Skip to content

Hide Navigation Hide TOC

VICEROY TIGER (e2b87f81-a6a1-4524-b03f-193c3191d239)

VICEROY TIGER is an adversary with a nexus to India that has historically targeted entities throughout multiple sectors. Older activity targeted multiple sectors and countries; however, since 2015 this adversary appears to focus on entities in Pakistan with a particular focus on government and security organizations. This adversary consistently leverages spear phishing emails containing malicious Microsoft Office documents, malware designed to target the Android mobile platform, and phishing activity designed to harvest user credentials. In March 2017, the 360 Chasing Team found a sample of targeted attacks that confirmed the previously unknown sample of APT's attack actions, which the organization can now trace back at least in April 2016. The chasing team named the attack organization APT-C-35. In June 2017, the 360 Threat Intelligence Center discovered the organization’s new attack activity, confirmed and exposed the gang’s targeted attacks against Pakistan, and analyzed in detail. The unique EHDevel malicious code framework used by the organization.

Cluster A Galaxy A Cluster B Galaxy B Level
VICEROY TIGER (e2b87f81-a6a1-4524-b03f-193c3191d239) Threat Actor 摩诃草 - APT-C-09 (231a81cd-4e24-590b-b084-1a4715b30d67) 360.net Threat Actors 1
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set 摩诃草 - APT-C-09 (231a81cd-4e24-590b-b084-1a4715b30d67) 360.net Threat Actors 2
QUILTED TIGER (18d473a5-831b-47a5-97a1-a32156299825) Threat Actor 摩诃草 - APT-C-09 (231a81cd-4e24-590b-b084-1a4715b30d67) 360.net Threat Actors 2
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Exploitation for Client Execution - T1203 (be2dcee9-a7a7-4e38-afd6-21b31ecc3d63) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56) Malware 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set BITS Jobs - T1197 (c8e87b83-edbb-48d4-9295-4974897525b7) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 3
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set TINYTYPHON - S0131 (85b39628-204a-48d2-b377-ec368cbcb7ca) Malware 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Drive-by Compromise - T1189 (d742a578-d70e-4d0e-96a6-02a9c30204e6) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set AutoIt backdoor - S0129 (f5352566-1a64-49ac-8f7f-97e1d1a03300) Malware 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e) Malware 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 3
QUILTED TIGER (18d473a5-831b-47a5-97a1-a32156299825) Threat Actor Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 3
Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
QUILTED TIGER (18d473a5-831b-47a5-97a1-a32156299825) Threat Actor MONSOON - G0042 (9559ecaf-2e75-48a7-aee8-9974020bc772) Intrusion Set 3
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 4
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 4
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware File and Directory Discovery - T1420 (cf28ca46-1fd3-46b4-b1f6-ec0b72361848) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Access Notifications - T1517 (39dd7871-f59b-495f-a9a5-3cb8cc50c9b2) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Abuse Accessibility Features - T1453 (2204c371-6100-4ae0-82f3-25c07c29772a) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Call Control - T1616 (351ddf79-2d3a-41b4-9bef-82ea5d3ccd69) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Video Capture - T1512 (d8940e76-f9c1-4912-bea6-e21c251370b6) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Exfiltration Over C2 Channel - T1646 (32063d7f-0a39-440d-a4a3-2694488f96cc) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Location Tracking - T1430 (99e6295e-741b-4857-b6e5-64989eb039b4) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Audio Capture - T1429 (6683aa0c-d98a-4f5b-ac57-ca7e9934a760) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Masquerading - T1655 (f856eaab-e84a-4265-a8a2-7bf37e5dc2fc) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware System Information Discovery - T1426 (e2ea7f6b-8d4f-49c3-819d-660530d12b77) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001 (37047267-3e56-453c-833e-d92b68118120) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Data from Local System - T1533 (e1c912a9-e305-434b-9172-8a6ce3ec9c4a) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Lockscreen Bypass - T1461 (dfe29258-ce59-421c-9dee-e85cb9fa90cd) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Stored Application Data - T1409 (702055ac-4e54-4ae9-9527-e23a38e0b160) Attack Pattern 4
VajraSpy - S9006 (8205a875-3ed5-4be2-ab9b-14a7d29431d0) Malware Software Discovery - T1418 (198ce408-1470-45ee-b47f-7056050d4fc2) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 4
BackConfig - S0475 (c13d9621-aca7-436b-ab3d-3a95badb3d00) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 4
Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Audio Capture - T1123 (1035cdf2-3e5f-446f-a7a7-e8f6d7925967) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 4
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
Domain Trust Discovery - T1482 (767dbf9e-df3f-45cb-8998-4903ab5f80c0) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 4
Windows Management Instrumentation - T1047 (01a5a209-b94c-450b-b7f9-946497d91055) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool 4
PowerSploit - S0194 (13cd9151-83b7-410d-9f98-25d0f0d1d80d) mitre-tool Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 4
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
