Skip to content

Hide Navigation Hide TOC

HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3)

HEXANE is a cyber espionage threat group that has targeted oil & gas, telecommunications, aviation, and internet service provider organizations since at least 2017. Targeted companies have been located in the Middle East and Africa, including Israel, Saudi Arabia, Kuwait, Morocco, and Tunisia. HEXANE's TTPs appear similar to APT33 and OilRig but due to differences in victims and tools it is tracked as a separate entity.(Citation: Dragos Hexane)(Citation: Kaspersky Lyceum October 2021)(Citation: ClearSky Siamesekitten August 2021)(Citation: Accenture Lyceum Targets November 2021)

Cluster A Galaxy A Cluster B Galaxy B Level
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
DnsSystem - S1021 (8a2867f9-e8fc-4bf1-a860-ef6e46311900) Malware HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
ipconfig - S0100 (294e2560-bd48-44b2-9da2-833b5588ad11) mitre-tool HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
netstat - S0104 (4664b683-f578-434f-919b-1c1aad2a1111) mitre-tool HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Identify Roles - T1591.004 (cc723aff-ec88-40e3-a224-5af9fd983cc4) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern HEXANE - G1001 (f29b7c5e-2439-42ad-a86f-9f8984fafae3) Intrusion Set 1
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 2
Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 2
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3) mitre-tool 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) Attack Pattern 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466) Attack Pattern 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
Shark - S1019 (99854cc8-f202-4e03-aa0a-4f8a4af93229) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
DnsSystem - S1021 (8a2867f9-e8fc-4bf1-a860-ef6e46311900) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
DnsSystem - S1021 (8a2867f9-e8fc-4bf1-a860-ef6e46311900) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern DnsSystem - S1021 (8a2867f9-e8fc-4bf1-a860-ef6e46311900) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern DnsSystem - S1021 (8a2867f9-e8fc-4bf1-a860-ef6e46311900) Malware 2
DnsSystem - S1021 (8a2867f9-e8fc-4bf1-a860-ef6e46311900) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern DnsSystem - S1021 (8a2867f9-e8fc-4bf1-a860-ef6e46311900) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern DnsSystem - S1021 (8a2867f9-e8fc-4bf1-a860-ef6e46311900) Malware 2
DnsSystem - S1021 (8a2867f9-e8fc-4bf1-a860-ef6e46311900) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
DnsSystem - S1021 (8a2867f9-e8fc-4bf1-a860-ef6e46311900) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
DNS Server - T1583.002 (197ef1b9-e764-46c3-b96c-23f77985dc81) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 2
Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 2
DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware 2
DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware 2
DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 2
DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
DanBot - S1014 (b8d48deb-450c-44f6-a934-ac8765aa89cb) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 2
ipconfig - S0100 (294e2560-bd48-44b2-9da2-833b5588ad11) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 2
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern 2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern 2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c) Attack Pattern 2
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware 2
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) Attack Pattern 2
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 2
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern 2
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 2
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware 2
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware 2
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Milan - S1015 (aea6d6b8-d832-4c90-a1bb-f52c6684db6c) Malware 2
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 2
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 2
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
netstat - S0104 (4664b683-f578-434f-919b-1c1aad2a1111) mitre-tool System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern Identify Roles - T1591.004 (cc723aff-ec88-40e3-a224-5af9fd983cc4) Attack Pattern 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 2
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Kevin - S1020 (e7863f5d-cb6a-4f81-8804-0a635eec160a) Malware 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 2
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 2
PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 2
PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 2
PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern PoshC2 - S0378 (4b57c098-f043-4da2-83ef-7588a6d426bc) mitre-tool 2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool 2
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool 2
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163) mitre-tool 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 3
Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 3
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6) Attack Pattern 3
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 3
Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d) Attack Pattern Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163) Attack Pattern 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern 3
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 3
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 3
VNC - T1021.005 (01327cde-66c4-4123-bf34-5f258d59457b) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 3
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 3
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern 3
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842) Attack Pattern Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade) Attack Pattern 3
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 3