Hide Navigation Hide TOC

APT29 (b2056ff0-00b9-482e-b11c-c771daa5f28a)

A 2015 report by F-Secure describe APT29 as: 'The Dukes are a well-resourced, highly dedicated and organized cyberespionage group that we believe has been working for the Russian Federation since at least 2008 to collect intelligence in support of foreign and security policy decision-making. The Dukes show unusual confidence in their ability to continue successfully compromising their targets, as well as in their ability to operate with impunity. The Dukes primarily target Western governments and related organizations, such as government ministries and agencies, political think tanks, and governmental subcontractors. Their targets have also included the governments of members of the Commonwealth of Independent States;Asian, African, and Middle Eastern governments;organizations associated with Chechen extremism;and Russian speakers engaged in the illicit trade of controlled substances and drugs. The Dukes are known to employ a vast arsenal of malware toolsets, which we identify as MiniDuke, CosmicDuke, OnionDuke, CozyDuke, CloudDuke, SeaDuke, HammerDuke, PinchDuke, and GeminiDuke. In recent years, the Dukes have engaged in apparently biannual large - scale spear - phishing campaigns against hundreds or even thousands of recipients associated with governmental institutions and affiliated organizations. These campaigns utilize a smash - and - grab approach involving a fast but noisy breakin followed by the rapid collection and exfiltration of as much data as possible.If the compromised target is discovered to be of value, the Dukes will quickly switch the toolset used and move to using stealthier tactics focused on persistent compromise and long - term intelligence gathering. This threat actor targets government ministries and agencies in the West, Central Asia, East Africa, and the Middle East; Chechen extremist groups; Russian organized crime; and think tanks. It is suspected to be behind the 2015 compromise of unclassified networks at the White House, Department of State, Pentagon, and the Joint Chiefs of Staff. The threat actor includes all of the Dukes tool sets, including MiniDuke, CosmicDuke, OnionDuke, CozyDuke, SeaDuke, CloudDuke (aka MiniDionis), and HammerDuke (aka Hammertoss). '

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	APT29 (b2056ff0-00b9-482e-b11c-c771daa5f28a)	Threat Actor	1
SNOWYAMBER (0125ef58-2675-426f-90eb-0b189961199a)	Tool	APT29 (b2056ff0-00b9-482e-b11c-c771daa5f28a)	Threat Actor	1
APT29 (b2056ff0-00b9-482e-b11c-c771daa5f28a)	Threat Actor	Midnight Blizzard (31982812-c8bf-5e85-b0ba-0c64a7d05d20)	Microsoft Activity Group actor	1
APT29 (b2056ff0-00b9-482e-b11c-c771daa5f28a)	Threat Actor	HALFRIG (f169f0b3-fe4d-40e5-a443-2561c98eb67e)	Tool	1
QUARTERRIG (2d5072db-64e2-4d81-9b3a-3aa76cfa978b)	Tool	APT29 (b2056ff0-00b9-482e-b11c-c771daa5f28a)	Threat Actor	1
APT29 (b2056ff0-00b9-482e-b11c-c771daa5f28a)	Threat Actor	UNC2452 (2ee5ed7a-c4d0-40be-a837-20817474a15b)	Threat Actor	1
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	2
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
TrailBlazer - S0682 (bdad6f3b-de88-42fa-9295-d29b5271808e)	Malware	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	PinchDuke - S0048 (ae9d818d-95d0-41da-b045-9cabea1ca164)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	HTML Smuggling - T1027.006 (d4dc46e3-5ba5-45b9-8204-010867cacfcb)	Attack Pattern	2
GeminiDuke - S0049 (199463de-d9be-46d6-bb41-07234c1dd5a6)	Malware	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Cloud Administration Command - T1651 (d94b3ae9-8059-4989-8e9f-ea0f601f80a7)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	2
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	2
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe)	Attack Pattern	2
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Device Registration - T1098.005 (7decb26c-715c-40cf-b7e0-026f7d7cc215)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	2
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf)	Attack Pattern	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Disable or Modify Cloud Logs - T1562.008 (cacc40da-4c9e-462c-80d5-fd70a178b12d)	Attack Pattern	2
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	PolyglotDuke - S0518 (3d57dcc4-be99-4613-9482-d5218f5ec13e)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Hide Infrastructure - T1665 (eb897572-8979-4242-a089-56f294f4c91d)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	VaporRage - S0636 (96eca9b9-b37f-42f1-96dc-a2c441403194)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	ipconfig - S0100 (294e2560-bd48-44b2-9da2-833b5588ad11)	mitre-tool	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	2
NativeZone - S0637 (b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84)	Malware	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	RegDuke - S0511 (47124daf-44be-4530-9c63-038bc64318dd)	Malware	2
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	2
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	MiniDuke - S0051 (5e7ef1dc-7fb6-4913-ac75-e06113b59e0c)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	POSHSPY - S0150 (5e595477-2e78-4ce7-ae42-e0b059b17808)	Malware	2
Systeminfo - S0096 (7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1)	mitre-tool	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961)	Attack Pattern	2
