Skip to content

Hide Navigation Hide TOC

BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32)

BabyShark is a relatively new malware. The earliest sample we found from open source repositories and our internal data sets was seen in November 2018. The malware is launched by executing the first stage HTA from a remote location, thus it can be delivered via different file types including PE files as well as malicious documents. It exfiltrates system information to C2 server, maintains persistence on the system, and waits for further instruction from the operator.

Cluster A Galaxy A Cluster B Galaxy B Level
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware 1
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37) Malpedia 1
BabyShark (78ed653d-2d76-4a99-849e-1509e4573c32) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 1
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 2
BabyShark (8abdd40c-d79a-4353-80e3-29f8a4229a37) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Ruby Sleet (03ff54cf-f7d4-4606-a531-2ca6d4fa6a54) Threat Actor Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Opal Sleet (5f71a9ea-511d-4fdd-9807-271ef613f488) Threat Actor Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
RDP Wrapper (bea5f660-a106-4983-a11a-0e0b6ce348d2) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
TightVNC (e596e014-c0b7-491a-afee-3588fbfc61c1) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Chrome Remote Desktop (6583d982-a5cb-47e0-a3b0-bc18cadaeb53) RAT Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
RevClient (cdd432b0-8899-4e7d-ad4a-b18741ade11d) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky - APT-C-55 (84e18657-3995-5837-88f1-f823520382a8) 360.net Threat Actors Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Emerald Sleet (44be06b1-e17a-5ea6-a0a2-067933a7af77) Microsoft Activity Group actor Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Kimsuky (860643d6-5693-4e4e-ad1f-56c49faa10a7) Malpedia Kimsuky (bcaaad6f-0597-4b89-b69b-84a6be2b7bc3) Threat Actor 2
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern 3
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern 3
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 3
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 3
Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia 3
TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387) Malpedia 3
TinyNuke (e683cd91-40b4-4e1c-be25-34a27610a22e) Banker Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 3
xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia 3
xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT 3
xrat (c76e2ee8-52d1-4a55-81df-5542d232ca32) Tool XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware 3
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia 3
xRAT (509aff15-ba17-4582-b1a0-b0ed89df01d8) RAT XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Video Capture - T1125 (6faf650d-bf31-4eb4-802d-1000cf38efaf) Attack Pattern 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Application Window Discovery - T1010 (4ae4f953-fe58-4cc8-a327-33257e30a830) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Non-Standard Port - T1571 (b18eae87-b469-4e14-b454-b171b416bc18) Attack Pattern 3
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
XRat (a8f167a8-30b9-4953-8eb6-247f0d046d32) Malpedia XRat (d650da35-7ad7-417a-902a-16ea55bd1126) Ransomware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 3
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 3
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Clipboard Data - T1115 (30973a08-aed9-4edf-8604-9084ce1b5c4f) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern 3
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 3
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 3
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Reflective Code Loading - T1620 (4933e63b-9b77-476e-ab29-761bc5b7d15a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 3
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 3
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern 3
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Phishing - T1660 (defc1257-4db1-4fb3-8ef5-bb77f63146df) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 3
