Hide Navigation Hide TOC

BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32)

BabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator.

Cluster A	Galaxy A	Cluster B	Galaxy B	Level
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32)	Tool	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	1
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32)	Tool	Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	1
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32)	Tool	BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37)	Malpedia	1
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	2
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
RDP Wrapper (bea5f660-a106-4983-a11a-0e0b6ce348d2)	Tool	Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	TightVNC (e596e014-c0b7-491a-afee-3588fbfc61c1)	Tool	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e)	Banker	2
RevClient (cdd432b0-8899-4e7d-ad4a-b18741ade11d)	Tool	Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32)	Tool	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32)	Malpedia	2
Chrome Remote Desktop (6583d982-a5cb-47e0-a3b0-bc18cadaeb53)	RAT	Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	2
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8)	RAT	Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838)	Malpedia	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa)	Malpedia	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)	Tool	2
Ruby Sleet (03ff54cf-f7d4-4606-a531-2ca6d4fa6a54)	Threat Actor	Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	2
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d)	RAT	Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	2
Emerald Sleet (44be06b1-e17a-5ea6-a0a2-067933a7af77)	Microsoft Activity Group actor	Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	2
Kimsuky (860643d6-5693-4e4e-ad1f-56c49faa10a7)	Malpedia	Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	Opal Sleet (5f71a9ea-511d-4fdd-9807-271ef613f488)	Threat Actor	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	2
Kimsuky - APT-C-55 (84e18657-3995-5837-88f1-f823520382a8)	360.net Threat Actors	Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37)	Malpedia	2
Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3)	Threat Actor	XRat (d650da35-7ad7-417a-902a-16ea55bd1126)	Ransomware	2
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f)	Attack Pattern	3
Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387)	Malpedia	TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e)	Banker	3
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e)	Banker	3
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838)	Malpedia	TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e)	Banker	3
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8)	RAT	xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32)	Tool	3
xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32)	Tool	XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32)	Malpedia	3
xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32)	Tool	XRat (d650da35-7ad7-417a-902a-16ea55bd1126)	Ransomware	3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf)	Attack Pattern	3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	3
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Search Victim-Owned Websites - T1594 (16cdd21f-da65-4e4f-bc04-dd7d198c7b26)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d)	Attack Pattern	3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	3
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	3
Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262)	Attack Pattern	3
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	3
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49)	Attack Pattern	3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	3
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	3
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Impersonation - T1656 (c9e0c59e-162e-40a4-b8b1-78fab4329ada)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	3
Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	3
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23)	Attack Pattern	3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d)	Attack Pattern	3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	3
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	3
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Search Open Technical Databases - T1596 (55fc4df0-b42c-479a-b860-7a6761bcaad0)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04)	mitre-tool	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	3
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	3
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f)	Intrusion Set	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	3
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8)	RAT	XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32)	Malpedia	3
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8)	RAT	XRat (d650da35-7ad7-417a-902a-16ea55bd1126)	Ransomware	3
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)	Tool	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)	Tool	Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa)	Malpedia	3
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)	Tool	APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc)	Threat Actor	3
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d)	RAT	QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a)	Tool	3
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d)	RAT	QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470)	mitre-tool	3
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d)	RAT	Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa)	Malpedia	3
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32)	Malpedia	XRat (d650da35-7ad7-417a-902a-16ea55bd1126)	Ransomware	3
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	Endpoint Denial of Service - T1642 (eb6cf439-1bcb-4d10-bc68-1eed844ed7b3)	Attack Pattern	4
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	4
Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387)	Malpedia	Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	4
Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838)	Malpedia	4
GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512)	Attack Pattern	Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	4
Data Encrypted for Impact - T1471 (d9e88203-2b5d-405f-a406-2933b1e3d7e4)	Attack Pattern	Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4)	mitre-tool	4
Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf)	Attack Pattern	Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	4
Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b)	Attack Pattern	4
Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0)	Attack Pattern	Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	4
Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	4
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	4
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968)	Attack Pattern	Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8)	Attack Pattern	Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d)	Attack Pattern	4
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b)	Attack Pattern	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	4
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636)	Attack Pattern	4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	4
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3)	Attack Pattern	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	4
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	4
Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a)	Attack Pattern	4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	4
Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db)	Attack Pattern	Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c)	Attack Pattern	4
Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7)	Attack Pattern	4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	4
Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b)	Attack Pattern	Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a)	Attack Pattern	4
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4)	Attack Pattern	Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262)	Attack Pattern	4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e)	Attack Pattern	4
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5)	Malware	Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Disable or Modify Tools - T1562.001 (ac08589e-ee59-4935-8667-d845e38fe579)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8)	Malware	4
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b)	Attack Pattern	4
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	4
Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	4
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4)	Attack Pattern	Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156)	Attack Pattern	4
Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a)	Attack Pattern	Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230)	Attack Pattern	4
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e)	Attack Pattern	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	4
Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	4
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	4
Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3)	Attack Pattern	NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	4
Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e)	Malware	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	4
Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665)	Attack Pattern	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	4
User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9)	Attack Pattern	4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a)	Attack Pattern	4