Multi-Factor Authentication Request Generation - T1621 (954a1639-f2d6-407d-aef3-4917622ca493)	Attack Pattern	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68)	mitre-tool	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	meek - S0175 (65370d0b-3bd4-4653-8cf9-daf56f6be830)	mitre-tool	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153)	mitre-tool	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	OnionDuke - S0052 (b136d088-a829-432c-ac26-5529c26d4c7e)	Malware	2
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Raindrop - S0565 (4efc3e00-72f2-466a-ab7c-8a7dc6603b19)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	2
Cloud Accounts - T1586.003 (3d52e51e-f6db-4719-813c-48002a99f43a)	Attack Pattern	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Trusted Relationship - T1199 (9fa07bef-9c81-421e-a8e5-ad4366c5a925)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	2
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	ROADTools - S0684 (6dbdc657-d8e0-4f2f-909b-7251b3e72c6d)	mitre-tool	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	GoldFinder - S0597 (b7010785-699f-412f-ba49-524da6033c76)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2)	Attack Pattern	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	HAMMERTOSS - S0037 (2daa14d6-cbf3-4308-bb8e-213c324a08e4)	Malware	2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	CloudDuke - S0054 (cbf646f1-7db5-4dc6-808b-0094313949df)	Malware	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	2
APT29 - G0016 (899ce53f-13a0-479b-a0e4-67d46e241542)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	2
Notion (5c807e49-dc90-4f80-b044-49bb990acb61)	online-service	SNOWYAMBER (0125ef58-2675-426f-90eb-0b189961199a)	Tool	2
NOBELIUM (d7247cf9-13b6-4781-b789-a5f33521633b)	Microsoft Activity Group actor	SNOWYAMBER (0125ef58-2675-426f-90eb-0b189961199a)	Tool	2
SNOWYAMBER (0125ef58-2675-426f-90eb-0b189961199a)	Tool	UNC2452 (2ee5ed7a-c4d0-40be-a837-20817474a15b)	Threat Actor	2
Midnight Blizzard (31982812-c8bf-5e85-b0ba-0c64a7d05d20)	Microsoft Activity Group actor	UNC2452 (2ee5ed7a-c4d0-40be-a837-20817474a15b)	Threat Actor	2
NOBELIUM (d7247cf9-13b6-4781-b789-a5f33521633b)	Microsoft Activity Group actor	HALFRIG (f169f0b3-fe4d-40e5-a443-2561c98eb67e)	Tool	2
UNC2452 (2ee5ed7a-c4d0-40be-a837-20817474a15b)	Threat Actor	HALFRIG (f169f0b3-fe4d-40e5-a443-2561c98eb67e)	Tool	2
QUARTERRIG (2d5072db-64e2-4d81-9b3a-3aa76cfa978b)	Tool	NOBELIUM (d7247cf9-13b6-4781-b789-a5f33521633b)	Microsoft Activity Group actor	2
QUARTERRIG (2d5072db-64e2-4d81-9b3a-3aa76cfa978b)	Tool	UNC2452 (2ee5ed7a-c4d0-40be-a837-20817474a15b)	Threat Actor	2
NOBELIUM (d7247cf9-13b6-4781-b789-a5f33521633b)	Microsoft Activity Group actor	UNC2452 (2ee5ed7a-c4d0-40be-a837-20817474a15b)	Threat Actor	2
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	3
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b)	Attack Pattern	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	3
CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	3
CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	3
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	CozyCar - S0046 (e6ef745b-077f-42e1-a37d-29eecff9c754)	Malware	3
TrailBlazer - S0682 (bdad6f3b-de88-42fa-9295-d29b5271808e)	Malware	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
TrailBlazer - S0682 (bdad6f3b-de88-42fa-9295-d29b5271808e)	Malware	Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	3
TrailBlazer - S0682 (bdad6f3b-de88-42fa-9295-d29b5271808e)	Malware	Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	3
TrailBlazer - S0682 (bdad6f3b-de88-42fa-9295-d29b5271808e)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
TrailBlazer - S0682 (bdad6f3b-de88-42fa-9295-d29b5271808e)	Malware	Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	3
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a)	Attack Pattern	Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
WellMess - S0514 (3a4197ae-ec63-4162-907b-9a073d1157e4)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	PinchDuke - S0048 (ae9d818d-95d0-41da-b045-9cabea1ca164)	Malware	3
PinchDuke - S0048 (ae9d818d-95d0-41da-b045-9cabea1ca164)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	PinchDuke - S0048 (ae9d818d-95d0-41da-b045-9cabea1ca164)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	PinchDuke - S0048 (ae9d818d-95d0-41da-b045-9cabea1ca164)	Malware	3
PinchDuke - S0048 (ae9d818d-95d0-41da-b045-9cabea1ca164)	Malware	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	PinchDuke - S0048 (ae9d818d-95d0-41da-b045-9cabea1ca164)	Malware	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	PinchDuke - S0048 (ae9d818d-95d0-41da-b045-9cabea1ca164)	Malware	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	HTML Smuggling - T1027.006 (d4dc46e3-5ba5-45b9-8204-010867cacfcb)	Attack Pattern	3
GeminiDuke - S0049 (199463de-d9be-46d6-bb41-07234c1dd5a6)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	3
GeminiDuke - S0049 (199463de-d9be-46d6-bb41-07234c1dd5a6)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
GeminiDuke - S0049 (199463de-d9be-46d6-bb41-07234c1dd5a6)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
GeminiDuke - S0049 (199463de-d9be-46d6-bb41-07234c1dd5a6)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
GeminiDuke - S0049 (199463de-d9be-46d6-bb41-07234c1dd5a6)	Malware	GeminiDuke (6a28a648-30c0-4d1d-bd67-81a8dc6486ba)	Tool	3