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern 3
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 3
BabyShark - S0414 (d1b7830a-fced-4be3-a99c-f495af9d9e1b) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set External Remote Services - T1133 (10d51417-ee35-4589-b1ff-b6df1c334e8d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 3
LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 3
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 3
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Internal Spearphishing - T1534 (9e7452df-5144-4b6e-b04a-b66dd4016747) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 3
Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Gather Victim Org Information - T1591 (937e4772-8441-4e4a-8bf0-8d447d667e23) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 3
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Service Stop - T1489 (20fb2507-d71c-455d-9b6d-6104461cf26b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Automated Exfiltration - T1020 (774a3188-6ba9-4dc4-879d-d54ee48a5ce9) Attack Pattern 3
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Network Sniffing - T1040 (3257eb21-f9a7-4430-8de1-d8b6e288f529) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Financial Theft - T1657 (851e071f-208d-4c79-adc6-5974c85c78f3) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern 3
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Visual Basic - T1059.005 (dfd7cc1d-e1d8-4394-a198-97c4cab8aa67) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Delay Execution - T1678 (a1df809c-7d0e-459f-8fe5-25474bab770b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Query Public AI Services - T1682 (143122a8-fcda-4dd7-aded-5b9387d9c2d6) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Adversary-in-the-Middle - T1557 (035bb001-ab69-4a0b-9f6c-2de8b09e1b9d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 3
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 3
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 3
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware 3
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Disable or Modify System Firewall - T1686 (eec096b8-c207-43df-b6c1-11523861e452) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Search Open Technical Databases - T1596 (55fc4df0-b42c-479a-b860-7a6761bcaad0) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern 3
Mshta - T1218.005 (840a987a-99bd-4a80-a5c9-0cb2baa6cade) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern 3
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Exploit Public-Facing Application - T1190 (3f886f2a-874f-4333-b794-aa6075009b1c) Attack Pattern 3
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Impersonation - T1684.001 (cd92d2b8-ce43-4666-9472-f1b4b9f4f8be) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Multi-Factor Authentication Interception - T1111 (dd43c543-bb85-4a6f-aa6e-160d90d06a49) Attack Pattern 3
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Search Victim-Owned Websites - T1594 (16cdd21f-da65-4e4f-bc04-dd7d198c7b26) Attack Pattern 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 3
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set System Service Discovery - T1007 (322bad5a-1c49-4d23-ab79-76d641794afa) Attack Pattern 3
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set 3
Kimsuky - G0094 (0ec2f388-bf0f-4b5c-97b1-fc736d26c25f) Intrusion Set Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 3
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool 3
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool APT43 (aac49b4e-74e9-49fa-84f9-e340cf8bafbc) Threat Actor 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool 3
QUASARRAT (4d58ad7d-b5ee-4efb-b6af-6c70aadb326a) Tool Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia 3
QuasarRAT - S0262 (da04ac30-27da-4959-a67d-450ce47d9470) mitre-tool Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT 3
Quasar RAT (6efa425c-3731-44fd-9224-2a62df061a2d) RAT Quasar RAT (05252643-093b-4070-b62f-d5836683a9fa) Malpedia 3
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
Xbot (4cfa42a3-71d9-43e2-bf23-daa79f326387) Malpedia Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
