VICEROY TIGER (e2b87f81-a6a1-4524-b03f-193c3191d239)

VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
摩诃草 - APT-C-09 (231a81cd-4e24-590b-b084-1a4715b30d67)	360.net Threat Actors	VICEROY TIGER (e2b87f81-a6a1-4524-b03f-193c3191d239)	Threat Actor	1
摩诃草 - APT-C-09 (231a81cd-4e24-590b-b084-1a4715b30d67)	360.net Threat Actors	QUILTED TIGER (18d473a5-831b-47a5-97a1-a32156299825)	Threat Actor	2
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	摩诃草 - APT-C-09 (231a81cd-4e24-590b-b084-1a4715b30d67)	360.net Threat Actors	2
MONSOON - G0042 (9559ecaf-2e75-48a7-aee8-9974020bc772)	Intrusion Set	QUILTED TIGER (18d473a5-831b-47a5-97a1-a32156299825)	Threat Actor	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	QUILTED TIGER (18d473a5-831b-47a5-97a1-a32156299825)	Threat Actor	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	AutoIt backdoor - S0129 (f5352566-1a64-49ac-8f7f-97e1d1a03300)	Malware	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e)	Malware	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf)	Attack Pattern	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	TINYTYPHON - S0131 (85b39628-204a-48d2-b377-ec368cbcb7ca)	Malware	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56)	Malware	3
MONSOON - G0042 (9559ecaf-2e75-48a7-aee8-9974020bc772)	Intrusion Set	Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0)	Intrusion Set	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	4
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	4
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	4
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	4
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32)	Attack Pattern	4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	4
Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0)	Attack Pattern	4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e)	Attack Pattern	4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	4
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	4
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967)	Attack Pattern	PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d)	mitre-tool	Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	4
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230)	Attack Pattern	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63)	Malware	4
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	4
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	4
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	AutoIt backdoor - S0129 (f5352566-1a64-49ac-8f7f-97e1d1a03300)	Malware	4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	AutoIt backdoor - S0129 (f5352566-1a64-49ac-8f7f-97e1d1a03300)	Malware	4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	AutoIt backdoor - S0129 (f5352566-1a64-49ac-8f7f-97e1d1a03300)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	AutoIt backdoor - S0129 (f5352566-1a64-49ac-8f7f-97e1d1a03300)	Malware	4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e)	Malware	4
NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	4
NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e)	Malware	4
NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	4
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	4
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d)	Attack Pattern	Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d)	Attack Pattern	4
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b)	Attack Pattern	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	4
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00)	Malware	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	4
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf)	Attack Pattern	4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	TINYTYPHON - S0131 (85b39628-204a-48d2-b377-ec368cbcb7ca)	Malware	4
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9)	Attack Pattern	TINYTYPHON - S0131 (85b39628-204a-48d2-b377-ec368cbcb7ca)	Malware	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	TINYTYPHON - S0131 (85b39628-204a-48d2-b377-ec368cbcb7ca)	Malware	4
TINYTYPHON - S0131 (85b39628-204a-48d2-b377-ec368cbcb7ca)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	4
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	4
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	4
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4)	Attack Pattern	Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56)	Malware	4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56)	Malware	4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56)	Malware	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56)	Malware	4
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56)	Malware	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56)	Malware	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56)	Malware	4
Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e)	Attack Pattern	Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08)	Attack Pattern	5
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	5
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580)	Attack Pattern	5
Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	5
Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	5
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	5
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e)	Attack Pattern	5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee)	Attack Pattern	5
DLL Search Order Hijacking - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	5
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945)	Attack Pattern	Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	5
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	5
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	5
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52)	Attack Pattern	5
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	5
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	5
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	5
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	5
Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21)	Attack Pattern	Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53)	Attack Pattern	5
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	5
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	5