GeminiDuke - S0049 (199463de-d9be-46d6-bb41-07234c1dd5a6)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	3
GeminiDuke - S0049 (199463de-d9be-46d6-bb41-07234c1dd5a6)	Malware	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	3
TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	3
TEARDROP - S0560 (32f49626-87f4-4d6c-8f59-a0dca953fe26)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	3
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	RC Scripts - T1037.004 (dca670cf-eeec-438f-8185-fd959d9ef211)	Attack Pattern	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	3
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	3
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200)	Malware	3
QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	3
QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200)	Malware	External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	3
QUIETEXIT - S1084 (4816d361-f82b-4a18-aa05-b215e7cf9200)	Malware	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65)	Attack Pattern	3
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe)	Attack Pattern	3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	3
Device Registration - T1098.005 (7decb26c-715c-40cf-b7e0-026f7d7cc215)	Attack Pattern	Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	3
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	3
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	WellMail - S0515 (959f3b19-2dc8-48d5-8942-c66813a5101a)	Malware	3
Cloud API - T1059.009 (55bb4471-ff1f-43b4-88c1-c9384ec47abf)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	3
EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	Forced Authentication - T1187 (b77cf5f3-6060-475d-bd60-40ccbf28fdc2)	Attack Pattern	3
EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	3
EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	3
EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	3
EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	HTML Smuggling - T1027.006 (d4dc46e3-5ba5-45b9-8204-010867cacfcb)	Attack Pattern	3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	3
EnvyScout - S0634 (2f8229dc-da94-41c6-89ba-b5b6c32f6b7d)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Cloud Logs - T1562.008 (cacc40da-4c9e-462c-80d5-fd70a178b12d)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	3
SoreFang - S0516 (e33e4603-afab-402d-b2a1-248d435b5fe0)	Malware	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	3
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	3
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	PolyglotDuke - S0518 (3d57dcc4-be99-4613-9482-d5218f5ec13e)	Malware	3
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	PolyglotDuke - S0518 (3d57dcc4-be99-4613-9482-d5218f5ec13e)	Malware	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	PolyglotDuke - S0518 (3d57dcc4-be99-4613-9482-d5218f5ec13e)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	PolyglotDuke - S0518 (3d57dcc4-be99-4613-9482-d5218f5ec13e)	Malware	3
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	PolyglotDuke - S0518 (3d57dcc4-be99-4613-9482-d5218f5ec13e)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	PolyglotDuke - S0518 (3d57dcc4-be99-4613-9482-d5218f5ec13e)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	PolyglotDuke - S0518 (3d57dcc4-be99-4613-9482-d5218f5ec13e)	Malware	3
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	PolyglotDuke - S0518 (3d57dcc4-be99-4613-9482-d5218f5ec13e)	Malware	3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	PolyglotDuke - S0518 (3d57dcc4-be99-4613-9482-d5218f5ec13e)	Malware	3
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	PolyglotDuke - S0518 (3d57dcc4-be99-4613-9482-d5218f5ec13e)	Malware	3
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34)	Malware	3
reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34)	Malware	Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b)	Attack Pattern	3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34)	Malware	3
reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34)	Malware	SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	3
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34)	Malware	3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34)	Malware	3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34)	Malware	3
reGeorg - S1187 (0e17b066-50dd-4c2f-83bf-205c5eb2bb34)	Malware	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	3
BoomBox - S0635 (c26f1c05-b861-4970-94dc-2f7f921a3074)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3
Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Archive via Library - T1560.002 (41868330-6ee2-4d0f-b743-9f2294c3c9b6)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
FoggyWeb - S0661 (72911fe3-f085-40f7-b4f2-f25a4221fe44)	Malware	Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	3
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	VaporRage - S0636 (96eca9b9-b37f-42f1-96dc-a2c441403194)	Malware	3
VaporRage - S0636 (96eca9b9-b37f-42f1-96dc-a2c441403194)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
VaporRage - S0636 (96eca9b9-b37f-42f1-96dc-a2c441403194)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
VaporRage - S0636 (96eca9b9-b37f-42f1-96dc-a2c441403194)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	3
ipconfig - S0100 (294e2560-bd48-44b2-9da2-833b5588ad11)	mitre-tool	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c)	Attack Pattern	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	3