TinyNuke (5a78ec38-8b93-4dde-a99e-0c9b77674838) Malpedia Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
Data Encrypted for Impact - T1471 (d9e88203-2b5d-405f-a406-2933b1e3d7e4) Attack Pattern Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
Endpoint Denial of Service - T1642 (eb6cf439-1bcb-4d10-bc68-1eed844ed7b3) Attack Pattern Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern Xbot - S0298 (da21929e-40c0-443d-bdf4-6b60d15448b4) mitre-tool 4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Files and Directories - T1564.001 (ec8fc7e2-b356-455c-8db5-2e37be158e7d) Attack Pattern 4
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern Remote Desktop Protocol - T1021.001 (eb062747-2193-45de-8fa2-e62549c37ddf) Attack Pattern 4
Abuse Elevation Control Mechanism - T1548 (67720091-eee3-4d2d-ae16-8264567f6f5b) Attack Pattern Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 4
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Credentials In Files - T1552.001 (837f9164-50af-4ac0-8219-379d8a74cefc) Attack Pattern 4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Window - T1564.003 (cbb66055-0325-4111-aca0-40547b6ad5b0) Attack Pattern 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 4
Tool - T1588.002 (a2fdce72-04b2-409a-ac10-cc1695f4fce0) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 4
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Server - T1583.004 (60c4b628-4807-4b0b-bbf5-fdac8643c337) Attack Pattern 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern CSPY Downloader - S0527 (5256c0f8-9108-4c92-8b09-482dfacdcd94) mitre-tool 4
Search Engines - T1593.002 (6e561441-8431-4773-a9b8-ccf28ef6a968) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Location Discovery - T1614 (c877e33f-1df6-40d6-b1e7-ce70f16f4979) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Amadey - S1025 (05318127-5962-444b-b900-a9dcfe0ff6e9) Malware Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 4
Change Default File Association - T1546.001 (98034fef-d9fb-4667-8dc4-2eab6231724c) Attack Pattern Event Triggered Execution - T1546 (b6301b64-ef57-4cce-bb0b-77026f14a8db) Attack Pattern 4
Unsecured Credentials - T1552 (435dfb86-2697-4867-85b5-2fef496c0517) Attack Pattern Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern 4
Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern 4
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Rogue Domain Controller - T1207 (564998d8-ab3e-4123-93fb-eccaa6b9714a) Attack Pattern 4
Steal or Forge Authentication Certificates - T1649 (7de1f7ac-5d0c-4c9c-8873-627202205331) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 4
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 4
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern Mimikatz - S0002 (afc079f3-c0ea-4096-b75d-3f05338b7f60) mitre-tool 4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Hidden Users - T1564.002 (8c4aef43-48d5-49aa-b2af-c0cd58d30c3d) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Shared Modules - T1129 (0a5231ec-41af-4a35-83d0-6bdf11f28c65) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 4
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Non-Application Layer Protocol - T1095 (c21d5a77-d422-4a69-acd7-2c53c1faa34b) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware gh0st (1b1ae63f-bcee-4aba-8994-6c60cee5e16f) Tool 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware 4
gh0st RAT - S0032 (88c621a7-aef9-4ae0-94e3-1fc87123eb24) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
Data Encoding - T1132 (cc7b8c4e-9be0-47ca-b0bb-83915ec3ee2f) Attack Pattern Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern 4
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Exploits - T1588.005 (f4b843c1-7e92-4701-8fed-ce82f8be2636) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern 4
Email Accounts - T1585.002 (65013dd2-bc61-43e3-afb5-a14c4fa7437a) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Data Staged - T1074 (7dd95ff6-712e-4056-9626-312ea4ab4c5e) Attack Pattern 4
Exfiltration to Cloud Storage - T1567.002 (bf1b6176-597c-4600-bfcd-ac989670f96b) Attack Pattern Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern 4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Spearphishing Link - T1566.002 (2b742742-28c3-4e1b-bab7-8350d6300fa7) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool 4