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5)	Attack Pattern	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377)	Attack Pattern	4
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b)	Attack Pattern	Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6)	Attack Pattern	4
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0)	Attack Pattern	Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e)	Attack Pattern	4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58)	Attack Pattern	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	4
Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c)	Attack Pattern	TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101)	Attack Pattern	4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	4
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7)	Attack Pattern	Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3)	Attack Pattern	4
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291)	Attack Pattern	Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	4
GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39)	Malware	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	4
GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39)	Malware	Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	4
GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
Impair Defenses - T1562 (3d333250-30e4-4a82-9edc-756c68afc529)	Attack Pattern	Disable or Modify System Firewall - T1562.004 (5372c5fe-f424-4def-bcd5-d3a8e770f07b)	Attack Pattern	4
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3)	Malware	4
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb)	Attack Pattern	Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb)	Attack Pattern	4
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928)	Attack Pattern	Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8)	Attack Pattern	4
Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2)	Attack Pattern	Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81)	Attack Pattern	4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	4
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762)	Attack Pattern	4
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101)	Attack Pattern	Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8)	Attack Pattern	4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94)	mitre-tool	4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60)	mitre-tool	4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0)	Attack Pattern	4
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd)	Attack Pattern	4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433)	Attack Pattern	4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077)	Attack Pattern	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662)	Attack Pattern	4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062)	Attack Pattern	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736)	Attack Pattern	AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570)	Malware	4
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15)	Attack Pattern	4
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4)	Attack Pattern	Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab)	Attack Pattern	4
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4)	Attack Pattern	4
Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	4
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	4
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	4
PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367)	Tool	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	4
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db)	mitre-tool	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	4
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	4
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3)	Attack Pattern	Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365)	Attack Pattern	4
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba)	Attack Pattern	Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9)	Attack Pattern	4
Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0)	Attack Pattern	Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf)	Attack Pattern	4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9)	Attack Pattern	schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04)	mitre-tool	4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597)	Attack Pattern	Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b)	Attack Pattern	4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688)	Attack Pattern	4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c)	Attack Pattern	4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32)	Attack Pattern	4
gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f)	Tool	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b)	Attack Pattern	gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24)	Malware	Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4)	Attack Pattern	4
Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1)	Attack Pattern	Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0)	Attack Pattern	4
Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337)	Attack Pattern	Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2)	Attack Pattern	4
Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e)	Attack Pattern	SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002)	Attack Pattern	5
GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512)	Attack Pattern	Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad)	Attack Pattern	5
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a)	Attack Pattern	Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144)	Attack Pattern	5
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447)	Attack Pattern	Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0)	Attack Pattern	5
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004)	Attack Pattern	Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f)	Attack Pattern	5
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3)	Attack Pattern	Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334)	Attack Pattern	5
Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776)	Attack Pattern	Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b)	Attack Pattern	5
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6)	Attack Pattern	Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2)	Attack Pattern	5
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742)	Attack Pattern	Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852)	Attack Pattern	5
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf)	Attack Pattern	Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517)	Attack Pattern	5
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b)	Attack Pattern	Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce)	Attack Pattern	5
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c)	Attack Pattern	Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9)	Attack Pattern	5
Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada)	Attack Pattern	Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118)	Attack Pattern	5
Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755)	Attack Pattern	Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea)	Attack Pattern	5
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5)	Attack Pattern	Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b)	Attack Pattern	5
Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56)	Attack Pattern	Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830)	Attack Pattern	5
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6)	Attack Pattern	Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d)	Attack Pattern	5
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	5
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc)	Attack Pattern	OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	5
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814)	Attack Pattern	Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926)	Attack Pattern	5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1)	Attack Pattern	5
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023)	Attack Pattern	Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48)	Attack Pattern	5
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462)	Attack Pattern	Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf)	Attack Pattern	5
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802)	Tool	MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b)	Malpedia	5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a)	Attack Pattern	Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27)	Attack Pattern	5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22)	Attack Pattern	DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163)	Attack Pattern	5
Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4)	Attack Pattern	System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253)	Attack Pattern	5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba)	Attack Pattern	SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541)	Attack Pattern	5
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67)	Attack Pattern	Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177)	Attack Pattern	5
Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7)	Attack Pattern	Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961)	Attack Pattern	5
Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6)	Attack Pattern	Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b)	Attack Pattern	5
Clear Windows Event Logs - T1070.001 (6495ae23-3ab4-43c5-a94f-5638a2c31fd2)	Attack Pattern	Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69)	Attack Pattern	5
DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34)	Attack Pattern	Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6)	Attack Pattern	5