Skip to content

Hide Navigation Hide TOC

QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)

QUASARRAT is an open-source RAT available at https://github.com/quasar/QuasarRat . The versions used by APT10 (1.3.4.0, 2.0.0.0, and 2.0.0.1) are not available via the public GitHub page, indicating that APT10 has further customized the open source version. The 2.0 versions require a dropper to decipher and launch the AES encrypted QUASARRAT payload. QUASARRAT is a fully functional .NET backdoor that has been used by multiple cyber espionage groups in the past. QUASARRAT is a publicly available Windows backdoor. It may visit a website, download, upload, and execute files. QUASARRAT may acquire system information, act as a remote desktop or shell, or remotely activate the webcam. The backdoor may also log keystrokes and steal passwords from commonly used browsers and FTP clients. QUASARRAT was originally named xRAT before it was renamed by the developers in August 2015. Availability: Public

Cluster A Galaxy A Cluster B Galaxy B Level
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc) Threat Actor 1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia 1
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT 1
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 2
System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 2
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 2
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Chrome Remote Desktop (6583d982-a5cb-47e0-a3b0-bc18cadaeb53) RAT Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (860643d6-5693-4e4e-ad1f-56c49faa10a7) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor Private Cluster (4e18657-3995-5837-88f1-f823520382a8) Unknown 2
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Emerald Sleet (44be06b1-e17a-5ea6-a0a2-067933a7af77) Microsoft Activity Group actor Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37) Malpedia 2
Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor RDP Wrapper (bea5f660-a106-4983-a11a-0e0b6ce348d2) Tool 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor TightVNC (e596e014-c0b7-491a-afee-3588fbfc61c1) Tool 2
RevClient (cdd432b0-8899-4e7d-ad4a-b18741ade11d) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool 2
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 2
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT 2
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 2
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 3
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 3
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern 3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern 3
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia 3
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT 3
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool 3
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker 3
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker 3
TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387) Malpedia 3
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT 3
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool 3
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37) Malpedia 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Access Software - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern 3
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 3
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 3
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 3
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern 3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 3
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern 3
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 3
Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 3
Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Browser Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 3
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Search Victim-Owned Websites - T1594 (16cdd21f-da65-4e4f-bc04-dd7d198c7b26) Attack Pattern 3
Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 3
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 3
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern 3
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern 4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern 4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387) Malpedia 4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia 4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool Data Encrypted for Impact - T1471 (d9e88203-2b5d-405f-a406-2933b1e3d7e4) Attack Pattern 4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool Endpoint Denial of Service - T1642 (eb6cf439-1bcb-4d10-bc68-1eed844ed7b3) Attack Pattern 4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 4
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern 4
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 4
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern 4
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 4
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 4
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 4
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 4
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 4
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 4
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 4
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern 4
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 4
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 4
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool 4
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b) Attack Pattern Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern 4
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 4
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 4
schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 4
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 4
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern 4
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern 4
Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern 4
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 4
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern 4
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 4
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern 4
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern 4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529) Attack Pattern Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579) Attack Pattern 4
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 4
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern 4
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 4
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 4
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 4
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Match Legitimate Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern 4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern 4
GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern 5
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern 5
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern 5
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 5
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern 5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 5
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern 5
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 5
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern 5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 5
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern 5
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia 5
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern 5
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 5
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern 5
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 5
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern 5
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern 5