certutil - S0160 (0a68f1f1-da74-4d28-8d9a-696c082706cc) mitre-tool Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern 4
Compromise Accounts - T1586 (81033c3b-16a4-46e4-8fed-9b030dd03c4a) Attack Pattern Email Accounts - T1586.002 (3dc8c101-d4db-4f4d-8150-1b5a76ca5f1b) Attack Pattern 4
Email Addresses - T1589.002 (69f897fd-12a9-4c89-ad6a-46d2f3c38262) Attack Pattern Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern 4
Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern Pass the Hash - T1550.002 (e624264c-033a-424d-9fd7-fc9c3bbdb03e) Attack Pattern 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Lateral Tool Transfer - T1570 (bf90d72c-c00b-45e3-b3aa-68560560d4c5) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 4
PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool PsExec (6dd05630-9bd8-11e8-a8b9-47ce338a4367) Tool 4
Windows Service - T1543.003 (2959d63f-73fd-46a1-abd2-109d7dcede32) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 4
Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 4
SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern PsExec - S0029 (ff6caf67-ea1f-4895-b80e-4bb0fc31c6db) mitre-tool 4
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Web Portal Capture - T1056.003 (69e5226d-05dc-4f15-95d7-44f5ed78d06e) Attack Pattern 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Double File Extension - T1036.007 (11f29a39-0942-4d62-92b6-fe236cf3066e) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
Scheduled Task - T1053.005 (005a06c6-14bf-4118-afa0-ebcd8aebb0c9) Attack Pattern schtasks - S0111 (c9703cd3-141c-43a0-a926-380082be5d04) mitre-tool 4
Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern Web Services - T1583.006 (88d31120-5bc7-4ce3-a9c0-7cf147be8e54) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Brave Prince - S0252 (28b97733-ef07-4414-aaa5-df50b2d30cc5) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern LSASS Memory - T1003.001 (65f2d882-3f41-4d48-8a06-29af77ec9f90) Attack Pattern 4
Gather Victim Identity Information - T1589 (5282dd9a-d26d-4e16-88b7-7c0f4553daf4) Attack Pattern Employee Names - T1589.003 (76551c52-b111-4884-bc47-ff3e728f0156) Attack Pattern 4
Spearphishing Link - T1598.003 (2d3f5b3c-54ca-4f4d-bb1f-849346d31230) Attack Pattern Phishing for Information - T1598 (cca0ccb6-a068-4574-a722-b1556f86833a) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern 4
Gold Dragon - S0249 (b9799466-9dd7-4098-b2d6-f999ce50b9a8) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Remote Email Collection - T1114.002 (b4694861-542c-48ea-9eb1-10d356e7140a) Attack Pattern 4
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Email Forwarding Rule - T1114.003 (7d77a07d-02fe-4e88-8bd9-e9c008c01bf0) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
Encrypted/Encoded File - T1027.013 (0d91b3c0-5e50-47c3-949a-2a796f04d144) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 4
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern KGH_SPY - S0526 (8bdfe255-e658-4ddd-a11c-b854762e451d) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Web Service - T1102 (830c9528-df21-472c-8c14-a036bf17d665) Attack Pattern Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 4
Malicious Link - T1204.001 (ef67e13e-5598-4adc-bdb2-998225874fa9) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Binary Padding - T1027.001 (5bfccc3f-2326-4112-86cc-c1ece9d8a2b5) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Command Obfuscation - T1027.010 (d511a6f6-4a33-41d5-bc95-c343875d1377) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Mail Protocols - T1071.003 (54b4c251-1f0e-4eba-ba6b-dbc7a6f6f06b) Attack Pattern Application Layer Protocol - T1071 (355be19c-ffc9-46d5-8d50-d6a036c675b6) Attack Pattern 4
Software Discovery - T1518 (e3b6daca-e963-4a69-aee6-ed4fd653ad58) Attack Pattern Security Software Discovery - T1518.001 (cba37adb-d6fb-4610-b069-dd04c0643384) Attack Pattern 4
Stage Capabilities - T1608 (84771bc3-f6a0-403e-b144-01af70e5fda0) Attack Pattern Upload Malware - T1608.001 (3ee16395-03f0-4690-a32e-69ce9ada0f9e) Attack Pattern 4
