Skip to content

Hide Navigation Hide TOC

FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826)

FIN8 is a financially motivated threat group that has been active since at least January 2016, and known for targeting organizations in the hospitality, retail, entertainment, insurance, technology, chemical, and financial sectors. In June 2021, security researchers detected FIN8 switching from targeting point-of-sale (POS) devices to distributing a number of ransomware variants.(Citation: FireEye Obfuscation June 2017)(Citation: FireEye Fin8 May 2016)(Citation: Bitdefender Sardonic Aug 2021)(Citation: Symantec FIN8 Jul 2023)

Cluster A Galaxy A Cluster B Galaxy B Level
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 1
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 1
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 1
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 1
Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
FIN8 (a78ae9fe-71cd-4563-9213-7b6260bd9a73) Threat Actor FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 1
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 1
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
PUNCHTRACK - S0197 (c4de7d83-e875-4c88-8b5d-06c41e5b7e79) Malware FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
dsquery - S0105 (38952eac-cb1b-4a71-bad2-ee8223a1c8fe) mitre-tool FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern 1
FIN8 - G0061 (fd19bd82-1b14-49a1-a176-6cdc46b8a826) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 1
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23) mitre-tool Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 2
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware 2
Sardonic - S1085 (0c52f5bc-557d-4083-bd27-66d7cdb794bb) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool 2
Nltest - S0359 (981acc4c-2ede-4b56-be6e-fa1a75f37acf) mitre-tool Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 2
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 2
Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 2
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 2
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Remote Data Staging - T1074.002 (359b00ad-9425-420b-bba5-6de8d600cbc0) Attack Pattern 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 2
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 2
Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 2
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware AppCert DLLs - T1546.009 (7d57b371-10c2-45e5-b3cc-83a8fb380e4c) Attack Pattern 2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware 2
PUNCHBUGGY - S0196 (5c6ed2dc-37f4-40ea-b2e1-4c76140a388c) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 2
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 2
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Ragnar Locker (e69f9836-873a-43d3-92a8-97ab783a4171) Ransomware 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Inhibit System Recovery - T1490 (f5d8eed6-48a9-4cdf-a3d7-d1ffa99c3d2a) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Data Encrypted for Impact - T1486 (b80d107d-fa0d-4b60-9684-b0433e8bdba0) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 2
Ragnar Locker - S0481 (54895630-efd2-4608-9c24-319de972a9eb) Malware Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 2
PUNCHTRACK - S0197 (c4de7d83-e875-4c88-8b5d-06c41e5b7e79) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 2
PUNCHTRACK - S0197 (c4de7d83-e875-4c88-8b5d-06c41e5b7e79) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 2
PUNCHTRACK - S0197 (c4de7d83-e875-4c88-8b5d-06c41e5b7e79) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 2
Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern dsquery - S0105 (38952eac-cb1b-4a71-bad2-ee8223a1c8fe) mitre-tool 2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern dsquery - S0105 (38952eac-cb1b-4a71-bad2-ee8223a1c8fe) mitre-tool 2
dsquery - S0105 (38952eac-cb1b-4a71-bad2-ee8223a1c8fe) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
dsquery - S0105 (38952eac-cb1b-4a71-bad2-ee8223a1c8fe) mitre-tool Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 2
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Asynchronous Procedure Call - T1055.004 (7c0f17c9-1af6-4628-9cbd-9e45482dd605) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58) Attack Pattern 2
BADHATCH - S1081 (3553b49d-d4ae-4fb6-ab17-0adbc520c888) Malware Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 2
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 2
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern 2
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 2
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c) Attack Pattern 3
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 3
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 3
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern 3
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 3
Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 3
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern 3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern AppCert DLLs - T1546.009 (7d57b371-10c2-45e5-b3cc-83a8fb380e4c) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 3
Run Virtual Instance - T1564.006 (b5327dd1-6bf9-4785-a199-25bcbd1f4a9d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 3
Ragnar Locker (e69f9836-873a-43d3-92a8-97ab783a4171) Ransomware Private Cluster (5d999c23-11cf-4dee-84bb-f447a4f70dc8) Unknown 3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336) Attack Pattern 3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 3
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Embedded Payloads - T1027.009 (0533ab23-3f7d-463f-9bd8-634d27e4dee1) Attack Pattern 3
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 3