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f)	Attack Pattern	3
CosmicDuke - S0050 (2eb9b131-d333-4a48-9eb4-d8dec46c19ee)	Malware	Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec)	Attack Pattern	3
Spearphishing via Service - T1566.003 (f6ad61ee-65f3-4bd0-a3f5-2f0accb36317)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	3
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a)	Attack Pattern	3
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	3
NativeZone - S0637 (b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84)	Malware	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
NativeZone - S0637 (b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	3
NativeZone - S0637 (b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84)	Malware	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	3
NativeZone - S0637 (b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
NativeZone - S0637 (b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84)	Malware	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	3
NativeZone - S0637 (b4783be3-35d9-4a56-ac8d-1f3e1c9d9a84)	Malware	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	RegDuke - S0511 (47124daf-44be-4530-9c63-038bc64318dd)	Malware	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	RegDuke - S0511 (47124daf-44be-4530-9c63-038bc64318dd)	Malware	3
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	RegDuke - S0511 (47124daf-44be-4530-9c63-038bc64318dd)	Malware	3
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	RegDuke - S0511 (47124daf-44be-4530-9c63-038bc64318dd)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	RegDuke - S0511 (47124daf-44be-4530-9c63-038bc64318dd)	Malware	3
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	RegDuke - S0511 (47124daf-44be-4530-9c63-038bc64318dd)	Malware	3
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	RegDuke - S0511 (47124daf-44be-4530-9c63-038bc64318dd)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	RegDuke - S0511 (47124daf-44be-4530-9c63-038bc64318dd)	Malware	3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	RegDuke - S0511 (47124daf-44be-4530-9c63-038bc64318dd)	Malware	3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	3
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	3
PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367)	Tool	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	3
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	3
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Password Policy Discovery - T1201 (b6075259-dba3-44e9-87c7-e954f37ec0d5)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	3
Net - S0039 (03342581-f790-4f03-ba41-e82e67392e23)	mitre-tool	Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	3
MiniDuke - S0051 (5e7ef1dc-7fb6-4913-ac75-e06113b59e0c)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
MiniDuke - S0051 (5e7ef1dc-7fb6-4913-ac75-e06113b59e0c)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	3
MiniDuke - S0051 (5e7ef1dc-7fb6-4913-ac75-e06113b59e0c)	Malware	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	3
MiniDuke - S0051 (5e7ef1dc-7fb6-4913-ac75-e06113b59e0c)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
MiniDuke - S0051 (5e7ef1dc-7fb6-4913-ac75-e06113b59e0c)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
MiniDuke - S0051 (5e7ef1dc-7fb6-4913-ac75-e06113b59e0c)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	3
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	MiniDuke - S0051 (5e7ef1dc-7fb6-4913-ac75-e06113b59e0c)	Malware	3
MiniDuke - S0051 (5e7ef1dc-7fb6-4913-ac75-e06113b59e0c)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
MiniDuke - S0051 (5e7ef1dc-7fb6-4913-ac75-e06113b59e0c)	Malware	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	3
Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Tasklist - S0057 (2e45723a-31da-4a7e-aaa6-e01998a6788f)	mitre-tool	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	3
POSHSPY (4df1b257-c242-46b0-b120-591430066b6f)	Malpedia	POSHSPY - S0150 (5e595477-2e78-4ce7-ae42-e0b059b17808)	Malware	3
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd)	Attack Pattern	POSHSPY - S0150 (5e595477-2e78-4ce7-ae42-e0b059b17808)	Malware	3
POSHSPY - S0150 (5e595477-2e78-4ce7-ae42-e0b059b17808)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	POSHSPY - S0150 (5e595477-2e78-4ce7-ae42-e0b059b17808)	Malware	3
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	POSHSPY - S0150 (5e595477-2e78-4ce7-ae42-e0b059b17808)	Malware	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	POSHSPY - S0150 (5e595477-2e78-4ce7-ae42-e0b059b17808)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	POSHSPY - S0150 (5e595477-2e78-4ce7-ae42-e0b059b17808)	Malware	3
POSHSPY - S0150 (5e595477-2e78-4ce7-ae42-e0b059b17808)	Malware	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
POSHSPY - S0150 (5e595477-2e78-4ce7-ae42-e0b059b17808)	Malware	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	3
Systeminfo - S0096 (7fcbc4e8-1989-441f-9ac5-e7b6ff5806f1)	mitre-tool	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	3
BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	3
BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	3
BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	3
BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	3
BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	Group Policy Discovery - T1615 (1b20efbf-8063-4fc3-a07d-b575318a301b)	Attack Pattern	3
BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	3
BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	3
BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	3
BloodHound - S0521 (066b057c-944e-4cfc-b654-e3dfba04b926)	mitre-tool	Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961)	Attack Pattern	3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	3
Multi-hop Proxy - T1090.003 (a782ebe2-daba-42c7-bc82-e8e9d923162d)	Attack Pattern	Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68)	mitre-tool	3
Tor - S0183 (ed7d0cb1-87a6-43b4-9f46-ef1bc56d6c68)	mitre-tool	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
Active Scanning - T1595 (67073dde-d720-45ae-83da-b12d5e73ca3b)	Attack Pattern	Vulnerability Scanning - T1595.002 (5502c4e9-24ef-4d5f-8ee9-9e906c2f82c4)	Attack Pattern	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	FatDuke - S0512 (54a01db0-9fab-4d5f-8209-53cef8425f4a)	Malware	3
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	3
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2)	Attack Pattern	meek - S0175 (65370d0b-3bd4-4653-8cf9-daf56f6be830)	mitre-tool	3
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a)	Attack Pattern	Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b)	Attack Pattern	3
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c)	Attack Pattern	SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153)	mitre-tool	3
SDelete - S0195 (d8d19e33-94fd-4aa3-b94a-08ee801a2153)	mitre-tool	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Additional Email Delegate Permissions - T1098.002 (e74de37c-a829-446c-937d-56a44f0e9306)	Attack Pattern	Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	OnionDuke - S0052 (b136d088-a829-432c-ac26-5529c26d4c7e)	Malware	3
OnionDuke (abd10caa-7d4c-4c22-8dae-8d32f13232d7)	Malpedia	OnionDuke - S0052 (b136d088-a829-432c-ac26-5529c26d4c7e)	Malware	3
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8)	Attack Pattern	OnionDuke - S0052 (b136d088-a829-432c-ac26-5529c26d4c7e)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	OnionDuke - S0052 (b136d088-a829-432c-ac26-5529c26d4c7e)	Malware	3
Endpoint Denial of Service - T1499 (c675646d-e204-4aa8-978d-e3d6d65885c4)	Attack Pattern	OnionDuke - S0052 (b136d088-a829-432c-ac26-5529c26d4c7e)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	OnionDuke - S0052 (b136d088-a829-432c-ac26-5529c26d4c7e)	Malware	3
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	3
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	3
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	3
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
AdFind - S0552 (f59508a6-3615-47c3-b493-6676e1a39a87)	mitre-tool	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	3
Raindrop - S0565 (4efc3e00-72f2-466a-ab7c-8a7dc6603b19)	Malware	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	3
Raindrop - S0565 (4efc3e00-72f2-466a-ab7c-8a7dc6603b19)	Malware	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	3
Raindrop - S0565 (4efc3e00-72f2-466a-ab7c-8a7dc6603b19)	Malware	Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	3
Raindrop - S0565 (4efc3e00-72f2-466a-ab7c-8a7dc6603b19)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Raindrop - S0565 (4efc3e00-72f2-466a-ab7c-8a7dc6603b19)	Malware	Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	3
Raindrop - S0565 (4efc3e00-72f2-466a-ab7c-8a7dc6603b19)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
Raindrop - S0565 (4efc3e00-72f2-466a-ab7c-8a7dc6603b19)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	Sliver - S0633 (11f8d7eb-1927-4806-9267-3a11d4d4d6be)	mitre-tool	3
Cloud Accounts - T1586.003 (3d52e51e-f6db-4719-813c-48002a99f43a)	Attack Pattern	Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	3
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	3
Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc)	Attack Pattern	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
SUNBURST - S0559 (a8839c95-029f-44cf-8f3d-a3cf2039e927)	Malware	Image File Execution Options Injection - T1546.012 (6d4a7fb3-5a24-42be-ae61-6728a2b581f6)	Attack Pattern	3
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	3
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	3
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	3
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	3
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	3
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	3
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	3
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6)	Attack Pattern	3
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e)	Attack Pattern	3
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	3
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	3
Impacket - S0357 (26c87906-d750-42c5-946c-d4162c73fc7b)	mitre-tool	Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	3
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Digital Certificates - T1587.003 (1cec9319-743b-4840-bb65-431547bce82a)	Attack Pattern	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	3
Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2)	Attack Pattern	ROADTools - S0684 (6dbdc657-d8e0-4f2f-909b-7251b3e72c6d)	mitre-tool	3