LNK Icon Smuggling - T1027.012 (887274fc-2d63-4bdc-82f3-fae56d1d5fdc) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Remote Access Tools - T1219 (4061e78c-1284-44b4-9116-73e4ac3912f7) Attack Pattern Remote Desktop Software - T1219.002 (d4287702-e2f7-4946-bdfa-2c7f5aaa5032) Attack Pattern 4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Private Keys - T1552.004 (60b508a1-6a5e-46b1-821a-9f7b78752abf) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Browser Information Discovery - T1217 (5e4a2073-9643-44cb-a0b5-e7f4048446c7) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Data from Information Repositories - T1213 (d28ef391-8ed4-45dc-bc4a-2f43abf54416) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern Troll Stealer - S1196 (d6748457-75c2-4989-a41f-2d017994057e) Malware 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Additional Local or Domain Groups - T1098.007 (3e6831b2-bf4c-4ae6-b328-2e7c6633b291) Attack Pattern Account Manipulation - T1098 (a10641f4-87b4-45a3-a906-92a149cb2c27) Attack Pattern 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
Junk Code Insertion - T1027.016 (671cd17f-a765-48fd-adc4-dad1941b1ae3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Mutual Exclusion - T1480.002 (49fca0d2-685d-41eb-8bd4-05451cc3a742) Attack Pattern Execution Guardrails - T1480 (853c4192-4311-43e1-bfbb-b11b14911852) Attack Pattern 4
Social Media Accounts - T1585.001 (b1ccd744-3f78-4a0e-9bb2-2002057f7928) Attack Pattern Establish Accounts - T1585 (cdfc5f0a-9bb9-4352-b896-553cfa2d8fd8) Attack Pattern 4
Server Software Component - T1505 (d456de47-a16f-4e46-8980-e67478a12dcb) Attack Pattern Web Shell - T1505.003 (5d0d3609-d06d-49e1-b9c9-b544e0c618cb) Attack Pattern 4
Component Object Model - T1559.001 (2f6b4ed7-fef1-44ba-bcb8-1b4beb610b64) Attack Pattern Inter-Process Communication - T1559 (acd0ba37-7ba9-4cc5-ac61-796586cd856d) Attack Pattern 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Non-Standard Encoding - T1132.002 (d467bc38-284b-4a00-96ac-125f447799fc) Attack Pattern 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Windows Command Shell - T1059.003 (d1fcf083-a721-4223-aedf-bf8960798d62) Attack Pattern 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Bypass User Account Control - T1548.002 (120d5519-3098-4e1c-9191-2aa61232f073) Attack Pattern 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern 4
Dynamic API Resolution - T1027.007 (ea4c2f9c-9df1-477c-8c42-6da1118f2ac4) Attack Pattern HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern 4
HTTPTroy - S9007 (52b52f72-88e6-4847-88d6-da3b9e4a4f71) Malware Symmetric Cryptography - T1573.001 (24bfaeba-cb0d-4525-b3dc-507c77ecec41) Attack Pattern 4
Valid Accounts - T1078 (b17a1a56-e99c-403c-8948-561df0cffe81) Attack Pattern Local Accounts - T1078.003 (fdc47f44-dd32-4b99-af5f-209f556f63c2) Attack Pattern 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
File Transfer Protocols - T1071.002 (9a60a291-8960-4387-8a4a-2ab5c18bb50b) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
System Owner/User Discovery - T1033 (03d7999c-1f4c-42cc-8373-e7690d318104) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Rundll32 - T1218.011 (045d0922-2310-4e60-b5e4-3302302cb3c5) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware Local Storage Discovery - T1680 (f2514ae4-4e9b-4f26-a5ba-c4ae85fe93c3) Attack Pattern 4
NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Ingress Tool Transfer - T1105 (e6919abc-99f9-4c6c-95a5-14761e7b2add) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern NOKKI - S0353 (071d5d65-83ec-4a55-acfa-be7d5f28ba9a) Malware 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Browser Session Hijacking - T1185 (544b0346-29ad-41e1-a808-501bb4193f47) Attack Pattern 4
Credentials from Web Browsers - T1555.003 (58a3e6aa-4453-4cc8-a51f-4befe80b31a8) Attack Pattern TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Traffic Signaling - T1205 (451a9977-d255-43c9-b431-66de80130c8c) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Bidirectional Communication - T1102.002 (be055942-6e63-49d7-9fa1-9cb7d8a8f3f4) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Steal Web Session Cookie - T1539 (10ffac09-e42d-4f56-ab20-db94c67d76ff) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Dead Drop Resolver - T1102.001 (f7827069-0bf2-4764-af4f-23fae0d181b7) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Modify Registry - T1112 (57340c81-c025-4189-8fa0-fc7ede51bae4) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern 4
