Skip to content

Hide Navigation Hide TOC

QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)

QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat . The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past. QUASARRAT is a publicly available Windows backdoor. It may visit a website, download, upload, and execute files. QUASARRAT may acquire system information, act as a remote desktop or shell, or remotely activate the webcam. The backdoor may also log keystrokes and steal passwords from commonly used browsers and FTP clients. QUASARRAT was originally named xRAT before it was renamed by the developers in August 2015. Availability: Public

Cluster A Galaxy A Cluster B Galaxy B Level
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc) Threat Actor 1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia 1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT 1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 1
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky - APT-C-55 (84e18657-3995-5837-88f1-f823520382a8) 360.net Threat Actors Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Kimsuky (860643d6-5693-4e4e-ad1f-56c49faa10a7) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
RDP Wrapper (bea5f660-a106-4983-a11a-0e0b6ce348d2) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor TightVNC (e596e014-c0b7-491a-afee-3588fbfc61c1) Tool 2
BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Emerald Sleet (44be06b1-e17a-5ea6-a0a2-067933a7af77) Microsoft Activity Group actor Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
RevClient (cdd432b0-8899-4e7d-ad4a-b18741ade11d) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Chrome Remote Desktop (6583d982-a5cb-47e0-a3b0-bc18cadaeb53) RAT Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia 2
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37) Malpedia 3
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 3
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia 3
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware 3
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia 3
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 3
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern 3
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 3
Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 3
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 3
Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Browser Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Search Victim-Owned Websites - T1594 (16cdd21f-da65-4e4f-bc04-dd7d198c7b26) Attack Pattern 3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 3
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 3
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 3
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Access Software - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 3
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker 3
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker 3
TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387) Malpedia 3
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 4
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern 4
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 4
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 4
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 4
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 4
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 4
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 4
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern 4
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 4
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 4
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 4
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 4
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 4
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 4
Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern 4
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 4
Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern 4
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 4
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool 4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 4
Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 4
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern 4
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern 4
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 4
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern 4
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 4
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 4
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 4
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 4
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern 4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 4
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f) Tool gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 4
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387) Malpedia 4
Data Encrypted for Impact - T1471 (d9e88203-2b5d-405f-a406-2933b1e3d7e4) Attack Pattern Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
Endpoint Denial of Service - T1642 (eb6cf439-1bcb-4d10-bc68-1eed844ed7b3) Attack Pattern Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 5
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 5
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 5
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 5
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 5
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 5
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 5
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 5
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 5
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 5
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern 5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 5
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 5
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern 5
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 5
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern 5
Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern 5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL Side-Loading - T1574.002 (e64c62cf-9cd7-4a14-94ec-cdaac43ab44b) Attack Pattern 5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 5
GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern 5
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern 5