Skip to content

Hide Navigation Hide TOC

Raspberry Typhoon (37f012df-54d8-4b3d-a288-af47240430ea)

Microsoft has tracked Raspberry Typhoon (RADIUM) as the primary threat group targeting nations that ring the South China Sea. Raspberry Typhoon consistently targets government ministries, military entities, and corporate entities connected to critical infrastructure, particularly telecoms. Since January 2023, Raspberry Typhoon has been particularly persistent. When targeting government ministries or infrastructure, Raspberry Typhoon typically conducts intelligence collection and malware execution. In many countries, targets vary from defense and intelligence-related ministries to economic and trade-related ministries

Cluster A Galaxy A Cluster B Galaxy B Level
LOTUS PANDA (32fafa69-fe3c-49db-afd4-aac2664bcf0d) Threat Actor Raspberry Typhoon (37f012df-54d8-4b3d-a288-af47240430ea) Threat Actor 1
LOTUS PANDA (32fafa69-fe3c-49db-afd4-aac2664bcf0d) Threat Actor Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set 2
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool 3
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) Malware Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 3
Lotus Blossom - G0030 (88b7dbc2-32d3-4e31-af2f-3fc24e1582d7) Intrusion Set System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 4
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 4
Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc) Attack Pattern System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 4
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware 4
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware 4
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 4
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 4
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware 4
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware 4
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b) Attack Pattern 4
Emissary - S0082 (0f862b01-99da-47cc-9bdb-db4a86a95bb1) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 4
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 4
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 4
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 4
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 4
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 4
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 4
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware Elise (3477a25d-e04b-475e-8330-39f66c10cc01) Malpedia 4
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware Elise Backdoor (d70fd29d-590e-4ed5-b72f-6ce0142019c6) Tool 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 4
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 4
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware 4
Elise - S0081 (7551188b-8f91-4d34-8350-0d0c57b2b913) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 4
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware 4
Sagerunex - S1210 (7f269253-c225-45ff-87c2-5e8ef6dd369f) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 4
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 4
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool 4
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool 4
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern 4
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87) mitre-tool 4
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88) Attack Pattern 4
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern 4
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 4
NBTscan - S0590 (b63970b7-ddfb-4aee-97b1-80d335e033a8) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 4
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 4
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 4
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 4
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 4
Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 4
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 4
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 4
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool 4
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b) mitre-tool Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern 4
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Ping - S0097 (b77b563c-34bb-4fb8-86a3-3694338f7b47) mitre-tool Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 4
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) Malware Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern 4
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) Malware Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 4
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) Malware Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 4
Hannotog - S1211 (273e2b53-64ec-48be-9ad9-8f3dc0e53718) Malware Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 4
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 5
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 5
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 5
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 5
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 5
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 5
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 5
Elise (3477a25d-e04b-475e-8330-39f66c10cc01) Malpedia Elise Backdoor (d70fd29d-590e-4ed5-b72f-6ce0142019c6) Tool 5
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 5
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 5
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8) Attack Pattern 5
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 5
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 5
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 5
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e) Attack Pattern Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 5
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6) Attack Pattern 5