APT3 (d144c83e-2302-4947-9e24-856fbf7949ae)

Symantec described UPS in a 2016 report as: 'Buckeye (also known as APT3, Gothic Panda, UPS Team, and TG-0110) is a cyberespionage group that is believed to have been operating for well over half a decade. Traditionally, the group attacked organizations in the US as well as other targets. However, Buckeye's focus appears to have changed as of June 2015, when the group began compromising political entities in Hong Kong.'

Cluster A Galaxy A Cluster B Galaxy B Level
APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set APT3 (d144c83e-2302-4947-9e24-856fbf7949ae) Threat Actor 1
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
SHOTPUT - S0063 (58adaaa8-f1e8-4606-9a08-422e568461eb) Malware APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Masquerade Account Name - T1036.010 (d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Multi-Stage Channels - T1104 (84e02621-8fdf-470f-bd58-993bb6a89d91) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
OSInfo - S0165 (f6d1d2cb-12f5-4221-9636-44606ea1f3f8) Malware APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
RemoteCMD - S0166 (4e6b9625-bbda-4d96-a652-b3bb45453f26) Malware APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern APT3 - G0022 (0bbdf25b-30ff-4894-a1cd-49260d0dd2d9) Intrusion Set 2
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 3
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 3
SHOTPUT - S0063 (58adaaa8-f1e8-4606-9a08-422e568461eb) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern SHOTPUT - S0063 (58adaaa8-f1e8-4606-9a08-422e568461eb) Malware 3
SHOTPUT - S0063 (58adaaa8-f1e8-4606-9a08-422e568461eb) Malware Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 3
SHOTPUT - S0063 (58adaaa8-f1e8-4606-9a08-422e568461eb) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
SHOTPUT - S0063 (58adaaa8-f1e8-4606-9a08-422e568461eb) Malware System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern 3
SHOTPUT - S0063 (58adaaa8-f1e8-4606-9a08-422e568461eb) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
SHOTPUT - S0063 (58adaaa8-f1e8-4606-9a08-422e568461eb) Malware Pirpi (4859330d-c6a5-4b9c-b45b-536ec983cd4a) Tool 3
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Account Name - T1036.010 (d349c66e-18e1-4d8b-a2d7-65af7cbd2ba0) Attack Pattern 3
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 3
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 3
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern 3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool 3
LaZagne - S0349 (b76b2d94-60e4-4107-a903-4a3a7622fb3b) mitre-tool Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 3
Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Debugger Evasion - T1622 (e4dc8c01-417f-458d-9ee0-bb0617c1b391) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern PlugX - S0013 (64fa0de0-6240-41f4-8638-f4ca7ed528fd) Malware 3
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern OSInfo - S0165 (f6d1d2cb-12f5-4221-9636-44606ea1f3f8) Malware 3
OSInfo - S0165 (f6d1d2cb-12f5-4221-9636-44606ea1f3f8) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern OSInfo - S0165 (f6d1d2cb-12f5-4221-9636-44606ea1f3f8) Malware 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern OSInfo - S0165 (f6d1d2cb-12f5-4221-9636-44606ea1f3f8) Malware 3
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern OSInfo - S0165 (f6d1d2cb-12f5-4221-9636-44606ea1f3f8) Malware 3
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern OSInfo - S0165 (f6d1d2cb-12f5-4221-9636-44606ea1f3f8) Malware 3
System Network Connections Discovery - T1049 (7e150503-88e7-4861-866b-ff1ac82c4475) Attack Pattern OSInfo - S0165 (f6d1d2cb-12f5-4221-9636-44606ea1f3f8) Malware 3
Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern OSInfo - S0165 (f6d1d2cb-12f5-4221-9636-44606ea1f3f8) Malware 3
OSInfo - S0165 (f6d1d2cb-12f5-4221-9636-44606ea1f3f8) Malware Network Share Discovery - T1135 (3489cfc5-640f-4bb3-a103-9137b97de79f) Attack Pattern 3
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern OSInfo - S0165 (f6d1d2cb-12f5-4221-9636-44606ea1f3f8) Malware 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 3
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Domain Accounts - T1078.002 (c3d4bdd9-2cfe-4a80-9d0c-07a29ecdce8f) Attack Pattern 3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 3
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Accessibility Features - T1546.008 (70e52b04-2a0c-4cea-9d18-7149f1df9dc5) Attack Pattern 3
External Proxy - T1090.002 (69b8fd78-40e8-4600-ae4d-662c9d7afdb3) Attack Pattern Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern 3
Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern RemoteCMD - S0166 (4e6b9625-bbda-4d96-a652-b3bb45453f26) Malware 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern RemoteCMD - S0166 (4e6b9625-bbda-4d96-a652-b3bb45453f26) Malware 3
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern RemoteCMD - S0166 (4e6b9625-bbda-4d96-a652-b3bb45453f26) Malware 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 3
Brute Force - T1110 (a93494bb-4b80-4ea1-8695-3236a49916fd) Attack Pattern Password Cracking - T1110.002 (1d24cdee-9ea2-4189-b08e-af110bf2435d) Attack Pattern 3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 3
Pirpi (4859330d-c6a5-4b9c-b45b-536ec983cd4a) Tool pirpi (e2325481-006f-4ad4-86d9-1a2ae6fea154) Malpedia 4
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Proc Filesystem - T1003.007 (3120b9fa-23b8-4500-ae73-09494f607b7d) Attack Pattern 4
Cached Domain Credentials - T1003.005 (6add2ab5-2711-4e9d-87c8-7a0be8531530) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Keychain - T1555.001 (1eaebf46-e361-4437-bc23-d5d65a3b92e3) Attack Pattern 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern /etc/passwd and /etc/shadow - T1003.008 (d0b4fcdb-d67d-4ed2-99ce-788b12f8c0f4) Attack Pattern 4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 4
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 4
PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT PlugX (f4b159ea-97e5-483b-854b-c48a78d562aa) Tool 4
DNS - T1071.004 (1996eef1-ced3-4d7f-bf94-33298cabbf72) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 4
Trusted Developer Utilities Proxy Execution - T1127 (ff25900d-76d5-449b-a351-8824e62fc81b) Attack Pattern MSBuild - T1127.001 (c92e3d68-2349-49e4-a341-7edca2deff96) Attack Pattern 4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
PlugX (036bd099-fe80-46c2-9c4c-e5c6df8dcdee) Malpedia PlugX (663f8ef9-4c50-499a-b765-f377d23c1070) RAT 4
Clear Persistence - T1070.009 (d2c4e5ea-dbdf-4113-805a-b1e2a337fb33) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern 4
Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern Domain Groups - T1069.002 (2aed01ad-3df3-4410-a8cb-11ea4ded587c) Attack Pattern 4
Domain Account - T1087.002 (21875073-b0ee-49e3-9077-1e2a885359af) Attack Pattern Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern 4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern 4