TRANSLATEXT - S1201 (4b72b6a7-72be-45d9-af02-fdcf0fc6d358) Malware Query Registry - T1012 (c32f7008-9fea-41f7-8366-5eb9b74bd896) Attack Pattern 4
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Local Account - T1136.001 (635cbe30-392d-4e27-978e-66774357c762) Attack Pattern 4
Browser Extensions - T1176.001 (278716b1-61ce-4a74-8d17-891d0c494101) Attack Pattern Software Extensions - T1176 (389735f1-f21c-4208-b8f0-f8031e7169b8) Attack Pattern 4
Timestomp - T1070.006 (47f2d673-ca62-47e9-929b-1b0be9657611) Attack Pattern Indicator Removal - T1070 (799ace7f-e227-4411-baa0-8868704f2a69) Attack Pattern 4
Code Signing Certificates - T1588.003 (e7cbc1de-1f79-48ee-abfd-da1241c65a15) Attack Pattern Obtain Capabilities - T1588 (ce0687a0-e692-4b77-964a-0784a8e54ff1) Attack Pattern 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern Process Hollowing - T1055.012 (b200542e-e877-4395-875b-cf1a44537ca4) Attack Pattern 4
Python - T1059.006 (cc3502b5-30cc-4473-ad48-42d51a6ef6d1) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern 4
System Binary Proxy Execution - T1218 (457c7820-d331-465a-915e-42f85500ccc4) Attack Pattern Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern 4
Hide Artifacts - T1564 (22905430-4901-4c2a-84f6-98243cb173f8) Attack Pattern Ignore Process Interrupts - T1564.011 (4a2975db-414e-4c0c-bd92-775987514b4b) Attack Pattern 4
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware 4
Code Signing - T1553.002 (32901740-b42c-4fdd-bc02-345b5dc57082) Attack Pattern GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern GoBear - S1197 (98943603-5be6-4551-8c98-bbaf0d229d39) Malware 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Standard Encoding - T1132.001 (04fd5427-79c7-44ea-ae13-11b24778ff1c) Attack Pattern 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Remote System Discovery - T1018 (e358d692-23c0-4a31-9eb6-ecc13a8d7735) Attack Pattern 4
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Gomir - S1198 (3128c86d-bd0d-445c-850f-96abf68fbfc3) Malware System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern 4
Compression - T1027.015 (fbd91bfc-75c2-4f0c-8116-3b4e722906b3) Attack Pattern Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern 4
Social Media - T1593.001 (bbe5b322-e2af-4a5e-9625-a4e62bf84ed3) Attack Pattern Search Open Websites/Domains - T1593 (a0e6614a-7740-4b24-bd65-f1bde09fc365) Attack Pattern 4
Dynamic-link Library Injection - T1055.001 (f4599aa0-4f85-4a32-80ea-fc39dc965945) Attack Pattern Process Injection - T1055 (43e7dc91-05b2-474c-b9ac-2ed4fe101f4d) Attack Pattern 4
Domains - T1583.001 (40f5caa0-4cb7-4117-89fc-d421bb493df3) Attack Pattern Acquire Infrastructure - T1583 (0458aab9-ad42-4eac-9e22-706a95bafee2) Attack Pattern 4
Domains - T1584.001 (f9cc4d06-775f-4ee1-b401-4e2cc0da30ba) Attack Pattern Compromise Infrastructure - T1584 (7e3beebd-8bfe-4e7b-a892-e44ab06a75f9) Attack Pattern 4
Virtualization/Sandbox Evasion - T1497 (82caa33e-d11a-433a-94ea-9b5a5fbef81d) Attack Pattern System Checks - T1497.001 (29be378d-262d-4e99-b00d-852d573628e6) Attack Pattern 4
Social Engineering - T1684 (41e4d77a-6275-4976-9e35-785985598519) Attack Pattern Impersonation - T1684.001 (cd92d2b8-ce43-4666-9472-f1b4b9f4f8be) Attack Pattern 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern Phishing - T1566 (a62a8db3-f23a-4d8f-afd6-9dbc77e7813b) Attack Pattern 4
Malicious Copy and Paste - T1204.004 (e261a979-f354-41a8-963e-6cadac27c4bf) Attack Pattern User Execution - T1204 (8c32eb4d-805f-4fc5-bf60-c4d476c131b5) Attack Pattern 4
Develop Capabilities - T1587 (edadea33-549c-4ed1-9783-8f5a5853cbdf) Attack Pattern Malware - T1587.001 (212306d8-efa4-44c9-8c2d-ed3d2e224aa0) Attack Pattern 4
Masquerade Task or Service - T1036.004 (7bdca9d5-d500-4d7d-8c52-5fd47baf4c0c) Attack Pattern Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
Screen Capture - T1113 (0259baeb-9f63-4c69-bf10-eb038c390688) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Data from Removable Media - T1025 (1b7ba276-eedc-4951-a762-0ceea2c030ec) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Masquerading - T1036 (42e8de7b-37b2-4258-905a-6897815e58e0) Attack Pattern 4
