MuddyWater (a29af069-03c3-4534-b78b-7d1a77ea085b)

The MuddyWater attacks are primarily against Middle Eastern nations. However, we have also observed attacks against surrounding nations and beyond, including targets in India and the USA. MuddyWater attacks are characterized by the use of a slowly evolving PowerShell-based first stage backdoor we call “POWERSTATS”. Despite broad scrutiny and reports on MuddyWater attacks, the activity continues with only incremental changes to the tools and techniques.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
Mango Sandstorm (da68ca6d-250f-50f1-a585-240475fdbb35)	Microsoft Activity Group actor	MuddyWater (a29af069-03c3-4534-b78b-7d1a77ea085b)	Threat Actor	1
MuddyWater (a29af069-03c3-4534-b78b-7d1a77ea085b)	Threat Actor	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	1
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
SHARPSTATS - S0450 (73c4711b-407a-449d-b269-e3b1531fe7a9)	Malware	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Out1 - S0594 (80c815bb-b24a-4b9c-9d73-ff4c075a278d)	mitre-tool	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
RemoteUtilities - S0592 (03c6e0ea-96d3-4b23-9afb-05055663cf4b)	mitre-tool	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
PowGoop - S1046 (c19d19ae-dd58-4584-8469-966bbeaa80e3)	Malware	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Mori - S1047 (7e100ca4-e639-48d9-9a9d-8ad84aa7b448)	Malware	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Network Topology - T1590.004 (34ab90a3-05f6-4259-8f21-621081fdaba5)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Fooder - S9033 (7c8865dc-1bf9-49ce-b5f2-f15abde0909a)	Malware	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Impersonation - T1684.001 (cd92d2b8-ce43-4666-9472-f1b4b9f4f8be)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79)	mitre-tool	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	MuddyWater - G0069 (269e8108-68c6-4f99-b911-14b2e765dec2)	Intrusion Set	2
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	3
SHARPSTATS - S0450 (73c4711b-407a-449d-b269-e3b1531fe7a9)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	3
SHARPSTATS - S0450 (73c4711b-407a-449d-b269-e3b1531fe7a9)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
SHARPSTATS - S0450 (73c4711b-407a-449d-b269-e3b1531fe7a9)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
SHARPSTATS - S0450 (73c4711b-407a-449d-b269-e3b1531fe7a9)	Malware	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	3
SHARPSTATS - S0450 (73c4711b-407a-449d-b269-e3b1531fe7a9)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
SHARPSTATS - S0450 (73c4711b-407a-449d-b269-e3b1531fe7a9)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
SHARPSTATS - S0450 (73c4711b-407a-449d-b269-e3b1531fe7a9)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	3
STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	3
STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	3
STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	3
STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	3
STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	3
STARWHALE - S1037 (e355fc84-6f3c-4888-8e0a-d7fa9c378532)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
Tsundere Botnet - S9034 (18f5f8c6-bba5-4aba-93e7-3539fe565883)	Malware	Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Out1 - S0594 (80c815bb-b24a-4b9c-9d73-ff4c075a278d)	mitre-tool	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Out1 - S0594 (80c815bb-b24a-4b9c-9d73-ff4c075a278d)	mitre-tool	3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Out1 - S0594 (80c815bb-b24a-4b9c-9d73-ff4c075a278d)	mitre-tool	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Out1 - S0594 (80c815bb-b24a-4b9c-9d73-ff4c075a278d)	mitre-tool	3
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	Out1 - S0594 (80c815bb-b24a-4b9c-9d73-ff4c075a278d)	mitre-tool	3
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	3
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2)	Attack Pattern	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b)	Attack Pattern	3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	3
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	3
ConnectWise - S0591 (842976c7-f9c8-41b2-8371-41dc64fbe261)	mitre-tool	Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032)	Attack Pattern	Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	3
RemoteUtilities - S0592 (03c6e0ea-96d3-4b23-9afb-05055663cf4b)	mitre-tool	Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	3
RemoteUtilities - S0592 (03c6e0ea-96d3-4b23-9afb-05055663cf4b)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
RemoteUtilities - S0592 (03c6e0ea-96d3-4b23-9afb-05055663cf4b)	mitre-tool	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
RemoteUtilities - S0592 (03c6e0ea-96d3-4b23-9afb-05055663cf4b)	mitre-tool	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	3
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Exploitation of Remote Services - T1210 (9db0cf3a-a3c9-4012-8268-123b9db6fd82)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
Empire - S0363 (3433a9e8-1c47-4320-b9bf-ed449061d1c3)	mitre-tool	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4)	Attack Pattern	3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b)	mitre-tool	Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	3
PowGoop - S1046 (c19d19ae-dd58-4584-8469-966bbeaa80e3)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
PowGoop - S1046 (c19d19ae-dd58-4584-8469-966bbeaa80e3)	Malware	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	3
PowGoop - S1046 (c19d19ae-dd58-4584-8469-966bbeaa80e3)	Malware	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
PowGoop - S1046 (c19d19ae-dd58-4584-8469-966bbeaa80e3)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	3