Replication Through Removable Media - T1091 (3b744087-9945-4a6f-91e8-9dbceda417a4) Attack Pattern Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56) Malware 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56) Malware 4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56) Malware 4
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56) Malware 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56) Malware 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Unknown Logger - S0130 (ab3580c8-8435-4117-aace-3d9fbe46aa56) Malware 4
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 4
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Dynamic Data Exchange - T1559.002 (232a7e42-cd6e-4902-8fe9-2960f529dd4d) Attack Pattern Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 4
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Peripheral Device Discovery - T1120 (348f1eef-964b-4eb6-bb53-69b3dcb0c643) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 4
Data from Network Shared Drive - T1039 (ae676644-d2d2-41b7-af7e-9bed1b55898c) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern BADNEWS - S0128 (e9595678-d269-469e-ae6b-75e49259de63) Malware 4
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 4
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Code Signing Certificates - T1587.002 (34b3f738-bd64-40e5-a112-29b0542bc8bf) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 4
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 4
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern TINYTYPHON - S0131 (85b39628-204a-48d2-b377-ec368cbcb7ca) Malware 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern TINYTYPHON - S0131 (85b39628-204a-48d2-b377-ec368cbcb7ca) Malware 4
Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern TINYTYPHON - S0131 (85b39628-204a-48d2-b377-ec368cbcb7ca) Malware 4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern TINYTYPHON - S0131 (85b39628-204a-48d2-b377-ec368cbcb7ca) Malware 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
AutoIt backdoor - S0129 (f5352566-1a64-49ac-8f7f-97e1d1a03300) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern AutoIt backdoor - S0129 (f5352566-1a64-49ac-8f7f-97e1d1a03300) Malware 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern AutoIt backdoor - S0129 (f5352566-1a64-49ac-8f7f-97e1d1a03300) Malware 4
AutoIt backdoor - S0129 (f5352566-1a64-49ac-8f7f-97e1d1a03300) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Indicator Removal from Tools - T1027.005 (b0533c6e-8fea-4788-874f-b799cacc4b92) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
NDiskMonitor - S0272 (d1183cb9-258e-4f2f-8415-50ac8252c49e) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
MONSOON - G0042 (9559ecaf-2e75-48a7-aee8-9974020bc772) Intrusion Set Patchwork - G0040 (17862c7d-9e60-48a0-b48e-da4dc4c3f6b0) Intrusion Set 4
Web Service - T1481 (c6a146ae-9c63-4606-97ff-e261e76e8380) Attack Pattern Bidirectional Communication - T1481.002 (939808a7-121d-467a-b028-4441ee8b7cee) Attack Pattern 5
Call Log - T1636.002 (1d1b1558-c833-482e-aabb-d07ef6eae63d) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 5
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Accounts - T1636.005 (337e1136-a6d3-4465-a5c5-fdc658117747) Attack Pattern 5
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern Keylogging - T1417.001 (b1c95426-2550-4621-8028-ceebf28b3a47) Attack Pattern 5
Wi-Fi Discovery - T1422.002 (be63612f-a48f-44f2-a7a6-1763509fcf80) Attack Pattern System Network Configuration Discovery - T1422 (d4536441-1bcc-49fa-80ae-a596ed3f7ffd) Attack Pattern 5
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern Contact List - T1636.003 (e0b9ecb8-a7d1-43c7-aa30-8e19c6a92c86) Attack Pattern 5
Exfiltration Over Unencrypted Non-C2 Protocol - T1639.001 (37047267-3e56-453c-833e-d92b68118120) Attack Pattern Exfiltration Over Alternative Protocol - T1639 (3e091a89-a493-4a6c-8e88-d57be19bb98d) Attack Pattern 5
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 5
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 5
Office Application Startup - T1137 (2c4d4e92-0ccf-4a97-b54c-86d662988a53) Attack Pattern Office Template Macros - T1137.001 (79a47ad0-fc3b-4821-9f01-a026b1ddba21) Attack Pattern 5
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Kerberoasting - T1558.003 (f2877f7f-9a4c-4251-879f-1224e3006bee) Attack Pattern 5
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials in Registry - T1552.002 (341e222a-a6e3-4f6f-b69c-831d792b1580) Attack Pattern 5
Group Policy Preferences - T1552.006 (8d7bd4f5-3a89-4453-9c82-2c8894d5655e) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 5
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 5
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 5
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 5
Account Discovery - T1087 (72b74d71-8169-42aa-92e0-e7b04b9f5a08) Attack Pattern Local Account - T1087.001 (25659dd6-ea12-45c4-97e6-381e3e4b593e) Attack Pattern 5
Path Interception by PATH Environment Variable - T1574.007 (0c2d00da-7742-49e7-9928-4514e5075d32) Attack Pattern Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern 5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by Search Order Hijacking - T1574.008 (58af3705-8740-4c68-9329-ec015a7013c2) Attack Pattern 5
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern Path Interception by Unquoted Path - T1574.009 (bf96a5a3-3bce-43b7-8597-88545984c07b) Attack Pattern 5
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 5
Invalid Code Signature - T1036.001 (b4b7458f-81f2-4d38-84be-1c5ba0167a52) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 5
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 5
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 5
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5