JavaScript - T1059.007 (0f4a0c76-ab2d-4cb0-85d3-3f0efb8cba0d) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Obfuscated Files or Information - T1027 (b3d682b6-98f2-4fb0-aa3b-b4df007ca70a) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Regsvr32 - T1218.010 (b97f1d35-4249-4486-a6b5-ee60ccf24fab) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware File Deletion - T1070.004 (d63a3fb8-9452-4e9d-a60a-54be68d5998c) Attack Pattern 4
Automated Collection - T1119 (30208d3e-0d6b-43c8-883e-44462a514619) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware File and Directory Discovery - T1083 (7bc57495-ea59-4380-be31-a64af124ef18) Attack Pattern 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Exfiltration Over C2 Channel - T1041 (92d7da27-2d91-488e-a00c-059dc162766d) Attack Pattern 4
Exfiltration Over Web Service - T1567 (40597f16-0963-4249-bf4c-ac93b7fb9807) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Web Protocols - T1071.001 (df8b2a25-8bdf-4856-953c-a04372b1c161) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Local Data Staging - T1074.001 (1c34f7aa-9341-4a48-bfab-af22e51aca6c) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Fallback Channels - T1008 (f24faf46-3b26-4dbb-98f2-63460498e433) Attack Pattern 4
System Time Discovery - T1124 (f3c544dc-673c-4ef3-accb-53229f1ae077) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Archive via Utility - T1560.001 (00f90846-cbd1-4fc5-9233-df5c2bf2a662) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
System Information Discovery - T1082 (354a7f88-63fb-41b5-a801-ce3b377b36f1) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Malicious File - T1204.002 (232b7f21-adf9-4b42-b936-b9d6f7df856e) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Registry Run Keys / Startup Folder - T1547.001 (9efb1ea7-c37b-4595-9640-b7680cd84279) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Software Packing - T1027.002 (deb98323-e13f-4b0c-8d94-175379069062) Attack Pattern 4
Spearphishing Attachment - T1566.001 (2e34237d-8574-43f6-aace-ae2915de8597) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Match Legitimate Resource Name or Location - T1036.005 (1c4e5d32-1fe9-4116-9d9d-59e3925bd6a2) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Deobfuscate/Decode Files or Information - T1140 (3ccef7ae-cb5e-48f6-8302-897105fbf55c) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Process Discovery - T1057 (8f4a33ec-8b1f-4b80-a2f6-642b2e479580) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Data Transfer Size Limits - T1030 (c3888c54-775d-4b2f-b759-75a2ececcbfd) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Data from Local System - T1005 (3c4a2599-71ee-4405-ba1e-0e28414b4bc5) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
Keylogging - T1056.001 (09a60ea3-a8d1-4ae5-976e-5783248b72a4) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
PowerShell - T1059.001 (970a3432-3237-47ad-bcca-7d8cbb217736) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Native API - T1106 (391d824f-0ef1-47a0-b0ee-c59a75e27670) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
System Network Configuration Discovery - T1016 (707399d6-ab3e-4963-9315-d9d3818cd6a0) Attack Pattern AppleSeed - S0622 (295721d2-ee20-4fa3-ade3-37f4146b4570) Malware 4
Archive via Custom Method - T1560.003 (143c0cbb-a297-4142-9624-87ffc778980b) Attack Pattern Archive Collected Data - T1560 (53ac20cd-aca3-406e-9aa0-9fc7fdc60a5a) Attack Pattern 4
SMS Messages - T1636.004 (c6421411-ae61-42bb-9098-73fddb315002) Attack Pattern Protected User Data - T1636 (11c2c2b7-1fd4-408f-bc2e-fe772ef9df5e) Attack Pattern 5
Input Capture - T1417 (a8c31121-852b-46bd-9ba4-674ae5afe7ad) Attack Pattern GUI Input Capture - T1417.002 (4c58b7c6-a839-4789-bda9-9de33e4d4512) Attack Pattern 5
Mark-of-the-Web Bypass - T1553.005 (7e7c2fba-7cca-486c-9582-4c1bb2851961) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 5
Dynamic Resolution - T1568 (7bd9c723-2f78-4309-82c5-47cad406572b) Attack Pattern Fast Flux DNS - T1568.001 (29ba5a15-3b7b-4732-b817-65ea8f6468e6) Attack Pattern 5
Security Support Provider - T1547.005 (5095a853-299c-4876-abd7-ac0050fb5462) Attack Pattern Boot or Logon Autostart Execution - T1547 (1ecb2399-e8ba-4f6b-8ba7-5c27d49405cf) Attack Pattern 5