Cloud Service Discovery - T1526 (e24fcba8-2557-4442-a139-1ee2f2e784db)	Attack Pattern	ROADTools - S0684 (6dbdc657-d8e0-4f2f-909b-7251b3e72c6d)	mitre-tool	3
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	ROADTools - S0684 (6dbdc657-d8e0-4f2f-909b-7251b3e72c6d)	mitre-tool	3
Cloud Accounts - T1078.004 (f232fa7a-025c-4d43-abc7-318e81a73d65)	Attack Pattern	ROADTools - S0684 (6dbdc657-d8e0-4f2f-909b-7251b3e72c6d)	mitre-tool	3
ROADTools - S0684 (6dbdc657-d8e0-4f2f-909b-7251b3e72c6d)	mitre-tool	Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe)	Attack Pattern	3
ROADTools - S0684 (6dbdc657-d8e0-4f2f-909b-7251b3e72c6d)	mitre-tool	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	3
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5)	Attack Pattern	Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	3
AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	Data from Cloud Storage - T1530 (3298ce88-1628-43b1-87d9-0b5336b193d7)	Attack Pattern	3
SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Cloud Service Discovery - T1526 (e24fcba8-2557-4442-a139-1ee2f2e784db)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Cloud Administration Command - T1651 (d94b3ae9-8059-4989-8e9f-ea0f601f80a7)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	3
Cloud Account - T1136.003 (a009cb25-4801-4116-9105-80a91cf15c1b)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Steal Application Access Token - T1528 (890c9858-598c-401d-a4d5-c67ebcdd703a)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Cloud Account - T1087.004 (8f104855-e5b7-4077-b1f5-bc3103b41abe)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Device Registration - T1098.005 (7decb26c-715c-40cf-b7e0-026f7d7cc215)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Domain Properties - T1590.001 (e3b168bd-fcd7-439e-9382-2e6c2f63514d)	Attack Pattern	AADInternals - S0677 (2c5281dd-b5fd-4531-8aea-c1bf8a0f8756)	mitre-tool	3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3)	Attack Pattern	3
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	3
SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	SEADADDY (1d07212e-6292-40a4-a5e9-30aef83b6207)	Malpedia	3
SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	3
SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a)	Attack Pattern	3
SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	3
Windows Management Instrumentation Event Subscription - T1546.003 (910906dd-8c0a-475a-9cc1-5e029e2fad58)	Attack Pattern	SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	3
SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	Archive via Library - T1560.002 (41868330-6ee2-4d0f-b743-9f2294c3c9b6)	Attack Pattern	3
SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
SeaDuke - S0053 (67e6d66b-1b82-4699-b47a-e2efb6268d14)	Malware	Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	3
LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	3
LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	3
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	3
LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	3
LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	3
LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	3
LiteDuke - S0513 (95e2cbae-d82c-4f7b-b63c-16462015d35d)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	GoldFinder - S0597 (b7010785-699f-412f-ba49-524da6033c76)	Malware	3
GoldFinder - S0597 (b7010785-699f-412f-ba49-524da6033c76)	Malware	Internet Connection Discovery - T1016.001 (132d5b37-aac5-4378-a8dc-3127b18a73dc)	Attack Pattern	3
GoldFinder - S0597 (b7010785-699f-412f-ba49-524da6033c76)	Malware	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	3
GoldMax - S0588 (5c747acd-47f0-4c5a-b9e5-213541fc01e0)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	3
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	3
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	3
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	3
Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	3
Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	3
Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	3
Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	3
Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	3
Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	3
Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	3
Sibot - S0589 (979adb5a-dc30-48f0-9e3d-9a26d866928c)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd)	Attack Pattern	Password Guessing - T1110.001 (09c4c11e-4fa1-4f8c-8dad-3cf8e69ad119)	Attack Pattern	3
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	3
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd)	Attack Pattern	Password Spraying - T1110.003 (692074ae-bb62-4a5e-a735-02cb6bde458c)	Attack Pattern	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00)	Attack Pattern	SUNSPOT - S0562 (bf48e7f8-752c-4ce8-bf8f-748edacd8fa6)	Malware	3
Hybrid Identity - T1556.007 (54ca26f3-c172-4231-93e5-ccebcac2161f)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	HAMMERTOSS - S0037 (2daa14d6-cbf3-4308-bb8e-213c324a08e4)	Malware	3
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8)	Attack Pattern	HAMMERTOSS - S0037 (2daa14d6-cbf3-4308-bb8e-213c324a08e4)	Malware	3
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	HAMMERTOSS - S0037 (2daa14d6-cbf3-4308-bb8e-213c324a08e4)	Malware	3