PowGoop - S1046 (c19d19ae-dd58-4584-8469-966bbeaa80e3)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
PowGoop - S1046 (c19d19ae-dd58-4584-8469-966bbeaa80e3)	Malware	Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	3
PowGoop - S1046 (c19d19ae-dd58-4584-8469-966bbeaa80e3)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
PowGoop - S1046 (c19d19ae-dd58-4584-8469-966bbeaa80e3)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Mori - S1047 (7e100ca4-e639-48d9-9a9d-8ad84aa7b448)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Mori - S1047 (7e100ca4-e639-48d9-9a9d-8ad84aa7b448)	Malware	3
Mori - S1047 (7e100ca4-e639-48d9-9a9d-8ad84aa7b448)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	3
Mori - S1047 (7e100ca4-e639-48d9-9a9d-8ad84aa7b448)	Malware	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	3
Mori - S1047 (7e100ca4-e639-48d9-9a9d-8ad84aa7b448)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Mori - S1047 (7e100ca4-e639-48d9-9a9d-8ad84aa7b448)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	3
Mori - S1047 (7e100ca4-e639-48d9-9a9d-8ad84aa7b448)	Malware	Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Mori - S1047 (7e100ca4-e639-48d9-9a9d-8ad84aa7b448)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Mori - S1047 (7e100ca4-e639-48d9-9a9d-8ad84aa7b448)	Malware	3
Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119)	Attack Pattern	3
Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	3
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	CrackMapExec - S0488 (c4810609-7da6-48ec-8057-1b70a7814db0)	mitre-tool	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	3
LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	3
GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d)	Attack Pattern	LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	3
LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	3
LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	3
LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	LP-Notes - S9036 (7fbf1f1e-cbd8-4060-8e3b-7ca0e56ce3fe)	Malware	3
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	3
Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d)	Attack Pattern	Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64)	Attack Pattern	3
Gather Victim Network Information - T1590 (9d48cab2-7929-4812-ad22-f536665f0109)	Attack Pattern	Network Topology - T1590.004 (34ab90a3-05f6-4259-8f21-621081fdaba5)	Attack Pattern	3
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d)	Attack Pattern	Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d)	Attack Pattern	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Delay Execution - T1678 (a1df809c-7d0e-459f-8fe5-25474bab770b)	Attack Pattern	Fooder - S9033 (7c8865dc-1bf9-49ce-b5f2-f15abde0909a)	Malware	3
Fooder - S9033 (7c8865dc-1bf9-49ce-b5f2-f15abde0909a)	Malware	Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	3
Fooder - S9033 (7c8865dc-1bf9-49ce-b5f2-f15abde0909a)	Malware	Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Fooder - S9033 (7c8865dc-1bf9-49ce-b5f2-f15abde0909a)	Malware	3
Fooder - S9033 (7c8865dc-1bf9-49ce-b5f2-f15abde0909a)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	3
Fooder - S9033 (7c8865dc-1bf9-49ce-b5f2-f15abde0909a)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Fooder - S9033 (7c8865dc-1bf9-49ce-b5f2-f15abde0909a)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	3
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	CMSTP - T1218.003 (4cbc6a62-9e34-4f94-8a19-5c1a11392a49)	Attack Pattern	3
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	3
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	3
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	Application Layer Protocol - T1437 (6a3f6490-9c44-40de-b059-e5940f246673)	Attack Pattern	3
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	3
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6)	Attack Pattern	3
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747)	Attack Pattern	3
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160)	Attack Pattern	3
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	3
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	Archive Collected Data - T1532 (e3b936a4-6321-4172-9114-038a866362ec)	Attack Pattern	3
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4)	Attack Pattern	3
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	3
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a)	Attack Pattern	3
Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760)	Attack Pattern	DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	3
DCHSpy - S1243 (6d5c257d-e6de-4c95-a7e8-09ac9386007d)	Malware	SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	3
Social Engineering - T1684 (41e4d77a-6275-4976-9e35-785985598519)	Attack Pattern	Impersonation - T1684.001 (cd92d2b8-ce43-4666-9472-f1b4b9f4f8be)	Attack Pattern	3
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	POWERSTATS - S0223 (e8545794-b98c-492b-a5b3-4b5a02682e37)	Malware	3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf)	Attack Pattern	3
Malware - T1588.001 (7807d3a4-a885-4639-a786-c1ed41484970)	Attack Pattern	Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	3
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530)	Attack Pattern	3
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	3
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	3
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	3
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a)	Attack Pattern	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	3
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79)	mitre-tool	3
Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79)	mitre-tool	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5)	Attack Pattern	3
