Hide Navigation Hide TOC

Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)

Daggerfly is a People's Republic of China-linked APT entity active since at least 2012. Daggerfly has targeted individuals, government and NGO entities, and telecommunication companies in Asia and Africa. Daggerfly is associated with exclusive use of MgBot malware and is noted for several potential supply chain infection campaigns.(Citation: Symantec Daggerfly 2023)(Citation: ESET EvasivePanda 2023)(Citation: Symantec Daggerfly 2024)(Citation: ESET EvasivePanda 2024)

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	1
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	1
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163)	mitre-tool	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f)	mitre-tool	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Rename System Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	1
Daggerfly - G1034 (f3be6240-f68e-47e1-90d2-ad8f3b3bb8a6)	Intrusion Set	DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	1
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	2
Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e)	Attack Pattern	MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	2
MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967)	Attack Pattern	MacMa - S1016 (bdee9574-7479-4073-a7dc-e86d8acd073a)	Malware	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	2
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd)	Malware	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	2
Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00)	Attack Pattern	Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7)	Attack Pattern	2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
Server - T1584.004 (e196b5c5-8118-4a1c-ab8a-936586ce3db5)	Attack Pattern	Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9)	Attack Pattern	2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163)	mitre-tool	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163)	mitre-tool	Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	2
BITSAdmin - S0190 (64764dc6-a032-495f-8250-1e4c06bdc163)	mitre-tool	BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7)	Attack Pattern	2
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf)	Attack Pattern	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f)	mitre-tool	2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f)	mitre-tool	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	2
Reg - S0075 (cde2d700-9ed1-46cf-9bce-07364fe8b24f)	mitre-tool	Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	2
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec)	Attack Pattern	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	2
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff)	Attack Pattern	MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	2
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967)	Attack Pattern	MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	2
MgBot - S1146 (a36eedea-9523-4abb-96e8-205f171ee763)	Malware	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	2
Nightdoor - S1147 (51f78dfc-52f9-424e-8753-bb4246188313)	Malware	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	2
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	2
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Rename System Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b)	Attack Pattern	2
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	2
Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Linux or Mac System Logs - T1070.002 (2bce5b30-7014-4a5d-ade7-12913fe6ac36)	Attack Pattern	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	3
Launch Agent - T1543.001 (d10cbd34-42e3-45c0-84d2-535a09849584)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	3
Gatekeeper Bypass - T1553.001 (31a0a2ac-c67c-4a7e-b9ed-6a96477d4e8e)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	3
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa)	Tool	PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	3
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	3
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b)	Attack Pattern	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070)	RAT	PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee)	Malpedia	3
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	3
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	3
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	3