Pass the Ticket - T1550.003 (7b211ac6-c815-4189-93a9-ab415deca926) Attack Pattern Use Alternate Authentication Material - T1550 (51a14c76-dd3b-440b-9c20-2bf91d25a814) Attack Pattern 5
Windows Credential Manager - T1555.004 (d336b553-5da9-46ca-98a8-0b23f49fb447) Attack Pattern Credentials from Password Stores - T1555 (3fc9b85a-2862-4363-a64d-d692e3ffbee0) Attack Pattern 5
SID-History Injection - T1134.005 (b7dc639b-24cd-482d-a7f1-8897eda21023) Attack Pattern Access Token Manipulation - T1134 (dcaa092b-7de9-4a21-977f-7fcb77e89c48) Attack Pattern 5
Mimikatz (7f3a035d-d83a-45b8-8111-412aa8ade802) Tool MimiKatz (588fb91d-59c6-4667-b299-94676d48b17b) Malpedia 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern DCSync - T1003.006 (f303a39a-6255-4b89-aecc-18c4d8ca7163) Attack Pattern 5
LSA Secrets - T1003.004 (1ecfdab8-7d59-4c98-95d4-dc41970f57fc) Attack Pattern OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern 5
Silver Ticket - T1558.002 (d273434a-448e-4598-8e14-607f4a0d5e27) Attack Pattern Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern 5
OS Credential Dumping - T1003 (0a3ead4e-6d47-4ccb-854c-a6a4f9d96b22) Attack Pattern Security Account Manager - T1003.002 (1644e709-12d2-41e5-a60f-3470991f5011) Attack Pattern 5
Steal or Forge Kerberos Tickets - T1558 (3fc01293-ef5e-41c6-86ce-61f10706b64a) Attack Pattern Golden Ticket - T1558.001 (768dce68-8d0d-477a-b01d-0eea98b963a1) Attack Pattern 5
System Services - T1569 (d157f9d2-d09a-4efa-bb2a-64963f94e253) Attack Pattern Service Execution - T1569.002 (f1951e8a-500e-4a26-8803-76d95c4554b4) Attack Pattern 5
Hijack Execution Flow - T1574 (aedfca76-3b30-4866-b2aa-0f1d7fd1e4b6) Attack Pattern DLL - T1574.001 (2fee9321-3e71-4cf4-af24-d4d40d355b34) Attack Pattern 5
Clear Windows Event Logs - T1685.005 (75b9a4d2-d4e2-4ca1-9aab-1badd9e05fd0) Attack Pattern Disable or Modify Tools - T1685 (bbde9781-60aa-4b8a-a911-895b0c1b3872) Attack Pattern 5
Install Root Certificate - T1553.004 (c615231b-f253-4f58-9d47-d5b4cbdb6839) Attack Pattern Subvert Trust Controls - T1553 (b83e166d-13d7-4b52-8677-dff90c548fd7) Attack Pattern 5
Create Account - T1136 (e01be9c5-e763-4caf-aeb7-000b416aef67) Attack Pattern Domain Account - T1136.002 (7610cada-1499-41a4-b3dd-46467b68d177) Attack Pattern 5
Remote Services - T1021 (54a649ff-439a-41a4-9856-8d144a2551ba) Attack Pattern SMB/Windows Admin Shares - T1021.002 (4f9ca633-15c5-463c-9724-bdcd54fde541) Attack Pattern 5
Exfiltration Over Unencrypted Non-C2 Protocol - T1048.003 (fb8d023d-45be-47e9-bc51-f56bcae6435b) Attack Pattern Exfiltration Over Alternative Protocol - T1048 (a19e86f8-1c0a-4fea-8407-23b73d615776) Attack Pattern 5
Email Collection - T1114 (1608f3e1-598a-42f4-a01a-2e252e81728f) Attack Pattern Local Email Collection - T1114.001 (1e9eb839-294b-48cc-b0d3-c45555a2a004) Attack Pattern 5
Logon Script (Windows) - T1037.001 (eb125d40-0b2d-41ac-a71a-3229241c2cd3) Attack Pattern Boot or Logon Initialization Scripts - T1037 (03259939-0b57-482f-8eb5-87c0e0d54334) Attack Pattern 5
Input Capture - T1056 (bb5a00de-e086-4859-a231-fa793f6797e2) Attack Pattern Credential API Hooking - T1056.004 (f5946b5e-9408-485f-a7f7-b5efc88909b6) Attack Pattern 5
Encrypted Channel - T1573 (b8902400-e6c5-4ba2-95aa-2d35b442b118) Attack Pattern Asymmetric Cryptography - T1573.002 (bf176076-b789-408e-8cba-7275e81c0ada) Attack Pattern 5
Cron - T1053.003 (2acf44aa-542f-4366-b4eb-55ef5747759c) Attack Pattern Scheduled Task/Job - T1053 (35dd844a-b219-4e2b-a6bb-efa9a75995a9) Attack Pattern 5
Command and Scripting Interpreter - T1059 (7385dfaf-6886-4229-9ecd-6fd678040830) Attack Pattern Unix Shell - T1059.004 (a9d4b653-6915-42af-98b2-5758c4ceee56) Attack Pattern 5
Local Groups - T1069.001 (a01bf75f-00b2-4568-a58f-565ff9bf202b) Attack Pattern Permission Groups Discovery - T1069 (15dbf668-795c-41e6-8219-f0447c0e64ce) Attack Pattern 5
Proxy - T1090 (731f4f55-b6d0-41d1-a7a9-072a66389aea) Attack Pattern Internal Proxy - T1090.001 (f6dacc85-b37d-458e-b58d-74fc4bbf5755) Attack Pattern 5
Create or Modify System Process - T1543 (106c0cf6-bf73-4601-9aa8-0945c2715ec5) Attack Pattern Systemd Service - T1543.002 (dfefe2ed-4389-4318-8762-f0272b350a1b) Attack Pattern 5