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd)	Attack Pattern	Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79)	mitre-tool	3
Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79)	mitre-tool	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	3
Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79)	mitre-tool	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	3
Rclone - S1040 (59096109-a1dd-463b-87e7-a8d110fe3a79)	mitre-tool	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	3
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	3
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617)	Attack Pattern	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Koadic - S0250 (c8655260-9f4b-44e3-85e1-6538a5f6e4f4)	mitre-tool	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Delay Execution - T1678 (a1df809c-7d0e-459f-8fe5-25474bab770b)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	MuddyViper - S9032 (7b92e996-b535-4159-be16-3c3aee4edf54)	Malware	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	3
Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	3
Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	3
Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	Small Sieve - S1035 (ff41b9b6-4c1d-407b-a7e2-835109c8dbc5)	Malware	3
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	4
Msiexec - T1218.007 (365be77f-fc0e-42ee-bac8-4faf806d9336)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	4
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	4
Compromise Software Dependencies and Development Tools - T1195.001 (191cc6af-1bb2-4344-ab5f-28e496638720)	Attack Pattern	Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7)	Attack Pattern	4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	4
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	4
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	4
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	4
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	4
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32)	Attack Pattern	4
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2)	Attack Pattern	4
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	4
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b)	Attack Pattern	4
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	4
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	4
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	Dylib Hijacking - T1574.004 (fc742192-19e3-466c-9eb5-964a97b29490)	Attack Pattern	4
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	4
Exfiltration to Code Repository - T1567.001 (86a96bf6-cf8b-411c-aaeb-8959944d64f7)	Attack Pattern	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	4
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	4
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b)	Attack Pattern	MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96)	Attack Pattern	4
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	4
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	4
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	4
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	4
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	4
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3)	Attack Pattern	4
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	4
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	4
Name Resolution Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e)	Attack Pattern	Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d)	Attack Pattern	4
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	4
Create Process with Token - T1134.002 (677569f9-a8b0-459e-ab24-7f18091fa7bf)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	4
Group Policy Modification - T1484.001 (5d2be8b9-d24c-4e98-83bf-2f5f79477163)	Attack Pattern	Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d)	Attack Pattern	4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d)	Attack Pattern	4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	/etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4)	Attack Pattern	4
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc)	Attack Pattern	4
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	4
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	4
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd)	Attack Pattern	Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119)	Attack Pattern	4
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd)	Attack Pattern	Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c)	Attack Pattern	4
NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	4
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	At - T1053.002 (f3d95a1f-bba2-44ce-9af7-37866cd63fd0)	Attack Pattern	4
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	4
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	4
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	4
GUI Input Capture - T1056.002 (a2029942-0a85-4947-b23c-ca434698171d)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4)	Attack Pattern	4
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d)	Attack Pattern	4
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747)	Attack Pattern	4
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86)	Attack Pattern	4
Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc)	Attack Pattern	Match Legitimate Name or Location - T1655.001 (114fed8b-7eed-4136-8b9c-411c5c7fff4b)	Attack Pattern	4
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	4
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b)	Malpedia	4
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	4
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Exfiltration Over Asymmetric Encrypted Non-C2 Protocol - T1048.002 (8e350c1d-ac79-4b5c-bd4e-7476d7e84ec5)	Attack Pattern	4
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	4