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	HAMMERTOSS - S0037 (2daa14d6-cbf3-4308-bb8e-213c324a08e4)	Malware	3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	HAMMERTOSS - S0037 (2daa14d6-cbf3-4308-bb8e-213c324a08e4)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	HAMMERTOSS - S0037 (2daa14d6-cbf3-4308-bb8e-213c324a08e4)	Malware	3
HAMMERTOSS - S0037 (2daa14d6-cbf3-4308-bb8e-213c324a08e4)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Cloud Services - T1021.007 (8861073d-d1b8-4941-82ce-dce621d398f0)	Attack Pattern	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	3
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Scheduled Transfer - T1029 (4eeaf8a9-c86b-4954-a663-9555fb406466)	Attack Pattern	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	3
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Network Service Discovery - T1046 (e3a12395-188d-4051-9a16-ea8e14d07b88)	Attack Pattern	3
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Protocol Tunneling - T1572 (4fe28b27-b13c-453e-a386-c2ef362a573b)	Attack Pattern	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47)	Attack Pattern	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475)	Attack Pattern	3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	3
Domain Fronting - T1090.004 (ca9d3402-ada3-484d-876a-d717bd6e05f2)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	3
Exploitation for Privilege Escalation - T1068 (b21c3b2d-02e6-45b1-980b-e69051040839)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	3
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	Cobalt Strike - S0154 (a7881f21-e978-4fe4-af56-92c9416a2616)	Malware	3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Data Destruction - T1485 (d45a3d09-b3cf-48f4-9f0f-f521ee5cb05c)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
PowerDuke (c79f5876-e3b9-417a-8eaf-8f1b01a0fecd)	Malpedia	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	PowerDuke - S0139 (00c3bfcb-99bd-4767-8c03-b08f585f5c8a)	Malware	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	CloudDuke - S0054 (cbf646f1-7db5-4dc6-808b-0094313949df)	Malware	3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	CloudDuke - S0054 (cbf646f1-7db5-4dc6-808b-0094313949df)	Malware	3
CloudDuke - S0054 (cbf646f1-7db5-4dc6-808b-0094313949df)	Malware	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3
SUNBURST (16902832-0118-40f2-b29e-eaba799b2bf4)	Backdoor	NOBELIUM (d7247cf9-13b6-4781-b789-a5f33521633b)	Microsoft Activity Group actor	3
NOBELIUM (d7247cf9-13b6-4781-b789-a5f33521633b)	Microsoft Activity Group actor	Private Cluster ()	Unknown	3
NOBELIUM (d7247cf9-13b6-4781-b789-a5f33521633b)	Microsoft Activity Group actor	Private Cluster ()	Unknown	3
TEARDROP (aba3fd7d-87cc-4266-82a1-d458ae299266)	Tool	NOBELIUM (d7247cf9-13b6-4781-b789-a5f33521633b)	Microsoft Activity Group actor	3
NOBELIUM (d7247cf9-13b6-4781-b789-a5f33521633b)	Microsoft Activity Group actor	GoldMax (1e912590-c879-4a9c-81b9-2d31e82ac718)	Tool	3
Rename Legitimate Utilities - T1036.003 (bd5b58a4-a52d-4a29-bc0d-3f1d3968eb6b)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	4
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	4
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Junk Data - T1001.001 (f7c0689c-4dbd-489b-81be-7cb7c7079ade)	Attack Pattern	4
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	4
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72)	Attack Pattern	4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	4
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	4
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	4
Steganography - T1027.003 (c2e147a9-d1a8-4074-811a-d8789202d916)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Fileless Storage - T1027.011 (02c5abff-30bf-4703-ab92-1f6072fae939)	Attack Pattern	4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SSH - T1021.004 (2db31dcd-54da-405d-acef-b9129b816ed6)	Attack Pattern	4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	4
Email Account - T1087.003 (4bc31b94-045b-4752-8920-aebaebdb6470)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	4
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	4
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	4
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Compile After Delivery - T1027.004 (c726e0a2-a57a-4b7b-a973-d0f013246617)	Attack Pattern	4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Library - T1560.002 (41868330-6ee2-4d0f-b743-9f2294c3c9b6)	Attack Pattern	4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	4
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	4
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	4
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b)	Malpedia	4
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	4
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	4
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	4
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	4
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	4
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	4
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Network Share Connection Removal - T1070.005 (a750a9f6-0bde-4bb3-9aae-1e2786e9780c)	Attack Pattern	4
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	4
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	4
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	4
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	Domain Generation Algorithms - T1568.002 (118f61a5-eb3e-4fb6-931f-2096647f4ecd)	Attack Pattern	4
Time Based Evasion - T1497.003 (4bed873f-0b7d-41d4-b93a-b6905d1f90b0)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	4
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
One-Way Communication - T1102.003 (9c99724c-a483-4d60-ad9d-7f004e42e8e8)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	4
Steganography - T1001.002 (eec23884-3fa1-4d8a-ac50-6f104d51e235)	Attack Pattern	Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3)	Attack Pattern	4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33)	Attack Pattern	4
Data Obfuscation - T1001 (ad255bfe-a9e6-4b52-a258-8d3462abe842)	Attack Pattern	Protocol or Service Impersonation - T1001.003 (c325b232-d5bc-4dde-a3ec-71f3db9e8adc)	Attack Pattern	4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	Clear Network Connection History and Configurations - T1070.007 (3975dbb5-0e1e-4f5b-bae1-cf2ab84b46dc)	Attack Pattern	4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	4
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Image File Execution Options Injection - T1546.012 (6d4a7fb3-5a24-42be-ae61-6728a2b581f6)	Attack Pattern	4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	NTDS - T1003.003 (edf91964-b26e-4b4a-9600-ccacd7d7df24)	Attack Pattern	4
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	4
Ccache Files - T1558.005 (394220d9-8efc-4252-9040-664f7b115be6)	Attack Pattern	Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	4
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d)	Attack Pattern	LLMNR/NBT-NS Poisoning and SMB Relay - T1557.001 (650c784b-7504-4df7-ab2c-4ea882384d1e)	Attack Pattern	4
Cloud Groups - T1069.003 (16e94db9-b5b1-4cd0-b851-f38fbd0a70f2)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	4
SAML Tokens - T1606.002 (1f9c2bae-b441-4f66-a8af-b65946ee72f2)	Attack Pattern	Forge Web Credentials - T1606 (94cb00a4-b295-4d06-aa2b-5653b9c1be9c)	Attack Pattern	4
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230)	Attack Pattern	Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	4
Trust Modification - T1484.002 (24769ab5-14bd-4f4e-a752-cfb185da53ee)	Attack Pattern	Domain or Tenant Policy Modification - T1484 (ebb42bbe-62d7-47d7-a55f-3b08b61d792d)	Attack Pattern	4
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	4
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262)	Attack Pattern	Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4)	Attack Pattern	4
Multi-Factor Authentication - T1556.006 (b4409cd8-0da9-46e1-a401-a241afd4d1cc)	Attack Pattern	Modify Authentication Process - T1556 (f4c1826f-a322-41cd-9557-562100848c84)	Attack Pattern	4
Gather Victim Network Information - T1590 (9d48cab2-7929-4812-ad22-f536665f0109)	Attack Pattern	Domain Properties - T1590.001 (e3b168bd-fcd7-439e-9382-2e6c2f63514d)	Attack Pattern	4
Shortcut Modification - T1547.009 (4ab929c6-ee2d-4fb5-aab4-b14be2ed7179)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	4
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b)	Attack Pattern	4
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
Stored Data Manipulation - T1565.001 (1cfcb312-b8d7-47a4-b560-4b16cc677292)	Attack Pattern	Data Manipulation - T1565 (ac9e6b22-11bf-45d7-9181-c1cb08360931)	Attack Pattern	4
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	4
Supply Chain Compromise - T1195 (3f18edba-28f4-4bb9-82c3-8aa60dcac5f7)	Attack Pattern	Compromise Software Supply Chain - T1195.002 (bd369cd9-abb8-41ce-b5bb-fff23ee86c00)	Attack Pattern	4
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	4
Make and Impersonate Token - T1134.003 (8cdeb020-e31e-4f88-a582-f53dcfbda819)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Windows Remote Management - T1021.006 (60d0c01d-e2bf-49dd-a453-f8a9c9fa6f65)	Attack Pattern	4
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	4
Token Impersonation/Theft - T1134.001 (86850eff-2729-40c3-b85e-c4af26da4a2d)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	4
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	4
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f)	Attack Pattern	4
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	4
Sudo and Sudo Caching - T1548.003 (1365fe3b-0f50-455d-b4da-266ce31c23b0)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	Distributed Component Object Model - T1021.003 (68a0c5ed-bee2-4513-830d-5b0d650139bd)	Attack Pattern	4
Parent PID Spoofing - T1134.004 (93591901-3172-4e94-abf8-6034ab26f44a)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Process Argument Spoofing - T1564.010 (ffe59ad3-ad9b-4b9f-b74f-5beb3c309dc1)	Attack Pattern	4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	NTFS File Attributes - T1564.004 (f2857333-11d4-45bf-b064-2c28d8525be5)	Attack Pattern	4
SUNBURST (16902832-0118-40f2-b29e-eaba799b2bf4)	Backdoor	SUNSPOT (d9b2305e-9802-483c-a95d-2ae8525c7704)	Tool	4
Raindrop (6c562458-7970-4d61-aded-1fe4a9002404)	Tool	TEARDROP (aba3fd7d-87cc-4266-82a1-d458ae299266)	Tool	4
TEARDROP (aba3fd7d-87cc-4266-82a1-d458ae299266)	Tool	TEARDROP (efa01fef-7faf-4bb2-8630-b3a237df882a)	Malpedia	4
GoldMax (9a3429d7-e4a8-43c5-8786-0b3a1c841a5f)	Malpedia	GoldMax (1e912590-c879-4a9c-81b9-2d31e82ac718)	Tool	4
Raindrop (309f9be7-8824-4452-90b3-cef81fd10099)	Malpedia	Raindrop (6c562458-7970-4d61-aded-1fe4a9002404)	Tool	5
Raindrop (6c562458-7970-4d61-aded-1fe4a9002404)	Tool	NOBELIUM (d7247cf9-13b6-4781-b789-a5f33521633b)	Microsoft Activity Group actor	5