id: text
T1598.002: Astaroth has been delivered via malicious e-mail attachments.
T1598.002: Sidewinder has sent e-mails with malicious attachments that lead victims to credential harvesting websites.
T1598.002: A phishing campaign observed by researchers from Trend Micro contains a macro-enabled document that exploits the legitimate script engine AutoHotKey.
T1598.002: Researchers have discovered a wave of emails with malicious attachments orchestrated by the Russian Advanced Persistent Threat (APT) group APT29.
T1598.002: Using attached HTML files containing JavaScript, the email will write an ISO file to disk; this contains a Cobalt Strike beacon that will activate on completion.
T1598.002: STRRAT, a Java-based malware, is currently being delivered as an attached PDF document via a phishing campaign using compromised email accounts.
T1598.002: Although the email may look official and legitimate, if you have no reason to receive such an email or if the content is questionable, you should not open any attached files.
T1591.004: RestorePrivacy, an information site about privacy, examined the proof the seller put out and found the following information scraped from LinkedIn user profiles: email addresses, full names, phone numbers, physical addresses, LinkedIn username and profile URL, personal and professional experience and background.
T1591.004: Targets are identified, groomed and then deceived by quite sophisticated email techniques into wiring funds to burner bank accounts; thinking that the email request comes from the CEO, the victim willingly sends the money.
T1591.004: This threat group instructs its affiliates to parse companies' websites and social media to identify leadership, HR and accounting staff for subsequent targeted spear phishing attacks.
T1591.004: Some spam lists are selected to target a specific business role, for example identified sales representatives.
T1591.004: Through reading the extracted emails, threat actors identified that fund transfers were originated in the accounting department by person A and approved by manager B.
T1591.003: Threat actors identified that a long holiday weekend in the US would be the best time to launch a cyber attack against this company.
T1591.003: The federal advisory makes note of recent holiday targeting, stating that cyber actors have conducted increasingly impactful attacks against U.S. entities on or around holiday weekends. Neither FBI nor CISA has information about a cyberattack coinciding with upcoming holidays and weekends, per the advisory, but the document says cybercriminals may see holidays and weekends as attractive timeframes to target potential victims.
T1591.003: Whether you celebrate Christmas, Hanukkah or Thanksgiving, your chances of being the victim of a cyber attack increase. The vacation season is yet another perfect period for cyber attacks. If a hacker had a choice between attacking your organization when your IT security team is fully staffed or when it isn't, what do you think they will choose?
T1591.003: Many times organizations are overburdened, and cyberattacks during the holidays are the last thing on their minds. The current pandemic heightened the threat, which has resulted in many firms operating with significant cybersecurity flaws resulting from the rapid shift to working from home. Cybercriminals exploit these flaws to get access to systems, and vulnerabilities increase with less network supervision during the holidays.
T1591.003: Once they had infected the computers of the personnel in charge of cash transfer systems or ATMs, the attackers collected snapshots of victims' screens and studied their daily activities in the bank.
T1591.001: The majority of the actors behind the ransomware are likely based outside of the CIS; for example, the Fonix ransomware won't run if the IP geolocation is Iranian.
T1591.001: DarkSide, like a great many other malware strains, has a hard-coded do-not-install list of countries which are the principal members of the Commonwealth of Independent States (CIS), former Soviet satellites that mostly have favorable relations with the Kremlin.
T1591.001: REvil was previously known as GandCrab, and one of the many things GandCrab had in common with REvil was that both programs barred affiliates from infecting victims in Syria.
T1591.001: As we can see from the chart above, Syria is also exempted from infections by DarkSide ransomware.
T1591.001: However, upon closer inspection it turns out this is actually a clever language check to ensure that the payload will not be downloaded outside of France.
T1591.002: In preparation for its attack against the 2018 Winter Olympics, Sandworm Team conducted online research of partner organizations listed on an official PyeongChang Olympics partnership site.
T1591.002: Generally, supply chain attacks on information systems begin with an advanced persistent threat (APT) that determines the member of the supply network with the weakest cyber security in order to affect the target organization.
T1591.002: It also found that hackers can steal sensitive data, including information about partners.
T1591.002: The attackers were after Facebook's information about partners.
T1591.002: Clues about business partners can provide a hacker with other potential avenues of attack.
T1591.002: Attackers identified and impersonated the company's foreign supplier in a Bogus Invoice Scheme attack.
T1590.003: Attackers are looking for IT service providers that have privileged access to their clients' networks.
T1590.003: Nation-state sponsored hackers are targeting IT service providers and discovering network trust relationships with their client organizations from government and military sectors.
T1590.003: The threat actors were looking for MSPs and MSSPs managing IT and security within the target organization.
T1590.003: In all of the cases, attackers enumerated network trust relationships and hijacked the managed service providers' internal management tools to distribute Sodinokibi ransomware to their customers.
T1590.003: A hacker can make one strategic breach into an MSP, discover network access to their clients and gain access to multiple customers' information across multiple industries.
T1590.004: The group utilizes active scanning to collect information on the victim network.
T1590.004: After the initial foothold, the actors were scanning to map the local network devices and plan the lateral movement.
T1590.004: During the exfiltration stage, attackers were identifying documents related to local accounts, network security and topology.
T1590.004: The requirement to publish procurement documents made it possible for the attackers to access specifics regarding network devices used by the organization (gateways, routers, etc.).
T1590.004: All the graphs, mind maps and presentations including the physical and/or logical arrangement of both external-facing and internal network environments should be treated as sensitive information.
T1590.006: This firewall company had a few large customers listed on their website, thus providing the attackers with convenient targets.
T1590.006: The requirement to publish procurement documents made it possible for the attackers to access specifics regarding network security appliances used by the organization (firewalls, content filters, NIDS, etc.).
T1590.006: Following the intrusion, actors were scanning to identify firewalls and other deployed security appliances.
T1590.006: This group phishes for information trying to identify deployed security appliances and leverage it for initial access.
T1590.006: This APT group was identifying the use of proxies and the company VPN and then utilizing these security appliances for stealthy lateral movement.
T1590.005: HAFNIUM has obtained IP addresses for publicly-accessible Exchange servers.
T1590.005: Andariel has limited its watering hole attacks to specific IP address ranges.
T1590.005: Initially, the attackers research the victim's IP ranges and scan them for open ports and opportunities for initial access.
T1590.005: The Anonymous OpIsrael campaign published a Pastebin post listing IP addresses of organizations that hacktivists plan to target.
T1590.005: The actor obtains a list of the victim's IP blocks and proceeds to run a Shodan or ZoomEye scan of the ranges.
T1590.005: A keyword search on Hurricane Electric allows attackers to find IP addresses of a certain company they want to target.
T1590.001: Sandworm Team conducted technical reconnaissance of the Parliament of Georgia's official internet domain prior to its 2019 attack.
T1590.001: There is an active campaign targeting domain owners via email addresses that were derived by actors from the domain registration data.
T1590.001: Attackers were able to leverage domain registration data to find additional domains belonging to the same victim organization.
T1590.001: The domain administrator was targeted with tailored spear phishing after the attackers determined the domain registrar and impersonated it.
T1590.001: Many victims avoided using domain registration anonymization services, and their domain properties were leveraged by the hackers.
T1590.001: This DDoS service offered TDoS and email bombing to target domain administrator contacts if those were available from the gathered domain properties.
T1590.002: During the reconnaissance phase, this group paid special attention to collecting and analyzing DNS information.
T1590.002: Gathering DNS information allowed the attackers to identify the victim's subdomains that were supposed to remain private.
T1590.002: Targeting of mail servers started by gathering mail server records from the victim's DNS.
T1590.002: Some of the information on targets was gathered free of charge, such as from DNS records.
T1590.002: Passive DNS information helped the attackers to map the victim's hosts and plan the intrusion.
T1589.003: Sandworm Team's research of potential victim organizations included the identification and collection of employee information.
T1589.003: Silent Librarian has collected lists of names for individuals from targeted organizations.
T1589.003: Collecting the victim organization's employee list allowed the attacker to generate actual email addresses due to a conservative alias naming convention.
T1589.003: Social media such as LinkedIn and Facebook allow threat actors to identify employee names for the organizations they plan to target.
T1589.003: This threat group collects employee names from the organization's website and uses them for impersonation in spear phishing attacks.
T1589.002: APT32 has collected e-mail addresses for activists and bloggers in order to target them with spyware.
T1589.002: HAFNIUM has collected e-mail addresses for users they intended to target.
T1589.002: MuddyWater has specifically targeted government agency employees with spearphishing e-mails.
T1589.002: Sandworm Team has obtained valid email addresses while conducting research against target organizations that were subsequently used in spearphishing campaigns.
T1589.002: Silent Librarian has collected e-mail addresses from targeted organizations from open Internet searches.
T1589.002: TA551 has used spoofed company emails that were acquired from email clients on previously infected hosts to target other individuals.
T1589.001: APT28 has harvested user login credentials.
T1589.001: Chimera has collected credentials for the target organization from previous breaches for use in brute force attacks.
T1589.001: Magic Hound gathered credentials from two victims that they then attempted to validate across 75 different websites.
T1589.001: Strontium is launching campaigns to harvest people's log-in credentials or compromise their accounts, presumably to aid in intelligence gathering or disruption operations.
T1589.001: Attackers appear to have purchased credential information from an underground forum for use in this attack.
T1592.002: Sandworm Team has researched software code to enable supply-chain operations, most notably for the 2017 NotPetya attack. Sandworm Team also collected a list of computers using specific software as part of its targeting efforts.
T1592.002: Public procurement data such as purchase invoices for software allowed attackers to plan their exploitation for initial access.
T1592.002: Andariel has inserted a malicious script within compromised websites to collect potential victim information such as browser type, system language, Flash Player version and other data.
T1592.002: Some threat groups use supply chain compromise as an opportunistic attack on whomever is a client; others specifically research software suppliers for a given target.
T1592.002: Gathering information from server banners allows attackers to use known vulnerabilities for certain kinds of server software.
T1592.001: Actors targeting poor countries pay attention to learning the victim's hardware, as it is often so old that it doesn't support newer, more secure operating systems.
T1592.001: Another door in for initial access is IoT devices, and hackers are trying to learn the hardware versions in use, as such hardware is often produced never to be fully updated or secured.
T1592.001: This group was using job postings, resumes and public purchase invoices to determine the hardware used by the victim organization.
T1592.001: After the attacker gathered information about the hardware used in the organization, they proceeded to register typosquatted domains mimicking these hardware manufacturers.
T1592.001: This Russian APT gathered information on the specific type of industrial controllers used by some Ukrainian power transmission stations.
T1592.003: Intruders impersonated the CEO and demanded information on the age and patch level of the network appliances.
T1592.003: While the problem with the firmware update level was outlined in the previous assessment report, the company failed to act on it; moreover, the very assessment ended up in the hands of the threat actors.
T1592.003: Slow implementation of the firmware patch for this vulnerability became apparent to the attackers, who started directing their botnets to target it.
T1592.003: Attackers did research on the backdoor in the standard router firmware in that country.
T1592.003: These botnet handlers gather information on the dominant types of IoT firmware with known vulnerabilities.
T1592.004: HAFNIUM has interacted with Office 365 tenants to gather details regarding target environments.
T1592.004: The attackers' website was checking visitors' host information and serving the malicious content only to those with certain language settings.
T1592.004: This group was studying the organization's purchase invoices to learn what operating systems are in use, their versions and architecture.
T1592.004: The Scanbox framework first configures the remote C&C server that it will use and collects a small amount of information about the victim that is visiting the compromised website, including:
T1592.004: The attackers were able to compromise the website and include code that loaded a malicious JavaScript file from a remote server that records visitors' User-Agent, Location, Charset, Operating System and Language.
T1592.004: Hackers were checking client configuration and virtualization status and generally were trying to avoid targeting virtual machines.
T1595.002: APT28 has performed large-scale scans in an attempt to find vulnerable servers.
T1595.002: Sandworm Team has scanned network infrastructure for vulnerabilities as part of its operational planning.
T1595.002: Volatile Cedar has performed vulnerability scans of the target server.
T1595.002: First, this threat group would engage in vulnerability reconnaissance via application-specific vulnerability discovery and identifying vulnerable content management systems (CMS) and CMS components.
T1595.002: Adversaries scan victims for vulnerabilities that can be used during targeting.
T1595.002: These scans may also include more broad attempts to Gather Victim Host Information that can be used to identify more commonly known, exploitable vulnerabilities.
T1595.002: Vulnerability scans typically harvest running software and version numbers via server banners, listening ports or other network artifacts.
T1595.002: Vulnerability scans typically check if the configuration of a target host/application (ex: software and version) potentially aligns with the target of a specific exploit the adversary may seek to use.
T1595.001: The adversaries were scanning victim IP blocks to gather information that can be used during targeting.
T1595.001: After finding the victim's ASNs, attackers continued by scanning these net ranges to detect active IP addresses and open ports.
T1595.001: One member of Anonymous was sharing the victim's IP addresses; another was scanning them to reveal host software versions.
T1595.001: This attacker was scanning the company's IP space for any artifact he could find.
T1595.001: First, the attacker was using simple pings (ICMP requests and responses) to detect which of the target's IP addresses are actively in use.
T1588.006: In 2017, Sandworm Team conducted technical research related to vulnerabilities associated with websites used by the Korean Sport and Olympic Committee, a Korean power company and a Korean airport.
T1588.006: Multiple threat actors obtained the Log4Shell vulnerability simply by studying the public vulnerability disclosures from Apache, watching POC presentations and analyzing reports of the zero-day exploitation.
T1588.006: Israeli spyware companies were purchasing vulnerabilities from undisclosed researchers, often using specialized vulnerability brokers.
T1588.006: Soon after the patch was released, the attackers were able to reverse-engineer the changes, understand the fix and weaponize the vulnerability that the patch was addressing.
T1588.006: The botnet handlers were monitoring new vulnerability disclosures to add new vulnerabilities to their list.
T1588.002: GALLIUM has used a variety of widely-available tools, which in some cases they modified to add functionality and/or subvert antimalware solutions.
T1588.002: MuddyWater has made use of the legitimate tools ConnectWise and RemoteUtilities for access to target environments.
T1588.002: Sandworm Team has acquired open-source tools for some of its operations; for example, it acquired Invoke-PSImage to establish an encrypted channel from a compromised host to Sandworm Team's C2 server as part of its preparation for the 2018 Winter Olympics attack.
T1588.002: Silent Librarian has obtained free and publicly available tools, including SingleFile and HTTrack, to copy login pages of targeted organizations.
T1588.002: Cozy Bear stole Cobalt Strike Beacon code and modified the tool to their liking.
T1588.001: APT1 used publicly available malware for privilege escalation.
T1588.001: Turla has used malware obtained after compromising other threat actors, such as OilRig.
T1588.001: The Ransomware-as-a-Service (RaaS) model allowed even unskilled hackers to obtain this malware and use it for a relatively small affiliate fee.
T1588.001: New IoT botnet actors obtained leaked Mirai botnet code and slightly modified it.
T1588.001: Citadel Trojan developers Vartanyan and Belorossov initially obtained Zeus Trojan code that they planned to use as a base for their own Trojan.
T1588.005: The DarkHotel APT group is known for stealing exploits from Hacking Team and using them for attacks on corporate executives staying in luxury hotels.
T1588.005: Uzbek intelligence officers bought exploits from the German subsidiary of the Gamma Group, which specializes in surveillance.
T1588.005: The attackers leveraged the RIG exploit kit that they purchased on a criminal marketplace.
T1588.005: The UAE purchased NSO Group's iPhone zero-day exploits.
T1588.005: These hacktivists were relying on exploits that they found online on various cybersecurity and hacker forums.
T1555.004: KGH_SPY can collect credentials from the Windows Credential Manager.
T1555.004: LaZagne can obtain credentials from Vault files.
T1555.004: Mimikatz contains functionality to acquire credentials from the Windows Credential Manager.
T1555.004: OilRig has used a credential dumping tool named VALUEVAULT to steal credentials from the Windows Credential Manager.
T1555.004: PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Windows vault credential objects.
T1555.004: ROKRAT steals credentials by leveraging the Windows Vault mechanism.
T1555.004: Stealth Falcon malware gathers passwords from the Windows Credential Vault.
T1555.004: Turla has gathered credentials from the Windows Credential Manager tool.
T1555.004: Valak can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager.
T1574.004: Empire has a dylib hijacker module that generates a malicious dylib given the path to a legitimate dylib of a vulnerable application.
T1574.004: Abusing the dynamic loader (dyld) logic allowed attackers to perform dylib hijacking.
T1574.004: Attackers ran the Dylib Hijack Scanner tool and attacked the identified vulnerable apps.
T1574.004: Developers should replace weak linking with a version check to mitigate dylib hijacking attacks from these threat actors.
T1574.004: After the initial access to the Apple device, attackers were escalating their privileges by placing malicious dylib files with expected names to hijack the normal execution flow.
T1037.004: HiddenWasp installs reboot persistence by adding itself to /etc/rc.local.
T1037.004: iKitten adds an entry to the rc.common file for persistence.
T1037.004: Install persistence through rc.d services: rc.d (/etc/rc.d/init.d/linux_kill).
T1037.004: Backwards compatibility on Ubuntu allowed attackers to achieve persistence via RC scripts.
T1037.004: As the malware tries to achieve persistence, Hatching Triage analysis reports suspicious behavior: "Modifies rc script".
T1574.006: APT41 has configured payloads to load via LD_PRELOAD.
T1574.006: Ebury has injected its dynamic library into descendent processes of sshd via LD_PRELOAD.
T1574.006: HiddenWasp adds itself as a shared object to the LD_PRELOAD environment variable.
T1574.006: Hildegard has modified /etc/ld.so.preload to intercept shared library import functions.
T1574.006: Rocke has modified /etc/ld.so.preload to hook libc functions in order to hide the installed dropper and mining software in process lists.
T1059.007: APT32 has used JavaScript for drive-by downloads and C2 communications.
T1059.007: Astaroth uses JavaScript to perform its core functionalities.
T1059.007: Bundlore can execute JavaScript by injecting it into the victim's browser.
T1059.007: Cobalt Group has executed JavaScript scriptlets on the victim's machine.
T1059.007: The Cobalt Strike System Profiler can use JavaScript to perform reconnaissance actions.
T1059.007: Evilnum has used malicious JavaScript files on the victim's machine.
T1059.007: FIN6 has used malicious JavaScript to steal payment card data from e-commerce sites.
T1059.007: FIN7 used JavaScript scripts to help perform tasks on the victim's machine.
T1059.007: GRIFFON is written in and executed as JavaScript.
T1059.007: Higaisa used JavaScript to execute additional files.
T1059.007: InvisiMole can use a JavaScript file as part of its execution chain.
T1059.007: jRAT has been distributed as HTA files with JScript.
T1059.007: Kimsuky has used JScript for logging and downloading additional tools.
T1059.007: Leafminer infected victims using JavaScript code.
T1059.007: Metamorfo includes payloads written in JavaScript.
T1059.007: Molerats used various implants, including those built with JS, on target machines.
T1059.007: MuddyWater has used JavaScript files to execute its POWERSTATS payload.
T1059.007: NanHaiShu executes additional JScript code on the victim's machine.
T1059.007: POWERSTATS can use JavaScript code for execution.
T1059.007: Sidewinder has used JavaScript to drop and execute malware loaders.
T1059.007: Silence has used JS scripts.
T1059.007: TA505 has used JavaScript for code execution.
T1059.007: Turla has used various JavaScript-based backdoors.
T1059.007: Valak can execute JavaScript containing configuration data for establishing persistence.
T1059.007: Xbash can execute malicious JavaScript payloads on the victim's machine.
T1608.005: Silent Librarian has cloned victim organization login pages and staged them for later use in credential harvesting campaigns. Silent Librarian has also made use of a variety of URL shorteners for these staged websites.
T1608.005: The attackers prepared over 39,000 phishing pages mimicking the four platforms' login pages.
T1608.005: They used Ngrok's paid option to acquire customized phishing URLs displaying Meta's trademarks (such as hxxp://facebook.in.ngrok.io).
T1608.005: Prior to the attack, they registered typosquatted domains, set up phishing pages and employed a URL shortener service.
T1608.005: The attacker placed archived malicious Office documents at the link target.
T1608.004: APT32 has stood up websites containing numerous articles and content scraped from the Internet to make them appear legitimate, but some of these pages include malicious JavaScript to profile the potential victim or infect them via a fake software update.
T1608.004: Threat Group-3390 has embedded malicious code into websites to screen a potential victim's IP address and then exploit their browser if they are of interest.
T1608.004: The attackers prepared a malvertisement, an ad combining an image and JavaScript which contained malicious code, and pushed it to legitimate websites via ad networks.
T1608.004: The second stage of the Magecart attack included injecting malicious JavaScript on the vulnerable checkout pages.
T1608.004: This APT group was looking to compromise industry online publications to prepare for watering hole attacks.
T1608.003: Adversaries created self-signed certificates and installed them on their web servers.
T1608.003: Attackers installed Let's Encrypt certificates on their phishing servers to gain additional trust from the visitors.
T1608.003: They prepare phishing pages with valid SSL/TLS certificates installed.
T1608.003: According to PhishLabs, in the last quarter of 2019, 74% of reported phishing websites were "secure", being both HTTPS and with the lock symbol, meaning cybercriminals installed SSL certificates and circumvented so-called verification processes.
T1608.003: Actors installed SSL certificates they made using OpenSSL (where you can even be your own Certificate Authority).
T1608.002: Threat Group-3390 has staged tools, including gsecdump and WCE, on previously compromised websites.
T1608.002: Prior to the attack, the adversaries uploaded remote administration tools to compromised websites they controlled.
T1608.002: The threat actor placed several dual-purpose tools on his GitHub repository.
T1608.002: The attackers uploaded the Remote Utilities RAT tool to a third-party compromised website, to be used if the victim environment did not have a remote administration tool installed.
T1608.002: FIN5 staged a customized version of PsExec.
T1608.001: APT32 has hosted malicious payloads in Dropbox, Amazon S3 and Google Drive for use during targeting.
T1608.001: They were posting obfuscated malicious payloads on Pastebin to be used later during the attack.
T1608.001: Some of the compromised websites were used to stage post-compromise malware such as keyloggers.
T1608.001: These government hackers staged malicious JavaScript files on the Microsoft typosquatted domains they registered earlier.
T1608.001: Gamaredon stages malicious VBA scripts on various compromised websites.
T1574.001: APT41 has used search order hijacking to execute malicious payloads such as Winnti RAT.
T1574.001: Astaroth can launch itself via DLL Search Order Hijacking.
T1574.001: BOOSTWRITE has exploited the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite dll.
T1574.001: Crutch can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox or Microsoft OneDrive.
T1574.001: Downdelph uses search order hijacking of the Windows executable sysprep.exe to escalate privileges.
T1574.001: Empire contains modules that can discover and exploit various DLL hijacking opportunities.
T1574.001: Evilnum has used the malware variant TerraTV to load a malicious DLL placed in the TeamViewer directory instead of the original Windows DLL located in a system folder.
T1574.001: A FinFisher variant uses DLL search order hijacking.
T1574.001: Hikit has used DLL Search Order Hijacking to load oci.dll as a persistence mechanism.
T1574.001: HTTPBrowser abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll.
T1574.001: InvisiMole can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library.
T1574.001: Melcoz can use DLL hijacking to bypass security controls.
T1574.001: menuPass has used DLL search order hijacking.
T1574.001: MirageFox is likely loaded via DLL hijacking into a legitimate McAfee binary.
T1574.001: PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit DLL hijacking opportunities in services and processes.
T1574.001: Prikormka uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory.
T1574.001: Ramsay can hijack outdated Windows application dependencies with malicious versions of its own DLL payload.
T1574.001: RedLeaves is launched through use of DLL search order hijacking to load a malicious dll.
T1574.001: RTM has used search order hijacking to force TeamViewer to load a malicious DLL.
T1574.001: Threat Group-3390 has performed DLL search order hijacking to execute their payload.
T1574.001: Variants of WEBC2 achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\WINDOWS\ntshrui.dll).
T1574.001: Whitefly has used search order hijacking to run the loader Vcrodat.
T1574.002: APT19 launched an HTTP malware variant and a Port 22 malware variant using a legitimate executable that loaded the malicious DLL.
T1574.002: APT3 has been known to side load DLLs with a valid version of Chrome with one of their tools.
T1574.002: APT32 ran legitimately-signed executables from Symantec and McAfee which load a malicious DLL. The group also side-loads its backdoor by dropping a library and a legitimate signed executable (AcroTranscoder).
T1574.002: APT41 used legitimate executables to perform DLL side-loading of their malware.
T1574.002: BADNEWS typically loads its DLL file into a legitimate signed Java or VMware executable.
T1574.002: DLL side-loading has been used to execute BBSRAT through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with BBSRAT by the dropper.
T1574.002: BlackTech has used DLL side loading by giving DLLs hardcoded names and placing them in searched directories.
T1574.002: BRONZE BUTLER has used legitimate applications to side-load malicious DLLs.
T1574.002: Chimera has used side loading to place malicious DLLs in memory.
T1574.002: Denis exploits a security vulnerability to load a fake DLL and execute its code.
T1574.002: Egregor has used DLL side-loading to execute its payload.
T1574.002: FinFisher uses DLL side-loading to load malicious programs.
T1574.002: GALLIUM used DLL side-loading to covertly load PoisonIvy into memory on the victim machine.
T1574.002: A gh0st RAT variant has used DLL side-loading.
T1574.002: Goopy has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft and Google.
T1574.002: Higaisa's JavaScript file used a legitimate Microsoft Office 2007 package to side-load the OINFO12.OCX dynamic link library.
T1574.002: HTTPBrowser has used DLL side-loading.
T1574.002: HyperBro has used a legitimate application to sideload a DLL to decrypt, decompress and run a payload.
T1574.002: Javali can use DLL side-loading to load malicious DLLs into legitimate executables.
T1574.002: LookBack side loads its communications module as a DLL into the libcurl.dll loader.
T1574.002: menuPass has used DLL side-loading to launch versions of Mimikatz and PwDump6 as well as UPPERCUT.
T1574.002: Metamorfo has side-loaded its malicious DLL file.
T1574.002: Mustang Panda has used a legitimately signed executable to execute a malicious payload within a DLL file.
T1574.002: Naikon has used DLL side-loading to load malicious DLLs into legitimate executables.
T1574.002: OwaAuth has been loaded onto Exchange servers and disguised as an ISAPI filter (DLL file). The IIS w3wp.exe process then loads the malicious DLL.
T1574.002: A Patchwork .dll that contains BADNEWS is loaded and executed using DLL side-loading.
T1574.002: PlugX has used DLL side-loading to evade anti-virus.
T1574.002: Sakula uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee Outlook Scan About Box to load malicious DLL files.
T1574.002: Sidewinder has used DLL side-loading to drop and execute malicious payloads, including the hijacking of the legitimate Windows application file rekeywiz.exe.
T1574.002: During the T9000 installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware.
T1574.002: Threat Group-3390 has used DLL side-loading, including by using legitimate Kaspersky antivirus variants in which the DLL acts as a stub loader that loads and executes the shell code.
T1574.002: Tropic Trooper has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools.
T1574.002: Waterbear has used DLL side loading to import and load a malicious DLL loader.
T1574.002: Wingbird side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service.
T1574.002: ZeroT has used DLL side-loading to load malicious payloads.
T1553.006: APT39 has used malware to turn off the RequireSigned feature, which ensures only signed DLLs can be run on Windows.
T1553.006: BlackEnergy has enabled the TESTSIGNING boot configuration option to facilitate loading of a driver component.
T1553.006: Hikit has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component.
T1553.006: Turla has modified variables in kernel memory to turn off Driver Signature Enforcement after exploiting vulnerabilities that obtained kernel mode privileges.
T1553.006: ESPecter patches the Windows kernel function SepInitializeCodeIntegrity directly in memory to disable Driver Signature Enforcement (DSE).
T1562.003: APT38 has prepended a space to all of their terminal commands to operate without leaving traces in the HISTCONTROL environment.
T1562.003: Attackers set the SaveNothing option for PSReadLine to turn off logging of PowerShell command history.
T1562.003: Threat actors set the command history size to zero (export HISTFILESIZE=0) to prevent logging of commands.
T1562.003: Prior to executing PowerShell commands, attackers meddled with the PSReadLine module to disable
logging.'), 'T1562.003': ('After getting the initial access to the Windows Server hackers changed PSReadLine logging destination to confuse incident responders.'), 'T1036.004': ('APT-C-36 has disguised its scheduled tasks as those used by Google.'), 'T1036.004': ('APT29 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.'), 'T1036.004': ('APT32 has used hidden or non-printing characters to help masquerade service names such as appending a Unicode no-break space character to a legitimate service name. APT32 has also impersonated the legitimate Flash installer file name install_flashplayer.exe.'), 'T1036.004': ('Attor's dispatcher disguises itself as a legitimate task (i.e. the task name and description appear legitimate).'), 'T1036.004': ('Bazar can create a task named to appear benign.'), 'T1036.004': ('build_downer has added itself to the Registry Run key as NVIDIA to appear legitimate.'), 'T1036.004': ('Carbanak has copied legitimate service names to use for malicious services.'), 'T1036.004': ('Catchamas adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service.'), 'T1036.004': ('ComRAT has used a task name associated with Windows SQM Consolidator.'), 'T1036.004': ('Crutch has established persistence with a scheduled task impersonating the Outlook item finder.'), 'T1036.004': ('CSPY Downloader has attempted to appear as a legitimate Windows service with a fake description claiming it is used to support packed applications.'), 'T1036.004': ('Egregor has masqueraded the svchost.exe process to exfiltrate data.'), 'T1036.004': ('The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the description "Windows Check AV" in an apparent attempt to masquerade as a legitimate service.'), 'T1036.004': ('FIN6 has renamed the psexec service name to mstdc to masquerade as a legitimate Windows service.'), 'T1036.004': ('FIN7 has created a scheduled task 
named "AdobeFlashSync" to establish persistence.'), 'T1036.004': ('Fox Kitten has named the task for a reverse proxy lpupdate to appear legitimate.'), 'T1036.004': ('Fysbis has masqueraded as the rsyncd and dbus-inotifier services.'), 'T1036.004': ('GoldMax has impersonated systems management software to avoid detection.'), 'T1036.004': ('Higaisa named a shellcode loader binary svchast.exe to spoof the legitimate svchost.exe.'), 'T1036.004': ('InnaputRAT variants have attempted to appear legitimate by adding a new service named OfficeUpdateService.'), 'T1036.004': ('InvisiMole has attempted to disguise itself by registering under a seemingly legitimate service name.'), 'T1036.004': ('IronNetInjector has been disguised as a legitimate service using the name PythonUpdateSrvc.'), 'T1036.004': ('Kimsuky has disguised services to appear as benign software or related to operating system functions.'), 'T1036.004': ('Kwampirs establishes persistence by adding a new service with the display name WMI Performance Adapter Extension in an attempt to masquerade as a legitimate WMI service.'), 'T1036.004': ('A Lazarus Group custom backdoor implant included a custom PE loader named Security Package that was added into the lsass.exe process via registry key.'), 'T1036.004': ('Machete renamed task names to masquerade as legitimate Google Chrome Java Dropbox Adobe Reader and Python tasks.'), 'T1036.004': ('Maze operators have created scheduled tasks masquerading as Windows Update Security Windows Update Security Patches and Google Chrome Security Update designed to launch the ransomware.'), 'T1036.004': ('Nidiran can create a new service named msamger (Microsoft Security Accounts Manager) which mimics the legitimate Microsoft database by the same name.'), 'T1036.004': ('Okrum can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager.'), 'T1036.004': ('OSX_OCEANLOTUS.D has disguised its app 
bundle by adding special characters to the filename and using the icon for legitimate Word documents.'), 'T1036.004': ('In one instance menuPass added PlugX as a service with a display name of Corel Writing Tools Utility.'), 'T1036.004': ('POWERSTATS has created a scheduled task named MicrosoftEdge to establish persistence.'), 'T1036.004': ('PROMETHIUM has named services to appear legitimate.'), 'T1036.004': ('New services created by RawPOS are made to appear like legitimate Windows services with names such as Windows Management Help Service Microsoft Support and Windows Advanced Task Manager.'), 'T1036.004': ('RDAT has used Windows Video Service as a name for malicious services.'), 'T1036.004': ('RTM has named the scheduled task it creates Windows Update.'), 'T1036.004': ('Seasalt has masqueraded as a service called SaSaut with a display name of System Authorization Service in an apparent attempt to masquerade as a legitimate service.'), 'T1036.004': ('Shamoon creates a new service named "ntssrv" that attempts to appear legitimate; the service display name is "Microsoft Network Realtime Inspection Service" and its description is "Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols." Newer versions create the MaintenaceSrv service which misspells the word maintenance.'), 'T1036.004': ('ShimRat can impersonate Windows services and antivirus products to avoid detection on compromised systems.'), 'T1036.004': ('SLOTHFULMEDIA has named a service it establishes on victim machines as TaskFrame to hide its malicious purpose.'), 'T1036.004': ('StrongPity has named services to appear legitimate.'), 'T1036.004': ('To establish persistence Truvasys adds a Registry Run key with a value TaskMgr in an attempt to masquerade as the legitimate Windows Task Manager.'), 'T1036.004': ('UNC2452 named tasks \Microsoft\Windows\SoftwareProtectionPlatform\EventCacheManager in order to appear legitimate.'), 'T1036.004': ('Some Volgmer 
variants add new services with display names generated by a list of hard-coded strings such as Application Background Security and Windows presumably as a way to masquerade as a legitimate service.'), 'T1036.004': ('Wizard Spider has used scheduled tasks to install TrickBot using task names to appear legitimate such as WinDotNet GoogleTask or Sysnetsf. It has also used common document file names for other malware binaries.'), 'T1036.004': ('ZIRCONIUM has created a run key named Dropbox Update Setup to mask a persistence mechanism for a malicious binary.'), 'T1003.006': ('APT29 leveraged privileged accounts to replicate directory service data with domain controllers.'), 'T1003.006': ('Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways including from DCSync NetSync.'), 'T1003.006': ('Operation Wocao has used Mimikatz DCSync to dump credentials from the memory of the targeted system.'), 'T1003.006': ('UNC2452 leveraged privileged accounts to replicate directory service data with domain controllers.'), 'T1003.006': 'The attacker discovered domain controllers (DCs) and submitted a replication request. 
This prompted the primary DC to replicate the credentials of other DCs back to the compromised domain administrator using the Directory Replication Service (DRS) remote protocol.'), 'T1003.004': ('APT33 has used a variety of publicly available tools like LaZagne to gather credentials.'), 'T1003.004': ('CosmicDuke collects LSA secrets.'), 'T1003.004': ('CrackMapExec can dump hashed passwords from LSA secrets for the targeted system.'), 'T1003.004': ('Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes.'), 'T1003.004': ('gsecdump can dump LSA secrets.'), 'T1003.004': ('SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.'), 'T1003.004': ('Ke3chang has dumped credentials including by using gsecdump.'), 'T1003.004': ('LaZagne can perform credential dumping from LSA secrets to obtain account and password information.'), 'T1003.004': ('Leafminer used several tools for retrieving login and password information including LaZagne.'), 'T1003.004': ('menuPass has used a modified version of pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.'), 'T1003.004': ('Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. It contains functionality to acquire information about credentials in many ways including from the LSA.'), 'T1003.004': ('MuddyWater has performed credential dumping with LaZagne.'), 'T1003.004': ('OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.'), 'T1003.004': ('Pupy can use Lazagne for harvesting credentials.'), 'T1003.004': 'Threat Group-3390 actors have used gsecdump to dump credentials. 
They have also dumped credentials from domain controllers.'), 'T1110.001': ('APT28 has used a brute-force password-spray tooling that operated in two modes: in brute-force mode it typically sent over 300 authentication attempts per hour per targeted account over the course of several hours or days.'), 'T1110.001': ('China Chopper server component can perform brute force password guessing against authentication portals.'), 'T1110.001': ('CrackMapExec can brute force passwords for a specified user on a single target system or across an entire network.'), 'T1110.001': ('Emotet has been observed using a hard coded list of passwords to brute force user accounts.'), 'T1110.001': ('Lucifer has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and passwords.'), 'T1110.001': ('P.A.S. Webshell can use predefined users and passwords to execute brute force attacks against SSH FTP POP3 MySQL MSSQL and PostgreSQL services.'), 'T1110.001': ('Pony has used a small dictionary of common passwords against a collected list of local accounts.'), 'T1110.001': ('SpeakUp can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels.'), 'T1110.001': ('Xbash can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports.'), 'T1557.002': ('Cleaver has used custom tools to facilitate ARP cache poisoning.'), 'T1557.002': ('Iran's cyber hacking skills have evolved to include customized private tools with ARP poisoning function.'), 'T1557.002': ('Alireza's C++ tools include the following techniques: ARP poisoning'), 'T1557.002': ('Jasus is an ARP cache poisoner developed by the Operation Cleaver team.'), 'T1557.002': ('Cain & Abel is a publicly available toolkit with the ability to conduct attacks like ARP cache poisoning in order to capture credentials being transmitted on the network.'), 'T1497.001': 
('Astaroth can check for Windows product ID used by sandboxes and usernames and disk serial numbers associated with analyst environments.'), 'T1497.001': ('Attor can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts such as communication with I/O ports and using VM-specific instructions.'), 'T1497.001': ('BadPatch attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name BIOS and motherboard information.'), 'T1497.001': ('CSPY Downloader can search loaded modules PEB structure file paths Registry keys and memory to determine if it is being debugged or running in a virtual environment.'), 'T1497.001': ('Darkhotel malware has used a series of checks to determine if it is being analyzed; checks include the length of executable names if a filename ends with .Md5.exe and if the program is executed from the root of the C: drive as well as checks for sandbox-related libraries.'), 'T1497.001': ('Denis ran multiple system checks looking for processor and register characteristics to evade emulation and analysis.'), 'T1497.001': ('Dyre can detect sandbox analysis environments by inspecting the process list and Registry.'), 'T1497.001': ('EvilBunny's dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment.'), 'T1497.001': ('Evilnum has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments.'), 'T1497.001': ('FinFisher obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox virtualized environments.'), 'T1497.001': ('Frankenstein has used WMI queries to check if various security applications were running including VMWare and Virtualbox.'), 'T1497.001': ('GoldMax will check if it is being run in a virtualized environment by comparing the collected MAC 
address to c8:27:cc:c2:37:5a.'), 'T1497.001': ('Grandoreiro can detect VMWare via its I/O port and Virtual PC via the vpcext instruction.'), 'T1497.001': ('GravityRAT uses WMI to check the BIOS and manufacturer information for strings like VMWare Virtual and XEN and another WMI request to get the current temperature of the hardware to determine if it is a virtual machine environment.'), 'T1497.001': ('InvisiMole can check for artifacts of VirtualBox Virtual PC and VMware environment and terminate itself if they are detected.'), 'T1497.001': ('Lucifer can check for specific usernames computer names device drivers DLL and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected.'), 'T1497.001': ('MegaCortex has checked the number of CPUs in the system to avoid being run in a sandbox or emulator.'), 'T1497.001': ('Okrum's loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total.'), 'T1497.001': ('OopsIE performs several anti-VM and sandbox checks on the victim machine. One technique the group has used was to perform a WMI query SELECT * FROM MSAcpi_ThermalZoneTemperature to check the temperature to see if it is running in a virtual environment.'), 'T1497.001': ('OSX_OCEANLOTUS.D has a variant that checks a number of system parameters to see if it is being run on real hardware or in a virtual machine environment.'), 'T1497.001': ('PlugX checks if VMware tools is running in the background by searching for any process named vmtoolsd.'), 'T1497.001': ('PoetRAT checked the size of the hard drive to determine if it was being run in a sandbox environment. 
In the event of sandbox detection it would delete itself by overwriting the malware scripts with the contents of License.txt and exiting.'), 'T1497.001': ('Pupy has a module that checks a number of indicators on the system to determine if its running on a virtual machine.'), 'T1497.001': ('Remcos searches for Sandboxie and VMware on the system.'), 'T1497.001': ('RogueRobin uses WMI to check BIOS version for VBOX bochs qemu virtualbox and vm to check for evidence that the script might be executing within an analysis environment.'), 'T1497.001': ('ROKRAT checks for sandboxing libraries.'), 'T1497.001': ('Smoke Loader scans processes to perform anti-VM checks.'), 'T1497.001': ('SUNBURST checked the domain name of the compromised host to verify it was running in a real environment.'), 'T1497.001': ('SynAck checks its directory location in an attempt to avoid launching in a sandbox.'), 'T1497.001': 'ThiefQuest uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl checking the returned value of P_TRACED. ThiefQuest also calls ptrace with the PTRACE_DENY_ATTACH flag to prevent debugging.'), 'T1497.001': 'Trojan.Karagany can detect commonly used and generic virtualization platforms based primarily on drivers and file paths.'), 'T1497.001': ('UBoatRAT checks for virtualization software such as VMWare VirtualBox or QEmu on the compromised machine.'), 'T1497.001': ('yty has some basic anti-sandbox detection that tries to detect Virtual PC Sandboxie and VMware. 
'), 'T1556.003': ('Ebury can deactivate PAM modules to tamper with the sshd configuration.'), 'T1556.003': ('Skidmap has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users.'), 'T1556.003': ('This malware downgrades security features by deactivating pluggable authentication modules (PAM) modules.'), 'T1556.003': ('The malware replaces the system pam_unix.so file (the module responsible for standard Unix authentication) with its own malicious version (detected as Backdoor.Linux.PAMDOR.A). As shown in Figure 2 this malicious pam_unix.so file accepts a specific password for any users thus allowing the attackers to log in as any user in the machine.'), 'T1556.003': ('Our roadmap is pretty simple: add a custom PAM module that logs the credential in plaintext and send it to our C&C through a DNS resolution.'), 'T1556.002': ('Remsec harvests plain-text credentials as a password filter registered on domain controllers.'), 'T1556.002': ('Strider has registered its persistence module on domain controllers as a Windows LSA (Local System Authority) password filter to acquire credentials any time a domain local user or administrator logs in or changes a password.'), 'T1556.002': ('The library was masquerading as a Windows password filter which is something administrators typically use to ensure passwords match specific requirements for length and complexity. The module started every time a network or local user logged in or changed a password and it was able to view passcodes in plaintext.'), 'T1556.002': ('ProjectSauron usually registers its persistence module on domain controllers as a Windows LSA (Local 
System Authority) password filter.'), 'T1556.002': ('The library was registered as a Windows password filter and had access to sensitive data such as administrative passwords in cleartext.'), 'T1556.004': ('SYNful Knock has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device.'), 'T1556.004': ('The SYNful Knock implant consists of a modified Cisco IOS image that allows the attacker to load different functional modules provides unrestricted access using a secret backdoor password while preventing the size of the image from changing.'), 'T1556.004': ('Adversaries used Patch System Image to hard code a password in the operating system thus bypassing native authentication mechanisms for local accounts on network devices.'), 'T1556.004': ('Attacker modified the system image to provide attacker-controlled network devices access using a specific password.'), 'T1556.004': ('After the initial access to the router hackers modified its operating system in a way to install a backdoor access for network device authentication.'), 'T1556.001': ('Chimera malware has altered the NTLM authentication program on domain controllers to allow Chimera to login without a valid credential.'), 'T1556.001': ('Skeleton Key is used to patch an enterprise domain controller authentication process with a backdoor password. 
It allows adversaries to bypass the standard authentication system to use a defined password for all accounts authenticating to that domain controller.'), 'T1556.001': ('Skeleton Key is deployed as an in-memory patch on a victim AD domain controllers to allow the threat actor to authenticate as any user while legitimate users can continue to authenticate as normal.'), 'T1556.001': 'The malware employed a technique that altered the NTLM authentication program and implanted a skeleton key to allow adversaries to log-in without a valid credential.'), 'T1556.001': ('In the RC4 initialization function a new RC4 NTLM was injected with a pre-calculated hash value of the skeleton key. When the authentication check failed due to incorrect credentials the RC4 decryption function prompted the authentication process to compare the credentials with the skeleton key.'), 'T1573.002': ('adbupd contains a copy of the OpenSSL library to encrypt C2 traffic.'), 'T1573.002': ('A variant of ADVSTORESHELL encrypts some C2 with RSA.'), 'T1573.002': ('Attor Blowfish key is encrypted with a public RSA key.'), 'T1573.002': ('Bazar can use TLS in C2 communications.'), 'T1573.002': ('BISCUIT uses SSL for encrypting C2 communications.'), 'T1573.002': ('Carbon has used RSA encryption for C2 communications.'), 'T1573.002': ('CHOPSTICK encrypts C2 communications with TLS.'), 'T1573.002': ('Cobalt Group has used the Plink utility to create SSH tunnels.'), 'T1573.002': ('Cobalt Strike can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server.'), 'T1573.002': ('ComRAT can use SSL TLS encryption for its HTTP-based C2 channel. 
ComRAT has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel.'), 'T1573.002': ('Doki has used the embedTLS library for network communications.'), 'T1573.002': ('Dridex has encrypted traffic with RSA.'), 'T1573.002': ('Emotet is known to use RSA keys for encrypting C2 traffic.'), 'T1573.002': ('Empire can use TLS to encrypt its C2 channel.'), 'T1573.002': ('FIN6 used the Plink command-line utility to create SSH tunnels to C2 servers.'), 'T1573.002': ('FIN8 has used the Plink utility to tunnel RDP back to C2 infrastructure.'), 'T1573.002': ('Gazer uses custom encryption for C2 that uses RSA.'), 'T1573.002': ('GoldMax has RSA-encrypted its communication with the C2 server.'), 'T1573.002': ('Grandoreiro can use SSL in C2 communication.'), 'T1573.002': ('GreyEnergy encrypts communications using RSA-2048.'), 'T1573.002': ('Hi-Zor encrypts C2 traffic with TLS.'), 'T1573.002': ('IcedID has used SSL and TLS in communications with C2.'), 'T1573.002': ('Koadic can use SSL and TLS for communications.'), 'T1573.002': ('Machete has used TLS-encrypted FTP to exfiltrate data.'), 'T1573.002': ('Metamorfo C2 communication has been encrypted using OpenSSL.'), 'T1573.002': ('OilRig used the Plink utility and other tools to create tunnels to C2 servers.'), 'T1573.002': ('Operation Wocao proxy implementation Agent can upgrade the socket in use to a TLS socket.'), 'T1573.002': ('Pay2Key has used RSA encrypted communications with C2.'), 'T1573.002': ('Penquin can encrypt communications using the BlowFish algorithm and a symmetric key exchanged with Diffie Hellman.'), 'T1573.002': ('PoetRAT used TLS to encrypt command and control (C2) communications.'), 'T1573.002': ('POSHSPY encrypts C2 traffic with AES and RSA.'), 'T1573.002': ('POWERSTATS has encrypted C2 traffic with RSA.'), 'T1573.002': ('Pupy default encryption for its C2 communication channel is SSL but it also has transport options for RSA and AES.'), 'T1573.002': ('REvil has 
encrypted C2 communications with the ECIES algorithm.'), 'T1573.002': ('ServHelper may set up a reverse SSH tunnel to give the attacker access to services running on the victim such as RDP.'), 'T1573.002': ('StrongPity has encrypted C2 traffic using SSL/TLS.'), 'T1573.002': ('Sykipot uses SSL for encrypting C2 communications.'), 'T1573.002': ('Tor encapsulates traffic in multiple layers of encryption using TLS by default.'), 'T1573.002': ('Trojan.Karagany can secure C2 communications with SSL and TLS.'), 'T1573.002': ('Tropic Trooper has used SSL to connect to C2 servers.'), 'T1573.002': ('Some Volgmer variants use SSL to encrypt C2 communications.'), 'T1573.002': ('WannaCry uses Tor for command and control traffic and routes a custom cryptographic protocol over the Tor circuit.'), 'T1573.002': ('WellMail can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS.'), 'T1573.002': ('WellMess can communicate to C2 with mutual TLS where client and server mutually check certificates.'), 'T1573.002': ('XTunnel uses SSL/TLS and RC4 to encrypt traffic.'), 'T1573.002': ('Zebrocy uses SSL and AES ECB for encrypting C2 communications.'), 'T1036.005': ('admin@338 actors used the following command to rename one of their tools to a benign file name: ren "%temp%\upload" audiodg.exe'), 'T1036.005': ('The file name AcroRD32.exe a legitimate process name for Adobe Acrobat Reader was used by APT1 as a name for malware.'), 'T1036.005': ('APT29 renamed a version of AdFind to sqlceip.exe or csrss.exe in an attempt to appear as the SQL Server Telemetry Client or Client Service Runtime Process respectively.'), 'T1036.005': ('APT32 has renamed a NetCat binary to kb-10233.exe to masquerade as a Windows update. 
APT32 has also renamed a Cobalt Strike beacon payload to install_flashplayers.exe.'), 'T1036.005': ('APT39 has used malware disguised as Mozilla Firefox and a tool named mfevtpse.exe to proxy C2 communications closely mimicking a legitimate McAfee file mfevtps.exe.'), 'T1036.005': ('APT41 attempted to masquerade their files as popular anti-virus software.'), 'T1036.005': ('BackConfig has hidden malicious payloads in %USERPROFILE%\Adobe\Driver\dwg and mimicked the legitimate DHCP service binary.'), 'T1036.005': ('BADNEWS attempts to hide its payloads using legitimate filenames.'), 'T1036.005': ('The Bazar loader has named malicious shortcuts adobe.'), 'T1036.005': ('BLINDINGCAN has attempted to hide its payload by using legitimate file names such as iconcache.db.'), 'T1036.005': ('Blue Mockingbird has masqueraded their XMRIG payload name by naming it wercplsupporte.dll after the legitimate wercplsupport.dll file.'), 'T1036.005': ('BRONZE BUTLER has given malware the same name as an existing file on the file share server to cause users to unwittingly launch and install the malware on additional systems.'), 'T1036.005': ('Bundlore has disguised a malicious .app file as a Flash Player update.'), 'T1036.005': ('Calisto's installation file is an unsigned DMG image under the guise of Intego's security solution for mac.'), 'T1036.005': ('Carbanak has named malware svchost.exe which is the name of the Windows shared service host program.'), 'T1036.005': ('Carberp has masqueraded as Windows system file names as well as chkntfs.exe and syscron.exe.'), 'T1036.005': ('ChChes copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. 
notron.exe).'), 'T1036.005': ('Chimera has renamed malware to GoogleUpdate.exe and WinRAR to jucheck.exe RecordedTV.ms teredo.tmp update.exe and msadcs1.exe.'), 'T1036.005': ('DarkComet has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file.'), 'T1036.005': ('Darkhotel has used malware that is disguised as a Secure Shell (SSH) tool.'), 'T1036.005': ('Daserf uses file and folder names related to legitimate programs in order to blend in such as HP Intel Adobe and perflogs.'), 'T1036.005': ('Doki has disguised a file as a Linux kernel module.'), 'T1036.005': ('One of Dtrack can hide in replicas of legitimate programs like OllyDbg 7-Zip and FileZilla.'), 'T1036.005': ('If installing itself as a service fails Elise instead writes itself as a file named svchost.exe saved in %APPDATA%\Microsoft\Network.'), 'T1036.005': ('FatDuke has attempted to mimic a compromised user traffic by using the same user agent as the installed browser.'), 'T1036.005': ('Felismus has masqueraded as legitimate Adobe Content Management System files.'), 'T1036.005': ('FinFisher renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file.'), 'T1036.005': ('Fox Kitten has named binaries and configuration files svhost and dllhost respectively to appear legitimate.'), 'T1036.005': ('Fysbis has masqueraded as trusted software rsyncd and dbus-inotifier.'), 'T1036.005': ('GoldenSpy's setup file installs initial executables under the folder %WinDir%\System32\PluginManager.'), 'T1036.005': ('GoldMax appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder.'), 'T1036.005': ('Goopy has impersonated the legitimate goopdate.dll which was dropped on the target system with a legitimate GoogleUpdate.exe.'), 'T1036.005': ('Grandoreiro has named malicious browser extensions and update files to appear legitimate.'), 
'T1036.005': ('Hildegard has disguised itself as a known Linux process.'), 'T1036.005': ('The HTTPBrowser installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL.'), 'T1036.005': ('Indrik Spider used fake updates for the FlashPlayer plugin and Google Chrome as initial infection vectors.'), 'T1036.005': ('InnaputRAT variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe.'), 'T1036.005': ('InvisiMole has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder.'), 'T1036.005': ('Ixeshe has used registry values and file names associated with Adobe software, such as AcroRd32.exe.'), 'T1036.005': ('KGH_SPY has masqueraded as a legitimate Windows tool.'), 'T1036.005': ('KONNI creates a shortcut called "Anti virus service.lnk" in an apparent attempt to masquerade as a legitimate file.'), 'T1036.005': ('Lazarus Group has renamed the TAINTEDSCRIBE main executable to disguise itself as Microsoft Narrator.'), 'T1036.005': ('LightNeuron has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat.'), 'T1036.005': ('LookBack has a C2 proxy tool that masquerades as GUP.exe, which is software used by Notepad++.'), 'T1036.005': ('The Machete MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer.'), 'T1036.005': ('Machete renamed payloads to masquerade as legitimate Google Chrome, Java, Dropbox, Adobe Reader, and Python executables.'), 'T1036.005': ('MCMD has been named Readme.txt to appear legitimate.'), 'T1036.005': ('MechaFlounder has been downloaded as a file named lsass.exe, which matches the legitimate Windows file.'), 'T1036.005': ('menuPass has been seen changing malicious files to appear legitimate.'), 'T1036.005': ('Metamorfo has disguised an MSI file as the Adobe Acrobat Reader Installer.'),
'T1036.005': ('Mis-Type saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.'), 'T1036.005': ('Misdat saves itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.'), 'T1036.005': ('MuddyWater has disguised malicious executables and used filenames and Registry key names associated with Windows Defender.'), 'T1036.005': ('Mustang Panda has used adobeupdate.dat as a PlugX loader and a file named OneDrive.exe to load a Cobalt Strike payload.'), 'T1036.005': ('NETWIRE has masqueraded as legitimate software, including TeamViewer and macOS Finder.'), 'T1036.005': ('NOKKI is written to LOCALAPPDATAMicroSoft UpdateasvServiceUpdate.exe prior to being executed in a new process, in an apparent attempt to masquerade as a legitimate folder and file.'), 'T1036.005': ('OLDBAIT installs itself in ALLUSERPROFILEApplication DataMicrosoftMediaPlayerupdatewindws.exe; the directory name is missing a space and the file name is missing the letter o.'), 'T1036.005': ('OSX Shlayer can masquerade as a Flash Player update.'), 'T1036.005': ('OwaAuth uses the filename owaauth.dll, which is a legitimate file that normally resides in ProgramFilesMicrosoftExchange ServerClientAccessOwaAuth; the malicious file by the same name is saved in ProgramFilesMicrosoftExchange ServerClientAccessOwabin.'), 'T1036.005': ('Patchwork installed its payload in the startup programs folder as "Baidu Software Update". The group also adds its second stage payload to the startup programs as "Net Monitor".
They have also dropped QuasarRAT binaries as files named microsoft_network.exe and crome.exe.'), 'T1036.005': ('Penquin has mimicked the Cron binary to hide itself on compromised systems.'), 'T1036.005': ('PipeMon modules are stored on disk with seemingly benign names, including use of a file extension associated with a popular word processor.'), 'T1036.005': ('Pony has used the Adobe Reader icon for the downloaded file to look more trustworthy.'), 'T1036.005': ('Poseidon Group tools attempt to spoof anti-virus processes as a means of self-defense.'), 'T1036.005': ('PROMETHIUM has disguised malicious installer files by bundling them with legitimate software installers.'), 'T1036.005': ('PUNCHBUGGY mimics filenames from SYSTEMSystem32 to hide DLLs in WINDIR and/or TEMP.'), 'T1036.005': ('Pysa has executed a malicious executable by naming it svchost.exe.'), 'T1036.005': ('QUADAGENT used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1.'), 'T1036.005': ('Raindrop was installed under names that resembled legitimate Windows file and directory names.'), 'T1036.005': ('Ramsay has masqueraded as a 7zip installer.'), 'T1036.005': ('RDAT has masqueraded as VMware.exe.'), 'T1036.005': ('The Remsec loader implements itself with the name Security Support Provider, a legitimate Windows function. Various Remsec .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. Remsec also disguised malicious modules using similar filenames as custom network encryption software on victims.'), 'T1036.005': ('REvil can mimic the names of known executables.'), 'T1036.005': ('Rocke has used shell scripts which download mining executables and save them with the filename java.'), 'T1036.005': ('Ryuk has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path.
For Windows Vista or higher, the path would appear as C:UsersPublic.'), 'T1036.005': ('S-Type may save itself as a file named msdtc.exe, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary.'), 'T1036.005': ('Sandworm Team has avoided detection by naming a malicious binary explorer.exe.'), 'T1036.005': ('ShimRatReporter spoofed itself as AlphaZawgyl_font.exe, a specialized Unicode font.'), 'T1036.005': ('Sibot has downloaded a DLL to the C:windowssystem32drivers folder and renamed it with a .sys extension.'), 'T1036.005': ('Sidewinder has named malicious files rekeywiz.exe to match the name of a legitimate Windows executable.'), 'T1036.005': ('Silence has named its backdoor WINWORD.exe.'), 'T1036.005': ('Skidmap has created a fake rm binary to replace the legitimate Linux binary.'), 'T1036.005': ('SLOTHFULMEDIA has mimicked the names of known executables, such as mediaplayer.exe.'), 'T1036.005': ('Sowbug named its tools to masquerade as Windows or Adobe Reader software, such as by using the file name adobecms.exe and the directory CSIDL_APPDATAmicrosoftsecurity.'), 'T1036.005': ('To establish persistence, SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start", "Yahoo Talk", "MSN Gaming Z0ne", or "MSN Talk" shortcut.'), 'T1036.005': ('Starloader has masqueraded as legitimate software update packages, such as Adobe Acrobat Reader and Intel.'), 'T1036.005': ('StrongPity has been bundled with legitimate software installation files for disguise.'), 'T1036.005': ('SUNBURST created VBScripts that were named after existing services or folders to blend into legitimate activities.'), 'T1036.005': ('SUNSPOT was identified on disk with a filename of taskhostsvc.exe and it created an encrypted log file at C:WindowsTempvmware-vmdmp.log.'), 'T1036.005': ('SUPERNOVA has masqueraded as a legitimate SolarWinds DLL.'), 'T1036.005': ('The TAINTEDSCRIBE main executable has disguised itself as
Microsoft Narrator.'), 'T1036.005': ('TEARDROP files had names that resembled legitimate Windows file and directory names.'), 'T1036.005': ('TEMP.Veles has renamed files to look like legitimate files, such as Windows update files or Schneider Electric application files.'), 'T1036.005': ('ThiefQuest prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable.'), 'T1036.005': ('Tropic Trooper has hidden payloads in Flash directories and fake installer files.'), 'T1036.005': ('UNC2452 renamed a version of AdFind to sqlceip.exe or csrss.exe in an attempt to appear as the SQL Server Telemetry Client or Client Service Runtime Process, respectively.'), 'T1036.005': ('Ursnif has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names.'), 'T1036.005': ('USBStealer mimics a legitimate Russian program called USB Disk Security.'), 'T1036.005': ('Whitefly has named the malicious DLL the same name as DLLs belonging to legitimate software from various security vendors.'), 'T1036.005': ('A Winnti for Windows implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name.'), 'T1036.005': ('ZLib mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules.'), 'T1562.001': ('Agent Tesla has the capability to kill any running analysis processes and AV software.'), 'T1562.001': ('APT29 used the service control manager on a remote system to disable services associated with security monitoring products.'), 'T1562.001': ('Bazar has manually loaded ntdll from disk in order to identify and remove API hooks set by security products.'), 'T1562.001': ('Brave Prince terminates antimalware processes.'), 'T1562.001': ('BRONZE BUTLER has incorporated code into several tools that attempts to terminate anti-virus processes.'), 'T1562.001': ('Bundlore can change macOS security settings and browser preferences to enable
follow-on behaviors.'), 'T1562.001': ('Carberp has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed.'), 'T1562.001': ('ChChes can alter the victim proxy configuration.'), 'T1562.001': ('Cobalt Strike has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox.'), 'T1562.001': ('DarkComet can disable Security Center functions like anti-virus.'), 'T1562.001': ('Ebury can disable SELinux Role-Based Access Control and deactivate PAM modules.'), 'T1562.001': ('Egregor has disabled Windows Defender to evade protections.'), 'T1562.001': ('FIN6 has deployed a utility script named kill.bat to disable anti-virus.'), 'T1562.001': ('Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.'), 'T1562.001': ('Gold Dragon terminates anti-malware processes if they are found running on the system.'), 'T1562.001': ('Goopy has the ability to disable Microsoft Outlook security policies to disable macro warnings.'), 'T1562.001': ('Gorgon Group malware can attempt to disable security features in Microsoft Office and Windows Defender using the taskkill command.'), 'T1562.001': ('Grandoreiro can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running.'), 'T1562.001': ('H1N1 kills and disables services for Windows Security Center and Windows Defender.'), 'T1562.001': ('HDoor kills anti-virus found on the victim.'), 'T1562.001': ('Hildegard has modified DNS resolvers to evade DNS monitoring tools.'), 'T1562.001': ('Imminent Monitor has a feature to disable Windows Task Manager.'), 'T1562.001': ('JPIN can lower security settings by changing Registry keys.'), 'T1562.001': ('Kimsuky has been observed turning off Windows Security Center.'), 'T1562.001': ('Lazarus Group malware TangoDelta attempts to terminate various processes associated with McAfee.
Additionally, Lazarus Group malware SHARPKNOT disables the Microsoft Windows System Event Notification and Alerter services. During a 2019 intrusion, Lazarus Group disabled Windows Defender and Credential Guard as some of their first actions on host.'), 'T1562.001': ('LockerGoga installation has been immediately preceded by a task kill command in order to disable anti-virus.'), 'T1562.001': ('Maze has disabled dynamic analysis and other security tools, including IDA debugger, x32dbg, and OllyDbg. It has also disabled the Windows Defender Real-Time Monitoring feature and attempted to disable endpoint protection services.'), 'T1562.001': ('MegaCortex was used to kill endpoint security processes.'), 'T1562.001': ('Metamorfo has a function to kill processes associated with defenses and can prevent certain processes from launching.'), 'T1562.001': ('MuddyWater can disable the system local proxy settings.'), 'T1562.001': ('NanHaiShu can change Internet Explorer settings to reduce warnings about malware activity.'), 'T1562.001': ('NanoCore can modify the victim anti-virus.'), 'T1562.001': ('Netwalker can detect and terminate active security software-related processes on infected systems.'), 'T1562.001': ('Night Dragon has disabled anti-virus and anti-spyware tools in some instances on the victim machines.
The actors have also disabled proxy settings to allow direct communication from victims to the Internet.'), 'T1562.001': ('POWERSTATS can disable Microsoft Office Protected View by changing Registry keys.'), 'T1562.001': ('Proton kills security tools like Wireshark that are running.'), 'T1562.001': ('Malware used by Putter Panda attempts to terminate processes corresponding to two components of Sophos Anti-Virus (SAVAdminService.exe and SavService.exe).'), 'T1562.001': ('Pysa has the capability to stop antivirus services and disable Windows Defender.'), 'T1562.001': ('Ragnar Locker has attempted to terminate/stop processes and services associated with endpoint security products.'), 'T1562.001': ('REvil can connect to and disable the Symantec server on the victim network.'), 'T1562.001': ('RobbinHood will search for Windows services that are associated with antivirus software on the system and kill the process.'), 'T1562.001': ('Rocke used scripts which detected and uninstalled antivirus software.'), 'T1562.001': ('RunningRAT kills running antimalware processes.'), 'T1562.001': ('Ryuk has stopped services related to anti-virus.'), 'T1562.001': ('Skidmap has the ability to set SELinux to permissive mode.'), 'T1562.001': ('SslMM identifies and kills anti-malware processes.'), 'T1562.001': ('StrongPity can add directories used by the malware to the Windows Defender exclusions list to prevent detection.'), 'T1562.001': ('SUNBURST attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist.'), 'T1562.001': ('ThiefQuest uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security related processes.'), 'T1562.001': ('TinyZBot can disable Avira anti-virus.'), 'T1562.001': ('TrickBot can disable Windows Defender.'), 'T1562.001': ('Turla has used an AMSI bypass, which patches the in-memory amsi.dll, in PowerShell scripts to bypass Windows antimalware products.'),
'T1562.001': ('UNC2452 used the service control manager on a remote system to disable services associated with security monitoring products.'), 'T1562.001': ('Unknown Logger has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes.'), 'T1562.001': ('Wizard Spider has shut down or uninstalled security applications on victim systems that might prevent ransomware from executing.'), 'T1562.001': ('ZxShell can kill AV product processes.'), 'T1593.001': ('Kimsuky has used Twitter to monitor potential victims and to prepare targeted phishing e-mails.'), 'T1593.001': ('Hackers use social media to observe activities by interns or new employees from targeted organizations and find relevant information using hashtags such as #NewJob, #Firstday, #internship, #FirstDayatWork, etc.'), 'T1593.001': ('Attackers analyzed social media images posted by company employees to try to find information like internal office layouts, desktop applications, digital files, badge pictures, Outlook calendars in the background of a quintessential coffee cup post, passwords openly written on whiteboards and desks, etc.'), 'T1593.001': ('A short video shared by an employee about a day in the office may provide the attackers with check-in procedures, building layout, parking structure, weak door controls, credentials, employee dress code, trappings, premise security arrangements, operating systems, antivirus choice, phone numbers, and much more.'), 'T1593.001': ('This group was identifying employee social media accounts and researching interpersonal connections to abuse them in the following spear phishing attacks.'), 'T1593.002': ('APT31 used its own anonymization network to collect information on the victim website via search engine queries.'), 'T1593.002': ('The file CobaltStrike MANUAL_V2.docx encourages affiliates to search for the right victims based on income found using Google dorks.'), 'T1593.002': ('The following Google Dork was used to detect vulnerable or hacked servers.'), 'T1593.002':
('Attackers were able to collect plaintext passwords from a specially crafted Google query looking for publicly exposed .env files.'), 'T1593.002': ('This group used search engine queries to inspect the victim organization website for logfiles, spreadsheets, and other documents potentially exposing sensitive information.'), 'T1596.002': ('Kaseya has used a single IP address in a range to find the total size of the range.'), 'T1596.002': ('Domain names can be used to find ownership and contact information.'), 'T1596.002': ('WHOIS can be queried for assigned IP block and DNS name.'), 'T1596.002': ('Kaseya has used active scanning for reconnaissance on networks, open ports, and services.'), 'T1596.002': ('Kaseya has used Shodan to establish operational resources that can be exploited.'), 'T1596.005': ('Adversaries can search public databases for active IP addresses, hostnames, open ports, certificates, and even server banners.'), 'T1596.005': ('Threat actors can use online resources and lookup tools to harvest information from these services.'), 'T1596.005': ('REvil has performed recon against victims by scanning for vulnerable services and open ports.'), 'T1596.005': ('Attackers can use passive and active methods to obtain active port services.'), 'T1596.005': ('Threat actors can use Shodan to search for internet-facing hosts and IP addresses.'), 'T1596.001': ('Threat actors search DNS records to gather information about target hosts.'), 'T1596.001': ('Adversaries can use DNS to discover subdomains.'), 'T1596.001': ('Threat actors can use DNS misconfigurations for initial access.'), 'T1596.001': ('Threat actors can search central repositories of logged responses for information.'), 'T1596.001': ('DNS leaks can provide information about a domain to attackers.'), 'T1596.001': ('Adversaries use the DNS information of mail servers as a pivot to attack.'), 'T1596.003': ('Threat actors use site certificates to gain intel about a target.'), 'T1596.003': ('Threat actors often perform
reconnaissance through data searching via digital certificates.'), 'T1596.003': ('Threat actors check digital certificates for geolocation information to ascertain if a potential target is outside their protected regions.'), 'T1596.003': ('Certain CobaltStrike functionality allows the malware to check openly available digital security data to assist in reconnaissance.'), 'T1596.003': ('APT27 often checks digital certificates to consolidate and contribute to their information before launching an attack.'), 'T1596.004': ('Adversaries use content delivery networks to discover centralized assets.'), 'T1596.004': ('Threat actors can find leaked CDN content that may not have the protections of other assets and can be exploited.'), 'T1596.004': ('CDNs may incorrectly expose login portals on the internet.'), 'T1596.004': ('Threat actors can use OSINT tools to scan open CDN repositories.'), 'T1596.004': ('Attackers can use found assets to determine links to CDNs.'), 'T1597.001': ('Threat actors can use threat intel feeds for valuable information.'), 'T1597.001': ('Threat actors can use paid platforms to monitor what intelligence is being provided to potential targets.'), 'T1597.001': ('Adversaries can monitor what IOCs are being discovered about their campaign to change tactics.'), 'T1597.001': ('Threat actors can determine what other groups are targeting through intel platforms.'), 'T1597.001': ('Threat actors can use intelligence feeds to target new victims.'), 'T1597.002': ('Adversaries may purchase technical information about victims that can be used during targeting.'), 'T1597.002': ('Threat actors may purchase information from dark web or black markets.'), 'T1597.002': ('Reputable private resources have scan database subscriptions.'), 'T1597.002': ('Attackers can use known or unknown repositories of data from Tor sites.'), 'T1597.002': ('Threat actors can gain network and login information purchased from other attacker groups.'), 'T1598.001': ('Attackers will use spearphishing
messages to elicit sensitive information from targets.'), 'T1598.001': ('Spearphishing uses social engineering techniques to get credentials or other information.'), 'T1598.001': ('Spearphishing via email or social media messaging is generally aimed at IT departments, C-suite executives, or non-tech related departments.'), 'T1598.001': ('Threat actors use spearphishing against non-enterprise controlled services, as they have fewer protections.'), 'T1598.001': ('Adversaries may pose as recruiters to garner interest and communication.'), 'T1598.003': ('APT32 has used malicious links to direct users to web pages designed to harvest credentials.'), 'T1598.003': ('Kimsuky has used links in e-mail to steal account information.'), 'T1598.003': ('Sandworm Team has crafted spearphishing emails with hyperlinks designed to trick unwitting recipients into revealing their account credentials.'), 'T1598.003': ('Sidewinder has sent e-mails with malicious links to credential harvesting websites.'), 'T1598.003': ('Silent Librarian has used links in e-mails to direct victims to credential harvesting websites designed to appear like the targeted organization login page.'), 'T1588.003': ('MegaCortex has used code signing certificates issued to fake companies to bypass security controls.'), 'T1588.003': ('Wizard Spider obtained a code signing certificate signed by Digicert for some of its malware.'), 'T1588.003': ('Adversaries may buy code signing certificates to use during targeting.'), 'T1588.003': ('Certificates for fake companies provide legitimacy to run arbitrary code on targeted systems.'), 'T1588.003': ('Adversaries may also steal code signing materials directly from a compromised third-party.'), 'T1585.001': ('APT32 has set up Facebook pages in tandem with fake websites.'), 'T1585.001': ('Cleaver has created fake LinkedIn profiles that included profile photos, details, and connections.'), 'T1585.001': ('Fox Kitten has used a Twitter account to communicate with ransomware victims.'),
'T1585.001': ('Sandworm Team has established social media accounts to disseminate victim internal-only documents and other sensitive data.'), 'T1585.001': ('Leviathan has created new social media accounts for targeting efforts.'), 'T1585.002': ('APT1 has created email accounts for later use in social engineering, phishing, and when registering domains.'), 'T1585.002': ('Magic Hound has established email accounts using fake personas for spear-phishing operations.'), 'T1585.002': ('Sandworm Team has created email accounts that mimic legitimate organizations for its spearphishing operations.'), 'T1585.002': ('Silent Librarian has established e-mail accounts to receive e-mails forwarded from compromised accounts.'), 'T1585.002': ('Leviathan has created new email accounts for targeting efforts.'), 'T1587.001': ('APT29 developed SUNSPOT, SUNBURST, TEARDROP, and Raindrop; SUNSPOT and SUNBURST were tailored to be incorporated into the SolarWinds Orion software library.'), 'T1587.001': ('Cleaver has created customized tools and payloads for functions including ARP poisoning, encryption, credential dumping, ASP.NET shells, web backdoors, process enumeration, WMI querying, HTTP and SMB communications, network interface sniffing, and keystroke logging.'), 'T1587.001': ('FIN7 has developed malware for use in operations, including the creation of infected removable media.'), 'T1587.001': ('Lazarus Group has developed several custom malware for use in operations.'), 'T1587.001': ('Night Dragon used privately developed and customized remote access tools.'), 'T1587.001': ('Sandworm Team has developed malware for its operations, including malicious mobile applications and destructive malware such as NotPetya and Olympic Destroyer.'), 'T1587.001': ('Turla has developed its own unique malware for use in operations.'), 'T1587.001': ('UNC2452 developed SUNSPOT, SUNBURST, TEARDROP, and Raindrop; SUNSPOT and SUNBURST were tailored to be incorporated into the SolarWinds Orion software library.'), 'T1587.004':
('Phosphorus has been deploying ransomware using a Log4J exploit.'), 'T1587.004': ('Wizard Spider developed an exploit targeting CVE-2021-40444.'), 'T1587.004': ('Adversaries may develop exploits that can be used during targeting.'), 'T1587.004': ('DEV-0322 created exploits for ZOHO ManageEngine ADSelfService Plus software.'), 'T1587.004': ('TG1021 uses a custom-made malware framework built around a common core, tailor-made for IIS servers.'), 'T1587.002': ('Patchwork has created self-signed certificates from fictitious and spoofed legitimate software companies that were later used to sign malware.'), 'T1587.002': ('PROMETHIUM has created self-signed certificates to sign malicious installers.'), 'T1587.002': ('Adversaries may create self-signed code signing certificates that can be used during targeting.'), 'T1587.002': ('Users are more likely to run signed code, and code signing certificates can be attached to malware.'), 'T1587.002': ('Malware actors can spoof legitimate certificates.'), 'T1584.006': ('Turla has frequently used compromised WordPress sites for C2 infrastructure.'), 'T1584.006': ('Adversaries may compromise access to third-party web services that can be used during targeting.'), 'T1584.006': ('Adversaries may try to take ownership of a legitimate user access to a web service and use that web service as infrastructure in support of cyber operations.'), 'T1584.006': ('Using common services such as those offered by Google or Twitter makes it easier for adversaries to hide in expected noise.'), 'T1584.006': ('In the case of NotPetya, it is suspected that attackers compromised a vulnerable server used to distribute the software and replaced the legitimate code with their compromised version.'), 'T1584.003': ('Turla has used the VPS infrastructure of compromised Iranian threat actors.'), 'T1584.003': ('By compromising a VPS to use as infrastructure, adversaries can make it difficult to physically tie back operations to themselves.'), 'T1584.003': ('NOBELIUM compromised a Microsoft
Azure AD account within a Cloud Service Provider (CSP) tenant.'), 'T1584.003': ('UNC2452 provisioned a system within Microsoft Azure that was within close proximity to a legitimate Azure-hosted system belonging to the CSP that they used to access their customer environment.'), 'T1584.003': ('A threat actor performed initial reconnaissance via a VPS provider located in the same region as the victim.'), 'T1584.004': ('APT16 has compromised otherwise legitimate sites as staging servers for second-stage payloads.'), 'T1584.004': ('Indrik Spider has served fake updates via legitimate websites that have been compromised.'), 'T1584.004': ('Turla has used compromised servers as infrastructure.'), 'T1584.004': ('Malicious emails sent to targets contain links to a compromised server that redirects to the download of Janeleiro.'), 'T1584.004': ('Candiru operators compromised several high-profile websites.'), 'T1584.001': ('APT1 hijacked FQDNs associated with legitimate websites hosted by hop points.'), 'T1584.001': ('APT29 has compromised domains to use for C2.'), 'T1584.001': ('UNC2452 has compromised domains to use for C2.'), 'T1584.001': ('Magic Hound has used compromised domains to host links targeted to specific phishing victims.'), 'T1584.001': ('Transparent Tribe has compromised domains for use in targeted malicious campaigns.'), 'T1584.002': ('Adversaries may utilize DNS traffic for various tasks, including for Command and Control.'), 'T1584.002': ('Adversaries may compromise third-party DNS servers that can be used during targeting.'), 'T1584.002': ('Threat actors can alter DNS records.'), 'T1584.002': ('DNS control can allow for redirection of an organization traffic, facilitating Collection and Credential Access efforts for the adversary.'), 'T1584.002': ('Adversaries may also be able to silently create subdomains pointed at malicious servers without tipping off the actual owner of the DNS server.'), 'T1584.005': ('Adversaries may compromise numerous
third-party systems to form a botnet that can be used during targeting.'), 'T1584.005': ('Attackers may conduct a takeover of an existing botnet, such as redirecting bots to adversary-controlled C2 servers.'), 'T1584.005': ('FreakOut attacked POS systems in order to use them as a botnet infrastructure.'), 'T1584.005': ('Mirai malware created a botnet used by multiple threat actor groups.'), 'T1584.005': ('Meris attacked Yandex with DDoS using botnets.'), 'T1586.001': ('Leviathan has compromised social media accounts to conduct social engineering attacks.'), 'T1586.001': ('Adversaries may compromise social media accounts that can be used during targeting.'), 'T1586.001': ('Utilizing an existing persona may engender a level of trust in a potential victim if they have a relationship or knowledge of the compromised persona.'), 'T1586.001': ('Attackers can gather credentials via Phishing for Information, purchasing credentials from third-party sites, or by brute forcing credentials.'), 'T1586.001': ('Attacker personas may exist on a single site or across multiple sites.'), 'T1586.002': ('Kimsuky has compromised web portal email accounts to send spearphishing e-mails.'), 'T1586.002': ('Magic Hound has compromised personal email accounts through the use of legitimate credentials and gathered additional victim information.'), 'T1586.002': ('IndigoZebra has compromised legitimate email accounts to use in their spearphishing operations.'), 'T1586.002': ('Leviathan has compromised email accounts to conduct social engineering attacks.'), 'T1586.002': ('Emotet compromised email systems to spread the trojan.'), 'T1583.006': ('APT17 has created profile pages in Microsoft TechNet that were used as C2 infrastructure.'), 'T1583.006': ('APT29 has registered algorithmically generated Twitter handles that are used for C2 by malware such as HAMMERTOSS.'), 'T1583.006': ('APT32 has set up Dropbox, Amazon S3, and Google Drive to host malicious downloads.'), 'T1583.006': ('HAFNIUM has
acquired web services for use in C2 and exfiltration.'), 'T1583.006': ('Lazarus Group has hosted malicious downloads on Github.'), 'T1583.006': ('MuddyWater has used file sharing services, including OneHub, to distribute tools.'), 'T1583.006': ('Turla has created web accounts, including Dropbox and GitHub, for C2 and document exfiltration.'), 'T1583.006': ('ZIRCONIUM has used GitHub to host malware linked in spearphishing e-mails.'), 'T1583.003': ('HAFNIUM has operated from leased virtual private servers (VPS) in the United States.'), 'T1583.003': ('TEMP.Veles has used Virtual Private Server (VPS) infrastructure.'), 'T1583.003': ('Adversaries may rent Virtual Private Servers (VPSs) that can be used during targeting.'), 'T1583.003': ('Attackers can make it difficult to physically tie back operations to them using a VPS.'), 'T1583.003': ('Adversaries may also acquire infrastructure from VPS service providers that are known for renting VPSs with minimal registration information.'), 'T1583.004': ('GALLIUM has used Taiwan-based servers that appear to be exclusive to GALLIUM.'), 'T1583.004': ('Sandworm Team has leased servers from resellers instead of leasing infrastructure directly from hosting companies to enable its operations.'), 'T1583.004': ('Adversaries may buy, lease, or rent physical servers that can be used during targeting.'), 'T1583.004': ('Famous Sparrow rented servers at Shanghai Ruisu Network Technology and DAOU TECHNOLOGY.'), 'T1583.004': ('Sparkling Goblin uses servers hosted by various providers for its C&C servers.'), 'T1583.001': ('APT1 has registered hundreds of domains for use in operations.'), 'T1583.001': ('APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.'), 'T1583.001': ('APT29 has acquired C2 domains through resellers.'), 'T1583.001': ('APT32 has set up and operated websites to gather information and deliver malware.'), 'T1583.001': ('Kimsuky has registered domains to spoof
targeted organizations and trusted third parties.'), 'T1583.001': ('Lazarus Group has acquired infrastructure related to their campaigns to act as distribution points and C2 channels.'), 'T1583.001': ('menuPass has registered malicious domains for use in intrusion campaigns.'), 'T1583.001': ('Mustang Panda have acquired C2 domains prior to operations.'), 'T1583.001': ('Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites such as email login pages, online file sharing and storage websites, and password reset pages.'), 'T1583.001': ('Silent Librarian has acquired domains to establish credential harvesting pages, often spoofing the target organization and using free top level domains .TK, .ML, .GA, .CF, and .GQ.'), 'T1583.001': ('UNC2452 has acquired C2 domains through resellers.'), 'T1583.001': ('ZIRCONIUM has purchased domains for use in targeted campaigns.'), 'T1583.002': ('Attackers may opt to configure and run their own DNS servers in support of operations.'), 'T1583.002': ('Adversaries may utilize DNS traffic for various tasks including for Command and Control.'), 'T1583.002': ('APT31 will utilize their own DNS server for use when conducting malicious activities.'), 'T1583.002': ('Moses Staff will acquire their own infrastructure, usually domains and DNS.'), 'T1583.002': ('TigerRAT variants can be modified to utilize a threat actor's own DNS infrastructure.'), 'T1583.005': ('Adversaries may compromise numerous third-party systems to form a botnet that can be used during targeting.'), 'T1583.005': ('Attackers may conduct a takeover of an existing botnet such as redirecting bots to adversary-controlled C2 servers.'), 'T1583.005': ('FreakOut attacked POS systems in order to use them as a botnet infrastructure.'), 'T1583.005': ('Mirai malware created a botnet used by multiple threat actor groups.'), 'T1583.005': ('Meris attacked Yandex with DDoS using botnets.'), 'T1587.003': ('APT29 has created self-signed
digital certificates to enable mutual TLS authentication for malware.'), 'T1587.003': ('PROMETHIUM has created self-signed digital certificates for use in HTTPS C2 traffic.'), 'T1587.003': ('Adversaries may create self-signed SSL/TLS certificates that can be used to further their operations, such as encrypting C2 traffic.'), 'T1587.003': ('UNC2190 created self-signed certificates to spread SABBATH ransomware.'), 'T1587.003': ('FIN13 used SSL certificates for C2 communication via email.'), 'T1588.004': ('Lazarus Group has obtained SSL certificates for their C2 domains.'), 'T1588.004': ('Silent Librarian has obtained free Let's Encrypt SSL certificates for use on their phishing pages.'), 'T1588.004': ('Adversaries may buy and/or steal SSL/TLS certificates that can be used during targeting.'), 'T1588.004': ('Certificate authorities exist that allow adversaries to acquire SSL/TLS certificates, such as domain validation certificates, for free.'), 'T1588.004': ('Adversaries may register or hijack domains that they will later purchase an SSL/TLS certificate for.'), 'T1555.005': ('Fox Kitten has used scripts to access credential information from the KeePass database.'), 'T1555.005': ('Operation Wocao has accessed and collected credentials from password managers.'), 'T1555.005': ('Proton gathers credentials in files for 1password.'), 'T1555.005': ('TrickBot can steal passwords from the KeePass open source password manager.'), 'T1555.005': ('MarkiRAT can gather information from the KeePass password manager.'), 'T1550.001': ('APT28 has used several malicious applications that abused OAuth access tokens to gain access to target email accounts, including Gmail and Yahoo Mail.'), 'T1550.001': ('Adversaries may use alternate authentication material, such as password hashes, Kerberos tickets, and application access tokens, in order to move laterally within an environment and bypass normal system access controls.'), 'T1550.001': ('With an OAuth access token an adversary can use the
user-granted REST API to perform functions such as email searching and contact enumeration.'), 'T1550.001': ('Obtaining a token which grants access to a victim's primary email, the adversary may be able to extend access to all other services to which the target subscribes by triggering forgotten password routines.'), 'T1550.001': ('OAuth is one commonly implemented framework that issues tokens to users for access to Software-as-a-Service.'), 'T1059.003': ('4H RAT has the capability to create a remote shell.'), 'T1059.003': ('ABK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.'), 'T1059.003': ('adbupd can run a copy of cmd.exe.'), 'T1059.003': ('Following exploitation with LOWBALL malware, admin@338 actors created a file containing a list of commands to be executed on the compromised computer.'), 'T1059.003': ('ADVSTORESHELL can create a remote shell and run a given command.'), 'T1059.003': ('Anchor has used cmd.exe to run its self deletion routine.'), 'T1059.003': ('APT1 has used the Windows command shell to execute commands, and batch scripting to automate execution.'), 'T1059.003': ('APT18 uses cmd.exe to execute commands on the victim machine.'), 'T1059.003': ('An APT28 loader Trojan uses a cmd.exe and batch script to run its payload. The group has also used macros to execute payloads.'), 'T1059.003': ('APT29 used cmd.exe to execute commands on remote machines.'), 'T1059.003': ('An APT3 downloader uses the Windows command cmd.exe /C whoami. The group also uses a tool to execute commands on remote computers.'), 'T1059.003': ('APT32 has used cmd.exe for execution.'), 'T1059.003': ('APT37 has used the command-line interface.'), 'T1059.003': ('APT38 has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim machine.'), 'T1059.003': ('APT41 used cmd.exe /c to execute commands on remote machines.
APT41 used a batch file to install persistence for the Cobalt Strike BEACON loader.'), 'T1059.003': ('Astaroth spawns a CMD process to execute commands.'), 'T1059.003': ('AuditCred can open a reverse shell on the system to execute commands.'), 'T1059.003': ('BabyShark has used cmd.exe to execute commands.'), 'T1059.003': ('BackConfig can download and run batch files to execute commands on a compromised host.'), 'T1059.003': ('Adversaries can direct BACKSPACE to execute from the command line on infected hosts or have BACKSPACE create a reverse shell.'), 'T1059.003': ('BADNEWS is capable of executing commands via cmd.exe.'), 'T1059.003': ('Bandook is capable of spawning a Windows command shell.'), 'T1059.003': ('Bankshot uses the command-line interface to execute arbitrary commands.'), 'T1059.003': ('Bazar can launch cmd.exe to perform reconnaissance commands.'), 'T1059.003': ('BBK has the ability to use cmd to run a Portable Executable (PE) on the compromised host.'), 'T1059.003': ('BISCUIT has a command to launch a command shell on the system.'), 'T1059.003': ('Bisonal can launch cmd.exe to execute commands on the system.'), 'T1059.003': ('BLACKCOFFEE has the capability to create a reverse shell.'), 'T1059.003': ('BlackMould can run cmd.exe with parameters.'), 'T1059.003': ('BLINDINGCAN has executed commands via cmd.exe.'), 'T1059.003': ('Blue Mockingbird has used batch script files to automate execution and deployment of payloads.'), 'T1059.003': ('BONDUPDATER can read batch commands in a file sent from its C2 server and execute them with cmd.exe.'), 'T1059.003': ('BRONZE BUTLER has used batch scripts and the command-line interface for execution.'), 'T1059.003': ('CALENDAR has a command to run cmd.exe to execute commands.'), 'T1059.003': ('Carbanak has a command to create a reverse shell.'), 'T1059.003': ('Cardinal RAT can execute commands.'), 'T1059.003': ('CARROTBAT has the ability to execute command line arguments on a compromised host.'), 'T1059.003': 
('Caterpillar WebShell can run commands on the compromised asset with CMD functions.'), 'T1059.003': ('Chimera has used the Windows Command Shell and batch scripts for execution on compromised hosts.'), 'T1059.003': ('China Chopper server component is capable of opening a command terminal.'), 'T1059.003': ('cmd is used to execute programs and other actions at the command-line interface.'), 'T1059.003': ('Cobalt Group has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands. The group has used an exploit toolkit known as Threadkit that launches .bat files.'), 'T1059.003': ('Cobalt Strike uses a command-line interface to interact with systems.'), 'T1059.003': ('Cobian RAT can launch a remote command shell interface for executing commands.'), 'T1059.003': ('CoinTicker executes a bash script to establish a reverse shell.'), 'T1059.003': ('Comnie executes BAT scripts.'), 'T1059.003': ('ComRAT has used cmd.exe to execute commands.'), 'T1059.003': ('Conti can utilize command line options to allow an attacker control over how it scans and encrypts files.'), 'T1059.003': ('A module in CozyCar allows arbitrary commands to be executed by invoking C:\Windows\System32\cmd.exe.'), 'T1059.003': ('Dark Caracal has used macros in Word documents that would download a second stage if executed.'), 'T1059.003': ('DarkComet can launch a remote shell to execute commands on the victim machine.'), 'T1059.003': ('Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.'), 'T1059.003': ('Daserf can execute shell commands.'), 'T1059.003': ('DealersChoice makes modifications to open-source scripts from GitHub and executes them on the victim machine.'), 'T1059.003': ('Denis can launch a remote shell to execute arbitrary commands on the victim machine.'), 'T1059.003': ('Dipsind can spawn remote shells.'), 'T1059.003': ('DownPaper uses the command line.'), 'T1059.003': ('Dragonfly 2.0 used various types
of scripting to perform operations including batch scripts.'), 'T1059.003': ('DropBook can execute arbitrary shell commands on victim machines.'), 'T1059.003': ('Dtrack has used cmd.exe to add a persistent service.'), 'T1059.003': ('ECCENTRICBANDWAGON can use cmd to execute commands on a victim machine.'), 'T1059.003': ('Egregor has used batch files for execution and can launch Internet Explorer from cmd.exe.'), 'T1059.003': ('Emissary has the capability to create a remote shell and execute specified commands.'), 'T1059.003': ('Emotet has used cmd.exe to run a PowerShell script.'), 'T1059.003': ('Empire has modules for executing scripts.'), 'T1059.003': ('EvilBunny has an integrated scripting engine to download and execute Lua scripts.'), 'T1059.003': ('Exaramel for Windows has a command to launch a remote shell and executes commands on the victim machine.'), 'T1059.003': ('Felismus uses command line for execution.'), 'T1059.003': ('FELIXROOT executes batch scripts on the victim machine and can launch a reverse shell for command execution.'), 'T1059.003': ('FIN10 has executed malicious .bat files containing PowerShell commands.'), 'T1059.003': ('FIN6 has used kill.bat script to disable security tools.'), 'T1059.003': ('FIN7 used the command prompt to launch commands on the victim machine.'), 'T1059.003': ('FIN8 has used a Batch file to automate frequently executed post compromise cleanup activities. FIN8 executes commands remotely via cmd.exe.'), 'T1059.003': ('Fox Kitten has used cmd.exe likely as a password changing mechanism.'), 'T1059.003': ('Frankenstein has run a command script to set up persistence as a scheduled task named WinUpdate as well as other encoded commands from the command-line.'), 'T1059.003': ('GALLIUM used the Windows command shell to execute commands.'), 'T1059.003': ('Gamaredon Group has used various batch scripts to establish C2 and download additional files.
Gamaredon Group backdoor malware has also been written to a batch file.'), 'T1059.003': ('Gold Dragon uses cmd.exe to execute commands for discovery.'), 'T1059.003': ('GoldenSpy can execute remote commands via the command-line interface.'), 'T1059.003': ('GoldMax can spawn a command shell and execute native commands.'), 'T1059.003': ('Goopy has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.'), 'T1059.003': ('Gorgon Group malware can use cmd.exe to download and execute payloads and to execute commands on the system.'), 'T1059.003': ('GravityRAT executes commands remotely on the infected host.'), 'T1059.003': ('GreyEnergy uses cmd.exe to execute itself in-memory.'), 'T1059.003': ('H1N1 kills and disables services by using cmd.exe.'), 'T1059.003': ('HARDRAIN uses cmd.exe to execute netsh commands.'), 'T1059.003': ('HAWKBALL has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.'), 'T1059.003': ('hcdLoader provides command-line access to the compromised system.'), 'T1059.003': ('Helminth can provide a remote shell. One version of Helminth uses batch scripting.'), 'T1059.003': ('Hi-Zor has the ability to create a reverse shell.'), 'T1059.003': ('HiddenWasp uses a script to automate tasks on the victim machine and to assist in execution.'), 'T1059.003': ('Higaisa used cmd.exe for execution.'), 'T1059.003': ('Hikit has the ability to create a remote shell and run given commands.'), 'T1059.003': ('HOMEFRY uses a command-line interface.'), 'T1059.003': ('Several commands are supported by the Honeybee implant via the command-line interface, and there is also a utility to execute any custom command on an infected endpoint.
Honeybee used batch scripting.'), 'T1059.003': ('HOPLIGHT can launch cmd.exe to execute commands on the system.'), 'T1059.003': ('HotCroissant can remotely open applications on the infected host with the ShellExecuteA command.'), 'T1059.003': ('HTTPBrowser is capable of spawning a reverse shell on a victim.'), 'T1059.003': ('httpclient opens cmd.exe on the victim.'), 'T1059.003': ('Indrik Spider has used batch scripts on victim machines.'), 'T1059.003': ('InnaputRAT launches a shell to execute commands on the victim machine.'), 'T1059.003': ('InvisiMole can launch a remote shell to execute commands.'), 'T1059.003': ('Ixeshe is capable of executing commands via cmd.'), 'T1059.003': ('JCry has used cmd.exe to launch PowerShell.'), 'T1059.003': ('JHUHUGIT uses a .bat file to execute a .dll.'), 'T1059.003': ('JPIN can use the command-line utility cacls.exe to change file permissions.'), 'T1059.003': ('jRAT has command line access.'), 'T1059.003': ('Kasidet can execute commands using cmd.exe.'), 'T1059.003': ('Kazuar uses cmd.exe to execute commands on the victim machine.'), 'T1059.003': ('Ke3chang has used batch scripts in its malware to install persistence mechanisms.'), 'T1059.003': ('KeyBoy can launch interactive shells for communicating with the victim machine.'), 'T1059.003': ('KEYMARBLE can execute shell commands using cmd.exe.'), 'T1059.003': ('KGH_SPY has the ability to set a Registry key to run a cmd.exe command.'), 'T1566.002': ('AppleJeus has been distributed via spearphishing link.'), 'T1566.002': ('APT1 has sent spearphishing emails containing hyperlinks to malicious files.'), 'T1566.002': ('APT28 sent spearphishing emails which used a URL-shortener service to masquerade as a legitimate service and to redirect targets to credential harvesting sites.'), 'T1566.002': ('APT29 has used spearphishing with a link to trick victims into clicking on a link to a zip file containing malicious files.'), 'T1566.002': ('APT32 has sent spearphishing emails
containing malicious links.'), 'T1566.002': ('APT33 has sent spearphishing emails containing links to .hta files.'), 'T1566.002': ('APT39 leveraged spearphishing emails with malicious links to initially compromise victims.'), 'T1566.002': ('Bazar has been spread via e-mails with embedded malicious links.'), 'T1566.002': ('BlackTech has used spearphishing e-mails with links to cloud services to deliver malware.'), 'T1566.002': ('Cobalt Group has sent emails with URLs pointing to malicious documents.'), 'T1566.002': ('Dragonfly 2.0 used spearphishing with PDF attachments containing malicious links that redirected to credential harvesting websites.'), 'T1566.002': ('Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing a link to malicious content hosted on an uncommon Web server.'), 'T1566.002': ('Emotet has been delivered by phishing emails containing links.'), 'T1566.002': ('Evilnum has sent spearphishing emails containing a link to a zip file hosted on Google Drive.'), 'T1566.002': ('FIN4 has used spearphishing emails (often sent from compromised accounts) containing malicious links.'), 'T1566.002': ('FIN8 has distributed targeted emails containing links to malicious documents with embedded macros.'), 'T1566.002': ('Grandoreiro has been spread via malicious links embedded in e-mails.'), 'T1566.002': ('GuLoader has been spread in phishing campaigns using malicious web links.'), 'T1566.002': ('Hancitor has been delivered via phishing emails which contained malicious links.'), 'T1566.002': ('Javali has been delivered via malicious links embedded in e-mails.'), 'T1566.002': ('Kerrdown has been distributed via e-mails containing a malicious link.'), 'T1566.002': ('Kimsuky has used an email containing a link to a document that contained malicious macros.'), 'T1566.002': ('Leviathan has sent spearphishing emails with links often using a fraudulent lookalike domain and stolen branding.'), 'T1566.002': ('Machete has sent phishing 
emails that contain a link to an external server with ZIP and RAR archives.'), 'T1566.002': ('Magic Hound sent shortened URL links over email to victims. The URLs linked to Word documents with malicious macros that execute PowerShell scripts to download Pupy.'), 'T1566.002': ('Melcoz has been spread through malicious links embedded in e-mails.'), 'T1566.002': ('Mofang delivered spearphishing emails with malicious links included.'), 'T1566.002': ('Molerats has sent phishing emails with malicious links included.'), 'T1566.002': ('MuddyWater has sent targeted spearphishing e-mails with malicious links.'), 'T1566.002': ('Mustang Panda has delivered spearphishing links to their target.'), 'T1566.002': ('NETWIRE has been spread via e-mail campaigns utilizing malicious links.'), 'T1566.002': ('Night Dragon sent spearphishing emails containing links to compromised websites where malware was downloaded.'), 'T1566.002': ('OilRig has sent spearphishing emails with malicious links to potential victims.'), 'T1566.002': ('Patchwork has used spearphishing with links to deliver files with exploits to initial victims.
The group has also used embedded image tags (known as web bugs) with unique per-recipient tracking links in their emails for the purpose of identifying which recipients opened messages.'), 'T1566.002': ('Pony has been delivered via spearphishing emails which contained malicious links.'), 'T1566.002': ('Sandworm Team has crafted phishing emails containing malicious hyperlinks.'), 'T1566.002': ('Sidewinder has sent e-mails with malicious links, often crafted for specific targets.'), 'T1566.002': ('Stolen Pencil sent spearphishing emails containing links to domains controlled by the threat actor.'), 'T1566.002': ('TA505 has sent spearphishing emails containing malicious links.'), 'T1566.002': ('TrickBot has been delivered via malicious links in phishing e-mails.'), 'T1566.002': ('Turla attempted to trick targets into clicking on a link featuring a seemingly legitimate domain from Adobe.com to download their malware and gain initial access.'), 'T1566.002': ('Valak has been delivered via malicious links in e-mail.'), 'T1566.002': ('Windshift has sent spearphishing emails with links to harvest credentials and deliver malware.'), 'T1566.002': ('Wizard Spider has sent phishing emails containing a link to an actor-controlled Google Drive document or other free online file hosting services.'), 'T1566.002': ('ZIRCONIUM has used malicious links and web beacons in e-mails for malware download and to track hits to attacker-controlled URLs.'), 'T1606.002': ('APT29 created tokens using compromised SAML signing certificates.'), 'T1606.002': ('UNC2452 created tokens using compromised SAML signing certificates.'), 'T1606.002': ('Supply chain breaches such as SolarWinds are partially exploited via forged credentials that obtain access, such as the forging of SAML tokens.'), 'T1606.002': ('APT30 can break single sign on (SSO) if it is SAML v2.0 through the forgery of SAML tokens.'), 'T1606.002': ('Threat actors can change the normal 1 hour limit upon the legitimacy of a token through
accessing the AccessTokenLifetime element.'), 'T1555.003': ('Agent Tesla can gather credentials from a number of browsers.'), 'T1555.003': ('Ajax Security Team has used FireMalv custom-developed malware which collected passwords from the Firefox browser storage.'), 'T1555.003': ('APT3 has used tools to dump passwords from browsers.'), 'T1555.003': ('APT33 has used a variety of publicly available tools like LaZagne to gather credentials.'), 'T1555.003': ('APT37 has used a credential stealer known as ZUMKONG that can harvest usernames and passwords stored in browsers.'), 'T1555.003': ('Azorult can steal credentials from the victim browser.'), 'T1555.003': ('Some Backdoor.Oldrea samples contain a publicly available Web browser password recovery tool.'), 'T1555.003': ('BlackEnergy has used a plug-in to gather credentials from web browsers including FireFox Google Chrome and Internet Explorer.'), 'T1555.003': ('Carberp passw.plug plugin can gather passwords saved in Opera Internet Explorer Safari Firefox and Chrome.'), 'T1555.003': ('ChChes steals credentials stored inside Internet Explorer.'), 'T1555.003': ('CookieMiner can steal saved usernames and passwords in Chrome as well as credit card credentials.'), 'T1555.003': ('CosmicDuke collects user credentials including passwords for various programs including Web browsers.'), 'T1555.003': ('Crimson contains a module to steal credentials from Web browsers on the victim machine.'), 'T1555.003': ('Emotet has been observed dropping browser password grabber modules.'), 'T1555.003': ('Empire can use modules that extract passwords from common web browsers such as Firefox and Chrome.'), 'T1555.003': ('FIN6 has used the Stealer One credential stealer to target web browsers.'), 'T1555.003': ('Grandoreiro can steal cookie data and credentials from Google Chrome.'), 'T1555.003': ('H1N1 dumps usernames and passwords from Firefox Internet Explorer and Outlook.'), 'T1555.003': ('Imminent Monitor has a PasswordRecoveryPacket module for 
recovering browser passwords.'), 'T1555.003': ('Inception used a browser plugin to steal passwords and sessions from Internet Explorer Chrome Opera Firefox Torch and Yandex.'), 'T1555.003': ('Javali can capture login credentials from open browsers including Firefox Chrome Internet Explorer and Edge.'), 'T1555.003': ('jRAT can capture passwords from common web browsers such as Internet Explorer Google Chrome and Firefox.'), 'T1555.003': ('KeyBoy attempts to collect passwords from browsers.'), 'T1555.003': ('KGH_SPY has the ability to steal data from the Chrome Edge Firefox Thunderbird and Opera browsers.'), 'T1555.003': ('Kimsuky has used browser extensions including Google Chrome to steal passwords and cookies from browsers.'), 'T1555.003': ('KONNI can steal profiles (containing credential information) from Firefox Chrome and Opera.'), 'T1555.003': ('LaZagne can obtain credentials from web browsers such as Google Chrome Internet Explorer and Firefox.'), 'T1555.003': ('Leafminer used several tools for retrieving login and password information including LaZagne.'), 'T1555.003': ('Lokibot has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers.'), 'T1555.003': ('Machete collects stored credentials from several web browsers.'), 'T1555.003': ('Melcoz has the ability to steal credentials from web browsers.'), 'T1555.003': ('Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. 
It contains functionality to acquire information about credentials in many ways, including from DPAPI.'), 'T1555.003': ('Molerats used the public tool BrowserPasswordDump10 to dump passwords saved in browsers on victims.'), 'T1555.003': ('MuddyWater has run tools including Browser64 to steal passwords saved in victim web browsers.'), 'T1555.003': ('NETWIRE has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome.'), 'T1555.003': ('njRAT has a module that steals passwords saved in victim web browsers.'), 'T1555.003': ('OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access. OilRig has also used a tool named PICKPOCKET to dump passwords from web browsers.'), 'T1555.003': ('OLDBAIT collects credentials from Internet Explorer, Mozilla Firefox, and Eudora.'), 'T1555.003': ('Olympic Destroyer contains a module that tries to obtain stored credentials from web browsers.'), 'T1555.003': ('Patchwork dumped the login data database from \AppData\Local\Google\Chrome\User Data\Default\Login Data.'), 'T1555.003': ('PinchDuke steals credentials from compromised hosts. PinchDuke credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch).
Credentials targeted by PinchDuke include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer.'), 'T1555.003': ('PLEAD has the ability to steal saved credentials from web browsers.'), 'T1555.003': ('PoetRAT has used a Python tool named Browdec.exe to steal browser credentials.'), 'T1555.003': ('A module in Prikormka gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers.'), 'T1555.003': ('Proton gathers credentials for Google Chrome.'), 'T1555.003': ('Pupy can use Lazagne for harvesting credentials.'), 'T1555.003': ('QuasarRAT can obtain passwords from common web browsers.'), 'T1555.003': ('RedLeaves can gather browser usernames and passwords.'), 'T1555.003': ('ROKRAT steals credentials stored in Web browsers by querying the sqlite database.'), 'T1555.003': ('Sandworm Team CredRaptor tool can collect saved passwords from various internet browsers.'), 'T1555.003': ('Smoke Loader searches for credentials stored from web browsers.'), 'T1555.003': ('Stealth Falcon malware gathers passwords from multiple sources, including Internet Explorer, Firefox, and Chrome.'), 'T1555.003': ('Stolen Pencil has used tools that are capable of obtaining credentials from web browsers.'), 'T1555.003': ('TA505 has used malware to gather credentials from Internet Explorer.'), 'T1555.003': ('TrickBot can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using esentutl.'), 'T1555.003': ('Trojan.Karagany can steal data and credentials from browsers.'), 'T1555.003': ('TSCookie has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers.'), 'T1555.003': ('Unknown Logger is capable of stealing usernames and passwords from browsers on the victim machine.'), 'T1555.003': ('XAgentOSX contains the getFirefoxPassword function to attempt to locate Firefox
passwords.'), 'T1555.003': ('Zebrocy has the capability to upload dumper tools that extract credentials from web browsers and store them in database files.'), 'T1555.003': ('ZIRCONIUM has used a tool to steal credentials from installed web browsers including Microsoft Internet Explorer and Google Chrome.'), 'T1550.004': ('APT29 used a forged duo-sid cookie to bypass MFA set on an email account.'), 'T1550.004': ('UNC2452 used a forged duo-sid cookie to bypass MFA set on an email account.'), 'T1550.004': ('Attackers bypass some multi-factor authentication protocols since the session is already authenticated.'), 'T1550.004': ('Threat actors may have used browser cookies to defeat MFA with a pass-the-cookie attack.'), 'T1550.004': ('SolarWinds attackers bypassed MFA to obtain access on multiple target networks.'), 'T1553.005': ('TA505 has used .iso files to deploy malicious .lnk files.'), 'T1553.005': ('Adversaries may abuse specific file formats to subvert Mark-of-the-Web (MOTW) controls.'), 'T1553.005': ('Attackers use ZIP archives to disseminate malware, bypassing security controls.'), 'T1553.005': ('Maldocs often abuse MOTW policies to get users to run macros and ActiveX controls.'), 'T1553.005': ('Adversaries bypass Microsoft SmartScreen using archive files that do not have MOTW NTFS streams.'), 'T1087.001': ('admin@338 actors used the following commands following exploitation of a machine with LOWBALL malware to enumerate user accounts: net user >> %temp%\download net user /domain >> %temp%\download'), 'T1087.001': ('Agent Tesla can collect account information from the victim machine.'), 'T1087.001': ('APT1 used the commands net localgroup, net user, and net group to find accounts on the system.'), 'T1087.001': ('APT3 has used a tool that can obtain info about local and global group users, power users, and administrators.'), 'T1087.001': ('APT32 enumerated administrative users using the commands net localgroup administrators.'), 'T1087.001': ('Bankshot gathers domain and
account names information through process monitoring.'), 'T1087.001': ('Bazar can identify administrator accounts on an infected host.'), 'T1087.001': ('BitPaymer can enumerate the sessions for each user logged onto the infected host.'), 'T1087.001': ('BloodHound can identify users with local administrator rights.'), 'T1087.001': ('Chimera has used net user for account discovery.'), 'T1087.001': ('Comnie uses the net user command.'), 'T1087.001': ('The discovery modules used with Duqu can collect information on accounts and permissions.'), 'T1087.001': ('Elise executes net user after initial communication is made to the remote server.'), 'T1087.001': ('Empire can acquire local and domain user account information.'), 'T1087.001': ('Epic gathers a list of all user accounts, privilege classes, and time of last logon.'), 'T1087.001': ('Fox Kitten has accessed ntuser.dat and UserClass.dat on compromised hosts.'), 'T1087.001': ('GeminiDuke collects information on local user accounts from the victim.'), 'T1087.001': ('HyperStack can enumerate all account names on a remote share.'), 'T1087.001': ('InvisiMole has a command to list account information on the victim machine.'), 'T1087.001': ('Kazuar gathers information on local groups and members on the victim machine.'), 'T1087.001': ('Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.'), 'T1087.001': ('Kwampirs collects a list of accounts with the command net users.'), 'T1087.001': ('Mis-Type may create a file containing the results of the command cmd.exe /c net user {Username}.'), 'T1087.001': ('MURKYTOP has the capability to retrieve information about users on remote hosts.'), 'T1087.001': ('Commands under net user can be used in Net to gather information about and manipulate user accounts.'), 'T1087.001': ('OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to
get account listings on a victim.'), 'T1087.001': ('OSInfo enumerates local and domain users.'), 'T1087.001': ('P.A.S. Webshell can display the /etc/passwd file on a compromised host.'), 'T1087.001': ('Pony has used the NetUserEnum function to enumerate local accounts.'), 'T1087.001': ('Poseidon Group searches for administrator accounts on both the local victim machine and the network.'), 'T1087.001': ('PoshC2 can enumerate local and domain user account information.'), 'T1087.001': ('PowerSploit Get-ProcessTokenGroup Privesc-PowerUp module can enumerate all SIDs associated with its current token.'), 'T1087.001': ('POWERSTATS can retrieve usernames from compromised hosts.'), 'T1087.001': ('PUNCHBUGGY can gather user names.'), 'T1087.001': ('Pupy uses PowerView and Pywerview to perform discovery commands such as net user, net group, net local group, etc.'), 'T1087.001': ('RATANKBA uses the net user command.'), 'T1087.001': ('Remsec can obtain a list of users.'), 'T1087.001': ('S-Type runs the command net user on a victim.
S-Type also runs tests to determine the privilege level of the compromised user.'),
'T1087.001': ('SHOTPUT has a command to retrieve information about connected users.'),
'T1087.001': ('SoreFang can collect usernames from the local system via net.exe user.'),
'T1087.001': ('Threat Group-3390 has used net user to conduct internal discovery of systems.'),
'T1087.001': ('TrickBot collects the users of the system.'),
'T1087.001': ('Turla has used net user to enumerate local accounts on the system.'),
'T1087.001': ('USBferry can use net user to gather information about local accounts.'),
'T1087.001': ('Valak has the ability to enumerate local admin accounts.'),
'T1546.003': ('adbupd can use a WMI script to achieve persistence.'),
'T1546.003': ('APT29 has used WMI event subscriptions for persistence.'),
'T1546.003': ('APT33 has attempted to use WMI event subscriptions to establish persistence on compromised hosts.'),
'T1546.003': ('Blue Mockingbird has used mofcomp.exe to establish WMI Event Subscription persistence mechanisms configured from a *.mof file.'),
'T1546.003': ('Leviathan has used WMI for persistence.'),
'T1546.003': ('The Mustang Panda custom tool ORat uses a WMI event consumer to maintain persistence.'),
'T1546.003': ('PoshC2 has the ability to persist on a system using WMI events.'),
'T1546.003': ('POSHSPY uses a WMI event subscription to establish persistence.'),
'T1546.003': ('POWERTON can use WMI for persistence.'),
'T1546.003': ('RegDuke can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started.'),
'T1546.003': ('SeaDuke uses an event filter in WMI code to execute a previously dropped executable shortly after system startup.'),
'T1546.003': ('Turla has used WMI event filters and consumers to establish persistence.'),
'T1546.003': ('UNC2452 used WMI event subscriptions for persistence.'),
'T1547.009': ('APT29 drops a Windows shortcut file for execution.'),
'T1547.009': ('APT39 has modified LNK shortcuts.'),
'T1547.009': 
('The initial Astaroth payload is a malicious .LNK file.'),
'T1547.009': ('BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.'),
'T1547.009': ('Bazar can establish persistence by writing shortcuts to the Windows Startup folder.'),
'T1547.009': ('The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.'),
'T1547.009': ('Comnie establishes persistence via a .lnk file in the victim startup path.'),
'T1547.009': ('Darkhotel has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.'),
'T1547.009': ('Dragonfly 2.0 manipulated .lnk files to gather user credentials in conjunction with Forced Authentication.'),
'T1547.009': ('Empire can persist by modifying a .LNK file to include a backdoor.'),
'T1547.009': ('FELIXROOT creates a .LNK file for persistence.'),
'T1547.009': ('Gazer can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe.'),
'T1547.009': ('Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.'),
'T1547.009': ('Grandoreiro can write or modify browser shortcuts to enable launching of malicious browser extensions.'),
'T1547.009': ('Helminth establishes persistence by creating a shortcut.'),
'T1547.009': ('InvisiMole can use a .lnk shortcut for the Control Panel to establish persistence.'),
'T1547.009': ('Kazuar adds a .lnk file to the Windows startup folder.'),
'T1547.009': ('A version of KONNI drops a Windows shortcut on the victim machine to establish persistence.'),
'T1547.009': ('A Lazarus Group malware sample adds persistence on the system by creating a shortcut in the user Startup folder.'),
'T1547.009': ('Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.'),
'T1547.009': ('Micropsia creates a shortcut to maintain
persistence.'),
'T1547.009': ('Okrum can establish persistence by creating a .lnk shortcut to itself in the Startup folder.'),
'T1547.009': ('Reaver creates a shortcut file and saves it in a Startup folder to establish persistence.'),
'T1547.009': ('RedLeaves attempts to add a shortcut file in the Startup folder to achieve persistence.'),
'T1547.009': ('RogueRobin establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in.'),
'T1547.009': ('S-Type may create the file %HOMEPATH%\Start Menu\Programs\Startup\Realtek {Unique Identifier}.lnk, which points to the malicious msdtc.exe file already created in the CommonFiles directory.'),
'T1547.009': ('SeaDuke is capable of persisting via a .lnk file stored in the Startup directory.'),
'T1547.009': ('SHIPSHAPE achieves persistence by creating a shortcut in the Startup folder.'),
'T1547.009': ('SPACESHIP achieves persistence by creating a shortcut in the current user Startup folder.'),
'T1547.009': ('To establish persistence SslMM identifies the Start Menu Startup directory and drops a link to its own executable disguised as an "Office Start", "Yahoo Talk", "MSN Gaming Z0ne", or "MSN Talk" shortcut.'),
'T1547.009': ('TinyZBot can create a shortcut in the Windows startup folder for persistence.'),
'T1552.001': ('Agent Tesla has the ability to extract credentials from configuration or support files.'),
'T1552.001': ('APT3 has a tool that can locate credentials in files on the file system such as those from Firefox or Chrome.'),
'T1552.001': ('APT33 has used a variety of publicly available tools like LaZagne to gather credentials.'),
'T1552.001': ('Azorult can steal credentials in files belonging to common software such as Skype, Telegram, and Steam.'),
'T1552.001': ('BlackEnergy has used a plug-in to gather credentials stored in files on the host by various software programs including The Bat!
email client, Outlook, and Windows Credential Store.'),
'T1552.001': ('Emotet has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user.'),
'T1552.001': ('Empire can use various modules to search for files containing passwords.'),
'T1552.001': ('Fox Kitten has accessed files to gain valid credentials.'),
'T1552.001': ('Hildegard has searched for SSH keys, Docker credentials, and Kubernetes service tokens.'),
'T1552.001': ('jRAT can capture passwords from common chat applications such as MSN Messenger, AOL Instant Messenger, and Google Talk.'),
'T1552.001': ('LaZagne can obtain credentials from chats, databases, mail, and WiFi.'),
'T1552.001': ('Leafminer used several tools for retrieving login and password information including LaZagne.'),
'T1552.001': ('MuddyWater has run a tool that steals passwords saved in victim email.'),
'T1552.001': ('OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.'),
'T1552.001': ('If an initial connectivity check fails, pngdowner attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store.
This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access.'),
'T1552.001': ('PoshC2 contains modules for searching for passwords in local and remote files.'),
'T1552.001': ('Pupy can use LaZagne for harvesting credentials.'),
'T1552.001': ('Pysa has extracted credentials from the password database before encrypting the files.'),
'T1552.001': ('QuasarRAT can obtain passwords from FTP clients.'),
'T1552.001': ('Smoke Loader searches for files named logins.json to parse for credentials.'),
'T1552.001': ('Stolen Pencil has used tools that are capable of obtaining credentials from saved mail.'),
'T1552.001': ('TA505 has used malware to gather credentials from FTP clients and Outlook.'),
'T1552.001': ('TrickBot can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN, and WinSCP. Additionally it searches for the .vnc.lnk suffix to steal VNC credentials.'),
'T1552.001': ('XTunnel is capable of accessing locally stored passwords on victims.'),
'T1552.007': ('Limit communications with the container service to local Unix sockets or remote access via SSH.'),
'T1552.007': ('Require secure port access to communicate with the APIs over TLS by disabling unauthenticated access to the Docker API and Kubernetes API Server.'),
'T1552.007': ('Deny direct remote access to internal systems through the use of network proxies, gateways, and firewalls.'),
'T1552.007': ('Use the principle of least privilege for privileged accounts such as the service account in Kubernetes.'),
'T1552.007': ('An adversary may access the Docker API to collect logs that contain credentials to cloud, container, and various other resources in the environment.'),
'T1053.007': ('Ensure containers are not running as root by default.'),
'T1053.007': ('Limit privileges of user accounts and remediate privilege escalation vectors so only authorized administrators can create container orchestration jobs.'),
'T1053.007': 
('Threat actors can create clusters of containers to maintain persistence.'),
'T1053.007': ('Ransomware such as DarkMatter can utilize containers to schedule the execution of the encryption payload.'),
'T1053.007': ('APT23 abuses container orchestration platforms such as Kubernetes to repeatedly execute malicious code.'),
'T1204.003': ('TeamTNT relies on users to download and execute malicious Docker images.'),
'T1204.003': ('TigerDownloader can be modified to be executed once a user is tricked into downloading a malicious AWS image.'),
'T1204.003': ('DarkSide ransomware can be executed once a user downloads a malicious GCP image.'),
'T1204.003': ('Persistence can be maintained via backdoor installations through the medium of malicious Docker images.'),
'T1204.003': ('REvil ransomware can install itself once a user downloads an image that has been modified to contain malicious functionality.'),
'T1110.003': ('APT28 has used brute-force password-spray tooling that operated in two modes: in password-spraying mode it conducted approximately four authentication attempts per hour per targeted account over the course of several days or weeks.'),
'T1110.003': ('APT33 has used password spraying to gain access to target systems.'),
'T1110.003': ('Chimera has used multiple password spraying attacks against victim remote services to obtain valid user and administrator accounts.'),
'T1110.003': ('CrackMapExec can brute force credential authentication by using a supplied list of usernames and a single password.'),
'T1110.003': ('Lazarus Group malware attempts to connect to Windows shares for lateral movement by using a generated list of usernames which center around permutations of the username Administrator and weak passwords.'),
'T1110.003': ('Leafminer used a tool called Total SMB BruteForcer to perform internal password spraying.'),
'T1110.003': ('Linux Rabbit brute forces SSH passwords in order to attempt to gain access and install its malware onto the server.'),
'T1110.003': 
('MailSniper can be used for password spraying against Exchange and Office 365.'),
'T1110.003': ('Silent Librarian has used collected lists of names and e-mail accounts to use in password spraying attacks against private sector targets.'),
'T1110.004': ('Chimera has used credential stuffing against victim remote services to obtain valid accounts.'),
'T1110.004': ('TrickBot uses a brute-force attack against RDP with its rdpscanDll module.'),
'T1110.004': ('APT22 uses credential stuffing to enumerate the number of compromised accounts they can access.'),
'T1110.004': ('Skimmers such as those utilised by Magecart will often use credential stuffing to access multiple user accounts across multiple ecommerce websites.'),
'T1110.004': ('Credential stuffing is a technique often used by threat actors to gain access to new accounts, whose trust they can then abuse to assist in social engineering attacks.'),
'T1110.004': ('Ransomware such as REvil can credential stuff to gain access to more valid accounts before moving laterally and vertically within the network.'),
'T1110.004': ('Threat actors can credential stuff to gain access to user accounts if those users reuse passwords.'),
'T1078.001': ('HyperStack can use default credentials to connect to IPC$ shares on remote machines.'),
'T1078.001': ('Stuxnet infected WinCC machines via a hardcoded database server password.'),
'T1078.001': ('Threat actors targeting government sectors will abuse default guest and administrator accounts on older Windows OS versions to gain initial access.'),
'T1078.001': ('APT40 abuses default administrator accounts for initial access.'),
'T1078.001': ('Certain Cobalt Strike beacons can maintain persistence via access to default administrator accounts.'),
'T1078.003': ('APT32 has used legitimate local admin account credentials.'),
'T1078.003': ('Cobalt Strike can use known credentials to run commands and spawn processes as a local user account.'),
'T1078.003': ('Emotet can brute force a local admin password, then use
it to facilitate lateral movement.'),
'T1078.003': ('FIN10 has moved laterally using the Local Administrator account.'),
'T1078.003': ('HAFNIUM has used the NT AUTHORITY\SYSTEM account to create files on Exchange servers.'),
'T1078.003': ('NotPetya can use valid credentials with PsExec or wmic to spread itself to remote systems.'),
'T1078.003': ('Operation Wocao has used local account credentials found during the intrusion for lateral movement and privilege escalation.'),
'T1078.003': ('PROMETHIUM has created admin accounts on a compromised host.'),
'T1078.003': ('Stolen Pencil has a tool to add a Windows admin account in order to allow them to ensure continued access via RDP.'),
'T1078.003': ('Tropic Trooper has used known administrator account credentials to execute the backdoor directly.'),
'T1078.003': ('Turla has abused local accounts that have the same password across the victim network.'),
'T1078.003': ('Umbreon creates valid local users to provide access to the system.'),
'T1566.001': ('admin@338 has sent emails with malicious Microsoft Office documents attached.'),
'T1566.001': ('The primary delivery mechanism for Agent Tesla is through email phishing messages.'),
'T1566.001': ('Ajax Security Team has used personalized spearphishing attachments.'),
'T1566.001': ('APT-C-36 has used spearphishing emails with password protected RAR attachments to avoid being detected by the email gateway.'),
'T1566.001': ('APT1 has sent spearphishing emails containing malicious attachments.'),
'T1566.001': ('APT12 has sent emails with malicious Microsoft Office documents and PDFs attached.'),
'T1566.001': ('APT19 sent spearphishing emails with malicious attachments in RTF and XLSM formats to deliver initial exploits.'),
'T1566.001': ('APT28 sent spearphishing emails containing malicious Microsoft Office and RAR attachments.'),
'T1566.001': ('APT29 has used spearphishing emails with an attachment to deliver files with exploits to initial victims.'),
'T1566.001': 
('APT30 has used spearphishing emails with malicious DOC attachments.'),
'T1566.001': ('APT32 has sent spearphishing emails with a malicious executable disguised as a document or spreadsheet.'),
'T1566.001': ('APT33 has sent spearphishing e-mails with archive attachments.'),
'T1566.001': ('APT37 delivers malware using spearphishing emails with malicious HWP attachments.'),
'T1566.001': ('APT39 leveraged spearphishing emails with malicious attachments to initially compromise victims.'),
'T1566.001': ('APT41 sent spearphishing emails with attachments such as compiled HTML (.chm) files to initially compromise their victims.'),
'T1566.001': ('BlackTech has used spearphishing e-mails with malicious documents to deliver malware.'),
'T1566.001': ('BLINDINGCAN has been delivered by phishing emails containing malicious Microsoft Office documents.'),
'T1566.001': ('BRONZE BUTLER used spearphishing emails with malicious Microsoft Word attachments to infect victims.'),
'T1566.001': ('Cobalt Group has sent spearphishing emails with various attachment types to corporate and personal email accounts of victim organizations. Attachment types have included .rtf, .doc, .xls, archives containing LNK files, and password protected archives containing .exe and .scr executables.'),
'T1566.001': ('Darkhotel has sent spearphishing emails with malicious RAR and .LNK attachments.'),
'T1566.001': ('DarkHydrus has sent spearphishing emails with password-protected RAR archives containing malicious Excel Web Query files (.iqy).
The group has also sent spearphishing emails that contained malicious Microsoft Office documents that use the attachedTemplate technique to load a template from a remote server.'),
'T1566.001': ('Dragonfly 2.0 used spearphishing with Microsoft Office attachments to target victims.'),
'T1566.001': ('Elderwood has delivered zero-day exploits and malware to victims via targeted emails containing malicious attachments.'),
'T1566.001': ('Emotet has been delivered by phishing emails containing attachments.'),
'T1566.001': ('FIN4 has used spearphishing emails containing attachments (which are often stolen legitimate documents sent from compromised accounts) with embedded malicious macros.'),
'T1566.001': ('FIN6 has targeted victims with e-mails containing malicious attachments.'),
'T1566.001': ('FIN7 sent spearphishing emails with either malicious Microsoft Documents or RTF files attached.'),
'T1566.001': ('FIN8 has distributed targeted emails containing Word documents with embedded malicious macros.'),
'T1566.001': ('Frankenstein has used spearphishing emails to send trojanized Microsoft Word documents.'),
'T1566.001': ('Gallmaker sent emails with malicious Microsoft Office documents attached.'),
'T1566.001': ('Gamaredon Group has delivered spearphishing emails with malicious attachments to targets.'),
'T1566.001': ('Gorgon Group sent emails to victims with malicious Microsoft Office documents attached.'),
'T1566.001': ('Hancitor has been delivered via phishing emails with malicious attachments.'),
'T1566.001': ('Higaisa has sent spearphishing emails containing malicious attachments.'),
'T1566.001': ('IcedID has been delivered via phishing e-mails with malicious attachments.'),
'T1566.001': ('Inception has used weaponized documents attached to spearphishing emails for reconnaissance and initial compromise.'),
'T1566.001': ('Javali has been delivered as malicious e-mail attachments.'),
'T1566.001': ('Kerrdown has been distributed through malicious e-mail attachments.'),
'T1566.001': ('Kimsuky has used emails containing Word, Excel, and/or HWP (Hangul Word Processor) documents in their spearphishing campaigns.'),
'T1566.001': ('Lazarus Group has targeted victims with spearphishing emails containing malicious Microsoft Word documents.'),
'T1566.001': ('Leviathan has sent spearphishing emails with malicious attachments including .rtf, .doc, and .xls files.'),
'T1566.001': ('Machete has delivered spearphishing emails that contain a zipped file with malicious contents.'),
'T1566.001': ('menuPass has sent malicious Office documents via email as part of spearphishing campaigns, as well as executables disguised as documents.'),
'T1566.001': ('Metamorfo has been delivered to victims via emails containing malicious HTML attachments.'),
'T1566.001': ('Mofang delivered spearphishing emails with malicious documents, PDFs, or Excel files attached.'),
'T1566.001': ('Molerats has sent phishing emails with malicious Microsoft Word and PDF attachments.'),
'T1566.001': ('MuddyWater has compromised third parties and used compromised accounts to send spearphishing emails with targeted attachments to recipients.'),
'T1566.001': ('Mustang Panda has used spearphishing attachments to deliver initial access payloads.'),
'T1566.001': ('Naikon has used malicious e-mail attachments to deliver malware.'),
'T1566.001': ('NETWIRE has been spread via e-mail campaigns utilizing malicious attachments.'),
'T1566.001': ('OceanSalt has been delivered via spearphishing emails with Microsoft Office attachments.'),
'T1566.001': ('OilRig has sent spearphishing emails with malicious attachments to potential victims using compromised and/or spoofed email accounts.'),
'T1566.001': ('Patchwork has used spearphishing with an attachment to deliver files with exploits to initial victims.'),
'T1566.001': ('PLATINUM has sent spearphishing emails with attachments to victims as its primary initial access vector.'),
'T1566.001': ('PoetRAT was distributed via malicious Word documents.'),
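The T1566.001 entries above keep returning to the same few delivery patterns: Office and RTF documents, .iqy and .chm files, LNK shortcuts hidden in archives, and password-protected archives that the mail gateway cannot open. The Python below is an added example, not code from this corpus or from any group or tool it names. It parses one message, flags high-risk attachment types, opens ZIP attachments by signature rather than by extension, and reports members whose encryption flag is set. The message, addresses and file names are constructed for the demo, and the `_mark_encrypted` helper only sets the header flag bit because Python's zipfile cannot write encrypted archives.

```python
"""Triage e-mail attachments against the delivery patterns listed above (T1566.001)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment types named in the procedure examples above (RTF, Office, .iqy, .chm, LNK,
# .exe/.scr), plus script types that mail gateways usually treat the same way.
HIGH_RISK_EXT = {".lnk", ".exe", ".scr", ".chm", ".iqy", ".hta", ".js", ".vbs",
                 ".rtf", ".doc", ".xls", ".docm", ".xlsm"}


def _ext(name: str) -> str:
    name = name.lower()
    return name[name.rfind("."):] if "." in name else ""


def inspect_zip(data: bytes) -> list:
    """List (member_name, encrypted) for a ZIP blob without extracting anything.
    General-purpose flag bit 0 marks a password-protected member; a gateway that
    cannot open it has to fall back on the member name alone."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [(zi.filename, bool(zi.flag_bits & 0x1)) for zi in zf.infolist()]


def triage_message(raw: bytes) -> list:
    """Return (attachment_name, reason) findings for one RFC 5322 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "<unnamed>"
        payload = part.get_payload(decode=True) or b""
        if _ext(name) in HIGH_RISK_EXT:
            findings.append((name, f"high-risk attachment type {_ext(name)}"))
        # Decide by magic bytes, not by extension: renamed archives are routine.
        if payload.startswith(b"PK\x03\x04"):
            try:
                for member, encrypted in inspect_zip(payload):
                    if encrypted:
                        findings.append((name, f"password-protected archive member {member}"))
                    if _ext(member) in HIGH_RISK_EXT:
                        findings.append((name, f"archive contains {member}"))
            except zipfile.BadZipFile:
                findings.append((name, "ZIP signature but unreadable archive"))
    return findings


# --- constructed sample input (not a real campaign artifact) ----------------------

def _mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the encryption flag bit in every local and central-directory header.
    Constructed for the demo only: Python's zipfile cannot write encrypted
    archives, and the triage logic looks only at the header bit."""
    buf = bytearray(zip_bytes)
    for sig, flag_offset in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        i = buf.find(sig)
        while i != -1:
            buf[i + flag_offset] |= 0x01
            i = buf.find(sig, i + len(sig))
    return bytes(buf)


def build_sample_message(password_protected: bool = True) -> bytes:
    """A phishing-style message with a ZIP holding a double-extension .lnk and an .iqy file."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("Invoice_2021.pdf.lnk", b"placeholder bytes, not a real shortcut")
    zip_bytes = zbuf.getvalue()
    if password_protected:
        zip_bytes = _mark_encrypted(zip_bytes)
    msg = EmailMessage()
    msg["From"] = "accounts@example.com"
    msg["To"] = "finance@example.org"
    msg["Subject"] = "Overdue invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(zip_bytes, maintype="application", subtype="zip", filename="Invoice.zip")
    msg.add_attachment(b"WEB\r\n1\r\nhttp://example.invalid/quote.txt\r\n",
                       maintype="application", subtype="octet-stream", filename="quote.iqy")
    return bytes(msg)


if __name__ == "__main__":
    for attachment, reason in triage_message(build_sample_message()):
        print(f"{attachment}: {reason}")
```

The point of the encryption check is operational: a password-protected archive cannot be detonated or scanned at the gateway, so the name of the member (here a `.pdf.lnk` double extension) is the only signal left, and it should be treated as a finding rather than silently passed through. RAR attachments, which several entries above also mention, need an external library and are deliberately left out.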
'T1566.001': ('Pony has been delivered via spearphishing attachments.'),
'T1566.001': ('Ramsay has been distributed through spearphishing emails with malicious attachments.'),
'T1566.001': ('Rancor has attached a malicious document to an email to gain initial access.'),
'T1566.001': ('REvil has been distributed via malicious e-mail attachments including MS Word Documents.'),
'T1566.001': ('Rifdoor has been distributed in e-mails with malicious Excel or Word documents.'),
'T1566.001': ('RTM has been delivered via spearphishing attachments disguised as PDF documents.'),
'T1566.001': ('RTM has used spearphishing attachments to distribute its malware.'),
'T1566.001': ('Sandworm Team has delivered malicious Microsoft Office attachments via spearphishing emails.'),
'T1566.001': ('Sharpshooter has sent malicious attachments via emails to targets.'),
'T1566.001': ('Sidewinder has sent e-mails with malicious attachments often crafted for specific targets.'),
'T1566.001': ('Silence has sent emails with malicious DOCX, CHM, LNK, and ZIP attachments.'),
'T1566.001': ('TA459 has targeted victims using spearphishing emails with malicious Microsoft Word attachments.'),
'T1566.001': ('TA505 has used spearphishing emails with malicious attachments to initially compromise victims.'),
'T1566.001': ('TA551 has sent spearphishing attachments with password protected ZIP files.'),
'T1566.001': ('The White Company has sent phishing emails with malicious Microsoft Word attachments to victims.'),
'T1566.001': ('TrickBot has used an email with an Excel sheet containing a malicious macro to deploy the malware.'),
'T1566.001': ('Tropic Trooper sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments.'),
'T1566.001': ('Valak has been delivered via spearphishing e-mails with password protected ZIP files.'),
'T1566.001': ('Windshift has sent spearphishing emails with attachments to harvest credentials and deliver malware.'),
'T1566.001': ('Wizard Spider has
used spearphishing attachments to deliver Microsoft documents containing macros or PDFs containing malicious links to download either Emotet, Bokbot, TrickBot, or Bazar.'),
'T1497.003': ('AppleJeus has waited a specified time before downloading a second stage payload.'),
'T1497.003': ('Bazar can use a timer to delay execution of core functionality.'),
'T1497.003': ('BendyBear can check for analysis environments and signs of debugging using the Windows API kernel32!GetTickCountKernel32 call.'),
'T1497.003': ('Egregor can perform a long sleep (greater than or equal to 3 minutes) to evade detection.'),
'T1497.003': ('EvilBunny has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox.'),
'T1497.003': ('FatDuke can turn itself on or off at random intervals.'),
'T1497.003': ('The GoldenSpy installer has delayed installation of GoldenSpy for two hours after it reaches a victim system.'),
'T1497.003': ('GoldMax has set an execution trigger date and time stored as an ASCII Unix Epoch time value.'),
'T1497.003': ('The Okrum loader can detect the presence of an emulator by using two calls to the GetTickCount API and checking whether the time has been accelerated.'),
'T1497.003': ('Pony has delayed execution using a built-in function to avoid detection and analysis.'),
'T1497.003': ('After initial installation Raindrop runs a computation to delay execution.'),
'T1497.003': ('SUNBURST remained dormant after initial access for a period of up to two weeks.'),
'T1497.003': ('ThiefQuest invokes a time call to check the system time, executes a sleep command, invokes a second time call, and then compares the time difference between the two time calls with the amount of time the system slept to identify the sandbox.'),
'T1497.003': ('Ursnif has used a 30 minute delay after execution to evade sandbox monitoring tools.'),
'T1552.005': ('Hildegard has queried the Cloud Instance Metadata API for cloud credentials.'),
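The T1497.003 entries above describe two recurring patterns: measuring a sleep with several clocks to see whether the sandbox shortened it (EvilBunny, Okrum, ThiefQuest), and staying dormant until a stored trigger time passes (GoldMax, SUNBURST). The following Python is an added example, not code from the corpus or from any of the malware it names. The decision logic is a pure function over clock readings so it can be exercised with constructed numbers; the live wrapper then runs the same check against the real clocks. The constructed sandbox readings model an analysis environment that patched the wall clock but forgot the monotonic and performance counters, which is exactly the gap a three-clock comparison is meant to catch.

```python
"""Time-based evasion checks of the kind listed under T1497.003, as plain functions."""
import time

# Three independent clocks; a sandbox that fast-forwards one API often leaves the others alone.
CLOCKS = {
    "wall": time.time,             # settable by the analyst or by NTP
    "monotonic": time.monotonic,   # cannot be set back, but can be hooked or fast-forwarded
    "perf": time.perf_counter,     # highest resolution, also hookable
}


def sleep_looks_accelerated(requested: float, before: dict, after: dict,
                            tolerance: float = 0.5) -> bool:
    """Given clock readings taken around a sleep of `requested` seconds, decide whether the
    environment skipped or shortened the sleep. Any single clock reporting less than
    requested*(1-tolerance) elapsed is enough to flag it."""
    floor = requested * (1.0 - tolerance)
    return any((after[name] - before[name]) < floor for name in before)


def measure_sleep(requested: float, tolerance: float = 0.5) -> dict:
    """Read all clocks, sleep, read again, and apply the check (what the malware does)."""
    before = {name: fn() for name, fn in CLOCKS.items()}
    time.sleep(requested)
    after = {name: fn() for name, fn in CLOCKS.items()}
    return {
        "elapsed": {name: round(after[name] - before[name], 3) for name in CLOCKS},
        "accelerated": sleep_looks_accelerated(requested, before, after, tolerance),
    }


def trigger_reached(trigger_ascii_epoch: bytes, now_epoch: float) -> bool:
    """GoldMax-style trigger: the activation time is stored as ASCII Unix epoch seconds and
    the payload stays dormant until the host clock passes it."""
    return now_epoch >= int(trigger_ascii_epoch.decode("ascii").strip())


if __name__ == "__main__":
    # Constructed readings (not captured from any real sample): a sandbox answered a
    # 30 s sleep in 12 ms but advanced only the wall clock to hide it.
    sandbox_before = {"wall": 1000.0, "monotonic": 500.0, "perf": 20.0}
    sandbox_after = {"wall": 1030.0, "monotonic": 500.012, "perf": 20.012}
    print("sandbox accelerated:", sleep_looks_accelerated(30, sandbox_before, sandbox_after))
    print("live 0.2 s sleep:", measure_sleep(0.2))
    print("trigger reached:", trigger_reached(b"1614556800", 1614556800))
```

For defenders the lesson runs the other way: a sandbox that fast-forwards sleeps has to advance every clock the sample can reach by the same amount, and a dormant-until-date sample is only observed if the analysis clock is moved past the trigger as well.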
'T1552.005': ('TeamTNT has queried the AWS instance metadata service for credentials.'),
'T1552.005': ('APT33 will query Cloud Instance APIs to harvest insecurely stored credentials that can then be used for user enumeration.'),
'T1552.005': ('In addition to credential harvesting, other valuable data can be extracted by threat actors via the AWS instance metadata service if it is not properly secured.'),
'T1552.005': ('APT25 can harvest credentials from Cloud Instance APIs, then use those credentials to gain access to systems.'),
'T1087.003': ('Backdoor.Oldrea collects address book information from Outlook.'),
'T1087.003': ('Emotet has been observed leveraging a module that can scrape email addresses from Outlook.'),
'T1087.003': ('Grandoreiro can parse Outlook .pst files to extract e-mail addresses.'),
'T1087.003': ('MailSniper can be used to obtain account names from Exchange and Office 365 using the Get-GlobalAddressList cmdlet.'),
'T1087.003': ('Ruler can be used to enumerate Exchange users and dump the GAL.'),
'T1087.003': ('Sandworm Team used malware to enumerate email settings, including usernames and passwords, from the M.E.Doc application.'),
'T1087.003': ('TA505 has used the tool EmailStealer to steal and send lists of e-mail addresses to a remote server.'),
'T1087.003': ('TrickBot collects email addresses from Outlook.'),
'T1087.003': ('Threat actors will often attempt to gather more targets by using tools that dump lists of users (for example from memory) and combining these with the company email naming convention to create a target list of email addresses.'),
'T1087.003': ('Some actors use open-source malware and tools to target and steal email account credentials from popular email clients such as Apple Mail, Gmail, and Outlook.'),
'T1087.003': ('Spearphishing is used by the most advanced threat groups in the world, which shows the potential value that skilled threat actors can extract by discovering which email addresses to target.'),
'T1087.003': ('Malware can be used by actors to automate email account
discovery.'),
'T1087.003': ('Actors can exploit vulnerabilities such as Log4Shell to gain access to a host and then move through its directories to quickly locate email addresses.'),
'T1069.003': ('Threat actors will attempt to gather cloud accounts and their associated groups in attempts to find weak or default settings to exploit for malicious purposes.'),
'T1069.003': ('Identifying cloud groups and cloud permissions can be accomplished by various commands, such as az ad user get-member-groups to get the groups associated with a user account in Azure.'),
'T1069.003': ('Some actors and malware will attempt to launch commands, for example via PowerShell among other means, to gather cloud group user settings and permissions; for Google this can be done with the API request GET https://cloudidentity.googleapis.com/v1/groups.'),
'T1069.003': ('As more organizations utilize cloud services, more actors and malware will attempt to engage in malicious activity by locating cloud groups and their corresponding cloud user settings.'),
'T1069.003': ('Targeting an access control list (ACL) could grant actors the ability to discover cloud account users and settings for Amazon Web Services (AWS); this can be done with the S3 GetBucketAcl API call.'),
'T1547.006': ('Drovorub can use kernel modules to establish persistence.'),
'T1547.006': ('Skidmap has the ability to install several loadable kernel modules (LKMs) on infected machines.'),
'T1547.006': ('Threat actors can leverage malicious loadable kernel modules (LKMs) to gain rootkit-level access on an affected machine.'),
'T1547.006': ('Actors are always looking for ways to keep control of an infected machine; one way this can be done is through malicious kernel modules used to covertly escalate privileges and maintain persistence.'),
'T1547.006': ('LKMs used by actors and malware are typically stored under /lib/modules with a .ko extension on Linux systems.'),
'T1547.006': ('Malware trying to get kernel access may run commands before loading a malicious module, and some of these include modprobe, insmod,
lsmod, rmmod, and modinfo.'),
'T1547.006': ('Some malware will attempt to load kexts into the kernel, which creates new rows in the KextPolicy tables.'),
'T1547.011': ('Dok persists via a plist login item.'),
'T1547.011': ('LoudMiner used plists to execute shell scripts and maintain persistence on boot. LoudMiner also added plist files in /Library/LaunchDaemons with KeepAlive set to true, which would restart the process if stopped.'),
'T1547.011': ('NETWIRE can persist via startup options for Login items.'),
'T1547.011': ('Property list (plist) files can be manipulated by malware to execute their own malicious executables.'),
'T1547.011': ('Some malware will create property list files (.plist) to download and execute code as part of maintaining persistence.'),
'T1547.011': ('macOS malware may use command-line tools such as defaults, plutil, or PlistBuddy to manipulate keys in property list (plist) files to elevate privileges or establish persistence.'),
'T1547.011': ('Modifying plist files in specific locations can be advantageous to threat actors, with LSEnvironment for persistence and DYLD_INSERT_LIBRARIES set to the path of a malicious dylib under EnvironmentVariables for execution.'),
'T1547.011': ('Plist files, which are stored in XML or binary form, are valuable targets on macOS because actors can gain elevated privileges, execute code, and maintain persistence if the correct keys are modified.'),
'T1546.006': ('Threat actors may create malicious Mach-O binaries with modified LC_LOAD_DYLIB load commands to change which dynamic libraries (dylibs) are loaded at execution.'),
'T1546.006': ('While changing binaries will invalidate digital signatures, threat actors can remove the LC_CODE_SIGNATURE command from the binary to prevent signature checks when loading dynamic libraries (dylibs).'),
'T1546.006': ('Malware focused on macOS may change the Mach-O load commands (LC_LOAD_DYLIB) to instruct the loader which dylibs to load at execution.'),
'T1546.006': ('Actors will create malware targeting macOS that has custom
LC_LOAD_DYLIB load commands to instruct which dylibs should be loaded.'),
'T1546.006': ('Malicious dylibs targeting macOS can be loaded and executed through the LC_LOAD_DYLIB load command in a Mach-O binary.'),
'T1480.001': ('APT41 has encrypted payloads using the Data Protection API (DPAPI), which relies on keys tied to specific user accounts on specific machines. APT41 has also environmentally keyed second stage malware with an RC5 key derived in part from the infected system volume serial number.'),
'T1480.001': ('Equation has been observed utilizing environmental keying in payload delivery.'),
'T1480.001': ('InvisiMole can use the Data Protection API to encrypt its components on the victim computer to evade detection and to make sure the payload can only be decrypted and loaded on one specific compromised computer.'),
'T1480.001': ('Malware with actor-created environment keys can gather elements to use in deciding if a second-stage encrypted payload should be dropped.'),
'T1480.001': ('Some actors will implement environmental keying by using legitimate cryptographic facilities such as the Data Protection API (DPAPI) to encrypt their payloads.'),
'T1480.001': ('Malware using environmental keying will check for specific items to be present on an infected machine or system and use those discoveries to derive the key that protects its malicious payload.'),
'T1480.001': ('Environmental keying using the Data Protection API produces an encrypted payload that can only be decrypted on the infected host.'),
'T1480.001': ('Searching for environment keys within a compromised environment can allow an actor to abuse legitimate components to encrypt their malicious activity.'),
'T1498.002': ('Threat actors can use third-party services to conduct network denial-of-service (DoS) by spoofing the target IP address as the source of their requests, so that the third-party servers send high volumes of UDP or TCP response traffic to the target.'),
'T1498.002': ('Some botnet malware may attempt to use denial of service reflection attacks by
tricking a target IP address into responding to a third party server in a back and forth of UDP TCP packets.'), 'T1498.002': ('Actors can conduct denial-of-service (DoS) attacks by using tricking a legitimate sever into responding to requests made from a spoofed (target) IP address in a reflection attack and then combined with small request and a large reply to amplify the attack.'), 'T1498.002': ('A large flood of packets flooding into the same source port but with different destination port numbers may be a sign of an amplification reflection attack.'), 'T1498.002': ('Malware can use seemingly benign servers that show no indication of compromised and force them to request information from a targetIP forcing them to respond to the requests and filling up bandwidth.'), 'T1498.001': ('Denial of service attacks that consist of packets directly sent to target in aims of exhausting that resource'), 'T1498.001': ('Distributed denial-of-service attacks are conducted by botnets such as Mirai with the objective of sending so much fake traffic or legitimate requests as to prevent the target from functioning normally.'), 'T1498.001': 'Threat actors may conduct reconnaissance to find targets that are most vulnerable to flooding the network with traffic to deny or disrupt service.'), 'T1498.001': ('Network flooding is a common tool amongst threat actors and there are online locations that offer DDoS services for purchase.'), 'T1498.001': ('Some botnet malware will use thousands if not millions of compromised devices to conduct distributed denial-of-service (DDoS) attacks directly at their target.'), 'T1499.002': ('Actors can conduct endpoint denial of service attacks by targeting endpoints including DNS email services and web-based applications in attempts to prevent that one target from functioning.'), 'T1499.002': ('Botnet malware can launch distributed denial-of-service (DDoS) attacks targeting endpoints to flood traffic and overwhelm the target system with service 
exhaustion.'), 'T1499.002': ('Malware may use HTTP flooding or SSL renegotiation attacks to create a service exhaustion flood.'), 'T1499.002': ('Actors can attack targets in attempts to render them unusable to users through HTTP requests or renegotiating SSL TSL crypto algorithms.'), 'T1499.002': ('Exhausting services with fake requests or protocol negotiations can be an affect way to prevent users from accessing the target.'), 'T1499.004': ('Industroyer uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices.'), 'T1499.004': ('Actors may try to exploit a vulnerability in an application or system to launch denial of service (DoS) attacks some of these vulnerabilities include CVE-2021-45078 CVE-2021-45046 CVE-2021-44686 CVE-2021-44429 among thousands of others.'), 'T1499.004': ('Some malware will attempt to cause applications or systems to crash by exploiting a vulnerability and denying service.'), 'T1499.004': ('Some actors will exploit vulnerabilities to force apps and systems to crash or restart leaving it inaccessible by users.'), 'T1499.004': ('Exploitation of vulnerabilities can cause applications or systems to overflow and crash and persistent re-exploitation can deny service completely.'), 'T1499.004': ('Successful exploitation of certain vulnerabilities can result in denial-of-service attacks.'), 'T1499.003': ('Web applications positioned on top of web servers are attractive targets during endpoint denial-of-service attacks.'), 'T1499.003': ('Public-facing apps are easily identifiable targets for denial of service.'), 'T1499.003': ('Application servers can be targeted for denial of service (DoS) attacks by simply repeating legitimate requests at a large scale.'), 'T1499.003': ('Legitimate apps and services are open targets for malware that repeats legitimate or spoofed requests to deny access by sheer volume.'), 'T1499.003': ('Exhausting resources can cause real damage to a company and threat actors 
will sometimes threaten specific applications (apps) with denial-of-service (DoS) to disrupt business operations at key points in time.'), 'T1518.001': ('ABK has the ability to identify the installed anti-virus product on the compromised host.'), 'T1518.001': ('Astaroth checks for the presence of Avast antivirus in the C:ProgramFiles folder.'), 'T1518.001': ('Avenger has the ability to identify installed anti-virus products on a compromised host.'), 'T1518.001': ('BadPatch uses WMI to enumerate installed security products in the victimenvironment.'), 'T1518.001': ('Bazar can identify the installed antivirus engine.'), 'T1518.001': ('build_downer has the ability to detect if the infected host is running an anti-virus process.'), 'T1518.001': ('Carberp has queried the infected system registry searching for specific registry keys associated with antivirus products.'), 'T1518.001': ('CHOPSTICK checks for antivirus and forensics software.'), 'T1518.001': ('Cobalt Group used a JavaScript backdoor that is capable of collecting a list of the security solutions installed on the victim machine.'), 'T1518.001': ('Comnie attempts to detect several anti-virus products.'), 'T1518.001': ('CookieMiner has checked for the presence of Little Snitch macOS network monitoring and application firewall software stopping and exiting if it is found.'), 'T1518.001': 'The main CozyCar dropper checks whether the victim has an anti-virus product installed. 
If the installed product is on a predetermined list the dropper will exit.'), 'T1518.001': ('Crimson contains a command to collect information about anti-virus software on the victim.'), 'T1518.001': ('Darkhotel has searched for anti-malware strings and anti-virus processes running on the system.'), 'T1518.001': ('down_new has the ability to detect anti-virus products and processes on a compromised host.'), 'T1518.001': ('DustySky checks for the existence of anti-virus.'), 'T1518.001': ('Empire can enumerate antivirus software on the target.'), 'T1518.001': ('Epic searches for anti-malware services running on the victimmachine and terminates itself if it finds them.'), 'T1518.001': ('EvilBunny has been observed querying installed antivirus software.'), 'T1518.001': ('EVILNUM can search for anti-virus products on the system.'), 'T1518.001': ('Felismus checks for processes associated with anti-virus vendors.'), 'T1518.001': ('FELIXROOT checks for installed security software like antivirus and firewall.'), 'T1518.001': ('FIN8 has used Registry keys to detect and avoid executing in potential sandboxes.'), 'T1518.001': ('FinFisher probes the system to check for antimalware processes.'), 'T1518.001': ('Flame identifies security software such as antivirus through the Security module.'), 'T1518.001': ('FlawedAmmyy will attempt to detect anti-virus products during the initial infection.'), 'T1518.001': ('Frankenstein has used WMI queries to detect if virtualization environments or analysis tools were running on the system.'), 'T1518.001': ('Gold Dragon checks for anti-malware products and processes.'), 'T1518.001': ('Grandoreiro can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections.'), 'T1518.001': ('InvisiMole can check for the presence of network sniffers AV and BitDefender firewall.'), 'T1518.001': ('JPIN checks for the presence of certain security-related processes and deletes its installer uninstaller 
component if it identifies any of them.'), 'T1518.001': ('jRAT can list security software such as by using WMIC to identify anti-virus products installed on the victimmachine and to obtain firewall details.'), 'T1518.001': ('Kasidet has the ability to identify any anti-virus installed on the infected system.'), 'T1518.001': ('Metamorfo collects a list of installed antivirus software from the victimsystem.'), 'T1518.001': ('Micropsia searches for anti-virus software and firewall products installed on the victimmachine using WMI.'), 'T1518.001': ('MoleNet can use WMI commands to check the system for firewall and antivirus software.'), 'T1518.001': ('More_eggs can obtain information on installed anti-malware programs.'), 'T1518.001': ('Mosquito installer searches the Registry and system to see if specific antivirus tools are installed on the system.'), 'T1518.001': ('MuddyWater has used malware to check running processes against a hard-coded list of security tools often used by malware researchers.'), 'T1518.001': ('Naikon uses commands such as netsh advfirewall firewall to discover local firewall settings.'), 'T1518.001': ('netsh can be used to discover system firewall settings.'), 'T1518.001': ('Netwalker can detect and terminate active security software-related processes on infected systems.'), 'T1518.001': ('NotPetya determines if specific antivirus programs are running on an infected host machine.'), 'T1518.001': ('Operation Wocao has used scripts to detect security software.'), 'T1518.001': ('Patchwork scanned theProgram Files directories for a directory with the stringTotal Security (the installation path of the360 Total Security antivirus tool).'), 'T1518.001': ('PipeMon can check for the presence of ESET and Kaspersky security software.'), 'T1518.001': ('POWERSTATS has detected security tools.'), 'T1518.001': ('POWRUNER may collect information on the victim anti-virus software.'), 'T1518.001': ('A module in Prikormka collects information from the victim 
about installed anti-virus software.'), 'T1518.001': ('PUNCHBUGGY can gather AVs registered in the system.'), 'T1518.001': ('Remsec has a plugin to detect active drivers of some security products.'), 'T1518.001': ('Rocke used scripts which detected and uninstalled antivirus software.'), 'T1518.001': ('RogueRobin enumerates running processes to search for Wireshark and Windows Sysinternals suite.'), 'T1518.001': ('ROKRAT checks for debugging tools.'), 'T1518.001': ('RTM can obtain information about security software on the victim.'), 'T1518.001': ('Sidewinder has used the Windows service winmgmts:.rootSecurityCenter2 to check installed antivirus products.'), 'T1518.001': ('Skidmap has the ability to check if usr sbin setenforce exists. This file controls what mode SELinux is in.'), 'T1518.001': ('StoneDrill can check for antivirus and antimalware programs.'), 'T1518.001': ('StreamEx has the ability to scan for security tools such as firewalls and antivirus tools.'), 'T1518.001': ('StrongPity can identify if ESET or BitDefender antivirus are installed before dropping its payload.'), 'T1518.001': ('SUNBURST checked for a variety of antivirus endpoint detection agents prior to execution.'), 'T1518.001': 'T9000 performs checks for various antivirus and security products during installation.'), 'T1518.001': 'TajMahal has the ability to identify which anti-virus products firewalls and anti-spyware products are in use.'), 'T1518.001': 'Tasklist can be used to enumerate security software currently running on a system by process name of known products.'), 'T1518.001': 'The White Company has checked for specific antivirus products on the targetcomputer including Kaspersky Quick Heal AVG BitDefender Avira Sophos Avast! 
and ESET.'), 'T1518.001': 'ThiefQuest uses the kill_unwanted function to get a list of running processes compares each process with an encrypted list ofunwanted security related programs and kills the processes for security related programs.'), 'T1518.001': 'Tropic Trooper can search for anti-virus software running on the system.'), 'T1518.001': 'Turla has obtained information on security software including security logging information that may indicate whether their malware has been detected.'), 'T1518.001': ('Valak can determine if a compromised host has security products installed.'), 'T1518.001': ('VERMIN uses WMI to check for anti-virus software installed on the system.'), 'T1518.001': ('Waterbear can find the presence of a specific security software.'), 'T1518.001': ('Windshift has used malware to identify installed AV and commonly used forensic and malware analysis tools.'), 'T1518.001': ('Wingbird checks for the presence of Bitdefender security software.'), 'T1518.001': ('Wizard Spider has used WMI to identify anti-virus products installed on a victim machine.'), 'T1518.001': ('YAHOYAH checks for antimalware solution processes on the system.'), 'T1518.001': ('Zeus Panda checks to see if anti-virus anti-spyware or firewall products are installed in the victimenvironment.'), 'T1016.001': ('APT29 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request travels through.'), 'T1016.001': ('GoldFinder performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through.'), 'T1016.001': ('More_eggs has used HTTP GET requests to check internet connectivity.'), 'T1016.001': 'Turla has used tracert to check internet connectivity.'), 'T1016.001': ('UNC2452 has used GoldFinder to perform HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors 
that an HTTP request travels through.'), 'T1114.002': ('A'),P'T1 uses t': (' utilities GETMAIL and MAPIGET to steal email. MAPIGET steals email still on Exchange servers that has not yet been archived.'), 'T1114.002': ('APT28 has collected emails from victim Microsoft Exchange servers.'), 'T1114.002': ('APT29 collected emails from specific individuals such as executives and IT staff using New-MailboxExportRequest followed by Get-MailboxExportRequest.'), 'T1114.002': ('Chimera has harvested data from remote mailboxes including through execution of c$UsersAppDataLocalMicrosoftOutlook*.ost.'), 'T1114.002': ('Dragonfly 2.0 accessed email accounts using Outlook Web Access.'), 'T1114.002': ('FIN4 has accessed and hijacked online email communications using stolen credentials.'), 'T1114.002': ('HAFNIUM has used web shells to export mailbox data.'), 'T1114.002': ('Ke3chang used a .NET tool to dump data from Microsoft Exchange mailboxes.'), 'T1114.002': ('Leafminer used a tool called MailSniper to search through the Exchange server mailboxes for keywords.'), 'T1114.002': ('LightNeuron collects Exchange emails matching rules specified in its configuration.'), 'T1114.002': ('MailSniper can be used for searching through email in Exchange and Office 365 environments.'), 'T1114.002': ('Some SeaDuke samples have a module to extract email from Microsoft Exchange servers using compromised credentials.'), 'T1114.002': ('UNC2452 collected emails from specific individuals such as executives and IT staff using New-MailboxExportRequest followed by Get-MailboxExportRequest.'), 'T1114.002': ('Valak can collect sensitive mailing information from Exchange servers including credentials and the domain certificate of an enterprise.'), 'T1114.003': ('Kimsuky has set auto-forward rules on victim e-mail accounts.'), 'T1114.003': ('Silent Librarian has set up auto forwarding rules on compromised e-mail accounts.'), 'T1114.003': ('Some groups will have their malware create email forwarding rules to 
gain control over a mail servers sent and received messages.'), 'T1114.003': ('Email forwarding rules can grant malware the ability to retain control over a mail server even if the credentials have been changed.'), 'T1114.003': ('Actors may use Microsoft Messaging API (MAPI) to modify email rule properties to conceal them from email clients and tools.'), 'T1114.003': ('Information-motivated groups may use previously-compromised email credentials to set up email forwarding rules on multiple compromised accounts in attempts to cast a wide net to steal valuable data.'), 'T1114.003': 'Threat groups may set up forwarding rules on compromised email accounts to gather more information and credentials.'), 'T1087.004': ('Actors can use the˜Get-MsolRoleMember PowerShell command-let (cmdlet) to get user role and permissions groups in Office 365.'), 'T1087.004': ('In Azure malware or actors may try to run commands to get user and group information and this can be done with the˜az ad user list command.'), 'T1087.004': ('In Kubernetes actors may try to run commands such as˜kubectl config view -o jsonpath= {.users*.name} to get a list of all users or˜kubectl config get-users to display users defined in the kubeconfig.'), 'T1087.004': ('Actors or malware may run the AWS command˜aws iam list-users to get users on a the account or run˜aws iam list-roles to get IAM role information.'), 'T1087.004': ('For GCP actors or malware may run the˜gcloud iam service-accounts list or˜gcloud projects get-iam-policy to obtain cloud account and project information.'), 'T1136.003': ('Some actors will create additional accounts on target cloud environments to deploy tools or other malicious activity.'), 'T1136.003': ('Adversaries may create accounts that only have access to specific cloud services which can reduce the chance of detection.'), 'T1136.003': ('Creating accounts on specific cloud systems with the correct permissions can allow malware or actors to conceal themselves while stealing 
data.'), 'T1136.003': ('Actors targeting cloud providers may create fake accounts to blend in with normal activity.'), 'T1136.003': ('Malware or actors will sometimes create dedicated accounts for their targets such as cloud providers to maintain persistence in the environment.'), 'T1078.004': ('APT33 has used compromised Office 365 accounts in tandem with Ruler in an attempt to gain control of endpoints.'), 'T1078.004': ('APT28 has used compromised Office 365 service accounts with Global Administrator privileges to collect email from user inboxes.'), 'T1078.004': ('Some threat actors will create legitimate accounts on targeted platforms or services such as cloud providers to elevate privileges and maintain persistence.'), 'T1078.004': 'Threat actors and adversaries may create accounts with global administrator privileges on targeted cloud environment to steal large amounts of data.'), 'T1078.004': ('Compromised credentials for cloud-related accounts can allow malware or actors to steal data and information by using authentic accounts for malicious purposes.'), 'T1078.004': ('Using valid cloud accounts for malicious purposes is a good technique for actors and malware to remain under the radar while conducting nefarious activity.'), 'T1078.004': ('Abusing trusted relationships of any cloud account given to employees is an effective means to conduct malicious activity.'), 'T1550.003': ('APT29 used Kerberos ticket attacks for lateral movement.'), 'T1550.003': ('APT32 successfully gained remote access by using pass the ticket.'), 'T1550.003': ('BRONZE BUTLER has created forged Kerberos Ticket Granting Ticket (TGT) and Ticket Granting Service (TGS) tickets to maintain administrative access.'), 'T1550.003': ('MimikatzLSADUMP::DCSync and KERBEROS::PTT modules implement the three steps required to extract the krbtgt account hash and create use Kerberos tickets.'), 'T1550.003': ('Pupy can also perform pass-the-ticket.'), 'T1550.003': ('Some SeaDuke samples have a module to 
use pass the ticket with Kerberos for authentication.'), 'T1550.002': 'The A'),P'T1 group ': (' known to have used pass the hash.'), 'T1550.002': ('APT28 has used pass the hash for lateral movement.'), 'T1550.002': ('APT32 has used pass the hash for lateral movement.'), 'T1550.002': ('Chimera has dumped password hashes for use in pass the hash authentication attacks.'), 'T1550.002': ('Cobalt Strike can perform pass the hash.'), 'T1550.002': ('CrackMapExec can pass the hash to authenticate via SMB.'), 'T1550.002': ('Empire can perform pass the hash attacks.'), 'T1550.002': ('GALLIUM used dumped hashes to authenticate to other machines via pass the hash.'), 'T1550.002': ('HOPLIGHT has been observed loading several APIs associated with Pass the Hash.'), 'T1550.002': ('Kimsuky has used pass the hash for authentication to remote access software used in C2.'), 'T1550.002': ('Mimikatz SEKURLSA::Pth module can impersonate a user with only a password hash to execute arbitrary commands.'), 'T1550.002': ('Night Dragon used pass-the-hash tools to gain usernames and passwords.'), 'T1550.002': ('Pass-The-Hash Toolkit can perform pass the hash.'), 'T1550.002': ('PoshC2 has a number of modules that leverage pass the hash for lateral movement.'), 'T1562.008': 'Threat actors may try to collect cloud log data and subsequently disable the logs to hide their activity.'), 'T1562.008': ('Malware or actors may disable cloud logs in Amazon Web Services (AWS) with commands like˜StopLogging and˜DeleteTrail.'), 'T1562.008': ('Disabling logs in cloud environments can allow actors or malware to conceal their malicious activity.'), 'T1562.008': ('In efforts to conceal their actions adversaries may disable cloud logs in GCP while deploying other apps or containers.'), 'T1562.008': ('Adversaries may disable event logging in Kubernetes to hide their deployment applications or containers on a target environment.'), 'T1546.004': ('Linux Rabbit maintains persistence on an infected machine through 
rc.local and .bashrc files.'), 'T1546.004': ('Some malware will maintain persistence via rc.local and .bashrc files.'), 'T1546.004': ('On Linux and Unix systems malware may try to maintain persistence by using bash scripts.'), 'T1546.004': ('Login environments such as .bash or ZSH can be used by malware to create events that are launched on every boot or login.'), 'T1546.004': ('Using shell commands contained in files actors can instruct infected hosts to launch specific events at pre-determined times.'), 'T1546.004': ('Many actors and malware will use login environments to force an infected machine to execute scripts at any specified time.'), 'T1562.007': ('Adversaries may attempt to modify cloud firewall settings to allow connections for further downloads or uploads.'), 'T1562.007': ('Some actors and malware will disable cloud firewall settings for short periods of time to allow connections and then restore restrictions to avoid detection.'), 'T1562.007': ('Malware that manipulates cloud firewall settings can allow threat actors to steal data and resources.'), 'T1562.007': ('If actors get control of a cloud firewall they will be able to change settings to allow further malicious activity.'), 'T1562.007': ('Modifying or disabling a cloud firewall may enable adversary C2 communications lateral movement and or data exfiltration that would otherwise not be allowed.'), 'T1578.004': ('Reverting cloud infrastructure instances allows malware and actors to conduct malicious activities and then revert to a clean state to hide their actions.'), 'T1578.004': ('Actors can hide their malicious activity while in cloud instances by restoring the virtual machine to a previous state.'), 'T1578.004': ('Restoring a virtual machine to its original state after malicious activity has been completed is a good technique to conceal malicious activity.'), 'T1578.004': ('Adversaries may restore cloud environments to previous snapshots once cybercriminal activity has been completed.'), 
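The T1562.008 entries above (StopLogging, DeleteTrail) and the T1562.007 entries on briefly opening a cloud firewall and then restoring it describe API calls that CloudTrail records. As an added example that is not part of this catalogue or of any vendor tooling, the following Python script triages a CloudTrail export for those events, escalates only security-group rules that admit any source address, and pairs such an opening with a revocation on the same group inside a time window. The event names and the requestParameters layout are the real AWS ones; the trail records, account ID, ARNs, group and instance IDs and timestamps are constructed for illustration.

```python
import json
from datetime import datetime, timezone

# Added example, not code from ATT&CK or from any vendor. Event names are real
# AWS API actions; the mapping to technique IDs follows the catalogue entries.
SUSPICIOUS_EVENTS = {
    "StopLogging": ("T1562.008", "CloudTrail logging stopped"),
    "DeleteTrail": ("T1562.008", "CloudTrail trail deleted"),
    "UpdateTrail": ("T1562.008", "CloudTrail configuration changed"),
    "AuthorizeSecurityGroupIngress": ("T1562.007", "security group opened to any source"),
    "TerminateInstances": ("T1578.003", "instance terminated"),
}

# Constructed CloudTrail export: account ID, ARNs, group IDs and times are made up.
SAMPLE_TRAIL = json.dumps({"Records": [
    {"eventTime": "2024-03-01T10:00:00Z", "eventName": "DescribeInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {}},
    {"eventTime": "2024-03-01T10:05:00Z", "eventName": "StopLogging",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"name": "arn:aws:cloudtrail:us-east-1:111122223333:trail/main"}},
    {"eventTime": "2024-03-01T10:06:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-03-01T10:07:00Z", "eventName": "AuthorizeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/ops"},
     "requestParameters": {"groupId": "sg-0def", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 443, "toPort": 443,
          "ipRanges": {"items": [{"cidrIp": "10.0.0.0/8"}]}}]}}},
    {"eventTime": "2024-03-01T10:20:00Z", "eventName": "RevokeSecurityGroupIngress",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"groupId": "sg-0abc", "ipPermissions": {"items": [
         {"ipProtocol": "tcp", "fromPort": 22, "toPort": 22,
          "ipRanges": {"items": [{"cidrIp": "0.0.0.0/0"}]}}]}}},
    {"eventTime": "2024-03-01T10:21:00Z", "eventName": "TerminateInstances",
     "userIdentity": {"arn": "arn:aws:iam::111122223333:user/contractor"},
     "requestParameters": {"instancesSet": {"items": [{"instanceId": "i-0123456789abcdef0"}]}}},
]})


def load_records(text):
    """Parse a CloudTrail export ({"Records": [...]}) and sort the events by time."""
    return sorted(json.loads(text)["Records"], key=lambda e: e["eventTime"])


def parse_time(ts):
    """CloudTrail eventTime is UTC with a trailing Z, e.g. 2024-03-01T10:05:00Z."""
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def is_world_open(event):
    """True if a security-group rule in the event admits 0.0.0.0/0 or ::/0."""
    perms = ((event.get("requestParameters") or {}).get("ipPermissions") or {}).get("items") or []
    for perm in perms:
        v4 = (perm.get("ipRanges") or {}).get("items") or []
        v6 = (perm.get("ipv6Ranges") or {}).get("items") or []
        if any(r.get("cidrIp") == "0.0.0.0/0" for r in v4):
            return True
        if any(r.get("cidrIpv6") == "::/0" for r in v6):
            return True
    return False


def triage(records):
    """One finding per suspicious event: (eventTime, technique, actor ARN, reason)."""
    findings = []
    for ev in records:
        name = ev.get("eventName")
        if name not in SUSPICIOUS_EVENTS:
            continue
        # Internal-only rule changes are routine; only world-open ones are escalated here.
        if name == "AuthorizeSecurityGroupIngress" and not is_world_open(ev):
            continue
        technique, reason = SUSPICIOUS_EVENTS[name]
        findings.append((ev["eventTime"], technique, ev["userIdentity"]["arn"], reason))
    return findings


def short_lived_openings(records, window_seconds=1800):
    """Pair a world-open Authorize with a Revoke on the same group inside the window.

    This is the "open the firewall briefly, then restore it" pattern from the
    T1562.007 entries; returns (groupId, seconds_open) for each matched pair.
    """
    opened = {}
    pairs = []
    for ev in records:  # load_records already sorted them by time
        gid = (ev.get("requestParameters") or {}).get("groupId")
        if ev.get("eventName") == "AuthorizeSecurityGroupIngress" and is_world_open(ev):
            opened[gid] = parse_time(ev["eventTime"])
        elif ev.get("eventName") == "RevokeSecurityGroupIngress" and gid in opened:
            seconds = (parse_time(ev["eventTime"]) - opened.pop(gid)).total_seconds()
            if seconds <= window_seconds:
                pairs.append((gid, int(seconds)))
    return pairs


if __name__ == "__main__":
    recs = load_records(SAMPLE_TRAIL)
    for finding in triage(recs):
        print("finding:", finding)
    for gid, secs in short_lived_openings(recs):
        print(f"security group {gid} was world-open for {secs} seconds")
```

On the constructed trail the script reports the StopLogging call, the world-open SSH rule and the instance termination, all by the same principal, and pairs the sg-0abc opening with its revocation 840 seconds later; the internal 10.0.0.0/8 rule on sg-0def is left to normal review. In practice the window and the list of event names are tuning knobs, and StopLogging itself is the last event the stopped trail will record, so the detector should read from a trail other than the one being disabled (an organisation trail or a second region).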
'T1578.004': ('Actors and malware can take advantage of ephemeral storage types because they often restart reset once the VM is stopped or rebooted.'), 'T1578.003': 'Threat actors may delete a cloud instance or virtual machine to hide their malicious activity.'), 'T1578.003': ('CloudTrail logs in Amazon Web Services (AWS) can capture cloud instance deletion in the˜TerminateInstaces event.'), 'T1578.003': ('Within GoogleAdmin Activity audit logs the Cloud Audit logs can detect when instances or virtual machines (VMs) are deleted via the gcloud˜compute instances delete command.'), 'T1578.003': ('In Kubernetes malware or threat actors may attempt to remove finalizers (finalizer key) prior to deleting a cloud instance.'), 'T1578.003': ('Deleting evidence of malicious operations such as manipulating or removing cloud instances or VMs may be done by actors or malware to conceal their operations.'), 'T1578.001': ('Malware may attempt to modify existing cloud infrastructure by creating new snapshots to steal resources or data.'), 'T1578.001': ('Cybercriminals may create snapshots on cloud systems and grant only themselves access to it establish or maintain persistence.'), 'T1578.001': ('Creating a snapshot with firewall-restricted access in a cloud instance can give adversaries concealed access and persistence on a target system.'), 'T1578.001': ('Actors may create a snapshot on a virtual hard drive or volume from which to maintain access onto a targetsystem.'), 'T1578.001': ('Actors can create snapshots on cloud systems to launch attacks from.'), 'T1578.002': ('On Google Admin Activity audit logs actors can use the command˜gcloud compute instances create to create a new cloud instance.'), 'T1578.002': ('Adversaries may a new virtual machine to launch attacks from and evade defenses.'), 'T1578.002': 'Threat actors can create a new cloud instance to bypass firewall rules and permissions that may exist in an account.'), 'T1578.002': ('Cybercriminals can utilize cloud systems 
by creating new instances that are hidden from view and do not affect the targets operations.'), 'T1578.002': ('Actors may setup their own infrastructure in a target network by creating cloud instances with custom security settings to avoid detection.'), 'T1074.002': ('APT29 staged data and files in password-protected archives on a victim OWA server.'), 'T1074.002': ('Chimera has staged stolen data on designated servers in the target environment.'), 'T1074.002': ('FIN6 actors have compressed data from remote systems and moved it to another staging system before exfiltration.'), 'T1074.002': ('FIN8 aggregates staged data from a network into a single location.'), 'T1074.002': ('menuPass has staged data on remote MSP systems or other victim networks prior to exfiltration.'), 'T1074.002': ('Night Dragon has copied files to company web servers and subsequently downloaded them.'), 'T1074.002': 'Threat Group-3390 has moved staged encrypted archives to Internet-facing servers that had previously been compromised with China Chopper prior to exfiltration.'), 'T1074.002': ('UNC2452 staged data and files in password-protected archives on a victim OWA server.'), 'T1491.002': ('Sandworm Team defaced approximately 15 000 websites belonging to Georgian government non-government and private sector organizations in 2019.'), 'T1491.002': 'Threat actors who want to make a socioeconomical point or deliver a message may deface well-known websites to ensure their point is seen.'), 'T1491.002': ('Some websites are defaced by hacktivists or malware in attempts to gather support from other adversaries to accomplish an objective.'), 'T1491.002': ('Cybercriminals of lower sophisticated are typically the ones that deface websites however advanced groups such as Sandworm Team have defaced thousands of websites.'), 'T1491.002': ('Some state-sponsored groups may use website defacement as a diversionary tactic to distract from their true objectives.'), 'T1491.002': ('Website defacements may be 
used to setup future attacks as an initial access point.'), 'T1098.001': ('APT29 has added credentials to OAuth Applications and Service Principals.'), 'T1098.001': ('UNC2452 added credentials to OAuth Applications and Service Principals.'), 'T1098.001': 'Threat actors may add their own credentials into a created or compromised cloud service account to setup legitimate services on a system under their control.'), 'T1098.001': ('Some malware and actors will gain illicit access to an account that inside a cloud environment such as AWS GCP or Kubernetes and credentials for own accounts.'), 'T1098.001': ('If an actor can breach cloud accounts with the correct privileges there are numerous ways the adversary could add their own credentials into a target system.'), 'T1547.014': ('PoisonIvy creates a Registry key in the Active Setup pointing to a malicious executable.'), 'T1547.014': ('Cybercriminals may manipulate Active Setup by adding a registry key so that the malicious key will be executed when a user logs in.'), 'T1547.014': 'Threat actors can maintain persistence on a machine by adding a registry to the Active Setup on Windows operating systems.'), 'T1547.014': ('An actor can add registry keys to Windows Active Setup to execute programs from a useraccount every time he she them logs in.'), 'T1547.014': ('Malware may attempt to use Active Setup components on Windows systems to execute specific actions upon every login.'), 'T1547.014': ('Active Setup components can be utilized by adversaries to force breached or compromised accounts to conduct malicious activity while disguised as a legitimate user.'), 'T1127.001': ('Empire can use built-in modules to abuse trusted utilities like MSBuild.exe.'), 'T1127.001': ('Frankenstein has used MSbuild to execute an actor-created file.'), 'T1127.001': ('A version of PlugX loads as shellcode within a .NET Framework project using msbuild.exe presumably to bypass application control techniques.'), 'T1127.001': ('Adversaries may use 
MSBuild to proxy execution of code through a trusted Windows utility.'), 'T1127.001': ('Legitimate software such as Windows Microsoft Build Engine (MSBuild.exe) can be abused by threat actors to execute malware under the guise of a trusted utility.'), 'T1127.001': ('Malware or actors can bypass security features by using MSBuild to execute files that will be allowed by security controls because it is a trusted program.'), 'T1553.003': ('Adversaries may tamper with SIP and trust provider components to mislead the operating system and application control tools when conducting signature validation checks.'), 'T1553.003': ('Subject Interface Packages (SIPs) can be manipulated by threat actors to trick operating systems into executing code that could otherwise blocked by security features.'), 'T1553.003': ('Cybercriminals or malware may try to change trust controls that only allow code execution from software with valid digital certificates to conduct malicious activity.'), 'T1553.003': ('Actors may try to subvert operating system (OS) trust controls to hide from security solutions when executing malware.'), 'T1553.003': 'Threat actors or groups are known to try to hijack OS trust provider architecture to allow execution of code that does not have a valid digital certificate.'), 'T1484.001': ('Egregor can modify the GPO to evade detection.'), 'T1484.001': ('Empire can use New-GPOImmediateTask to modify a GPO that will install and execute a malicious Scheduled Task Job.'), 'T1484.001': ('Indrik Spider has used Group Policy Objects to deploy batch scripts.'), 'T1484.001': ('Adversaries may modify group policy objects (GPOs) to subvert the intended discretionary access controls for a domain usually with the intention of escalating privileges on the domain.'), 'T1484.001': 'Threat actors can use GPOs (virtual collection of policy settings) to force infect machines to connect to command and control (C2) IPs domains or servers for further malicious activity.'), 'T1484.001': 
('Policy settings for groups on Windows operating systems (OSs) can be used to created scheduled tasks for persistence download payloads modify settings and steal data.'), 'T1484.001': ('Group policy objects can be modified by cybercriminals to disable tools elevate privileges establish persistence and execute code among numerous other malicious activities.'), 'T1484.001': ('Malicious GPO modifications can be used to implement many other malicious behaviors such as Scheduled Task Job Disable or Modify Tools Ingress Tool Transfer Create Account Service Execution and more.'), 'T1134.005': ('Empire can add a SID-History to a user if on a domain controller.'), 'T1134.005': ('Mimikatz MISC::AddSid module can appended any SID or user group account to a user SID-History. Mimikatz also utilizes SID-History Injection to expand the scope of other components such as generated Kerberos Golden Tickets and DCSync beyond a single domain.'), 'T1134.005': ('Adversaries may use SID-History Injection to escalate privileges and bypass access controls.'), 'T1134.005': ('Cybercriminals can manipulate the Windows security identifier (SID) to gather user account history and identifiers to impersonate other users or groups to conduct malicious activity.'), 'T1134.005': ('User account and group information stored in Sid-history can be stolen by threat actors to masquerade as legitimate users while launching attacks.'), 'T1055.013': ('Bazar can inject into a target process using process doppelgänging.'), 'T1055.013': ('Leafminer has used Process Doppelgänging to evade security software while deploying tools on compromised systems.'), 'T1055.013': ('SynAck abuses NTFS transactions to launch and conceal malicious processes.'), 'T1055.013': ('Adversaries may inject malicious code into process via process doppelgänging to evade process-based defenses as well as possibly elevate privileges.'), 'T1055.013': ('Process doppelgänging is a method of executing arbitrary code in the address space of a 
separate live process.'), 'T1134.004': ('Cobalt Strike can spawn processes with alternate PPIDs.'), 'T1134.004': ('PipeMon can use parent PID spoofing to elevate privileges.'), 'T1134.004': ('Adversaries may spoof the parent process identifier (PPID) of a new process to evade process-monitoring defenses or to elevate privileges.'), 'T1134.004': ('Cybercriminals can create fake PPIDs for their malicious activity to elevate privileges or evade security defenses.'), 'T1134.004': ('Parent process identifiers can be spoofed by actors or malware to allow and conceal execution of malicious processes.'), 'T1070.005': ('InvisiMole can disconnect previously connected remote drives.'), 'T1070.005': ('The net use \\system\share /delete command can be used in Net to remove an established connection to a network share.'), 'T1070.005': ('RobbinHood disconnects all network shares from the computer with the command net use * /DELETE /Y.'), 'T1070.005': ('Threat Group-3390 has detached network shares after exfiltrating files, likely to evade detection.'), 'T1070.005': ('Adversaries may remove share connections that are no longer useful to clean up traces of their operation.'), 'T1218.011': ('ADVSTORESHELL has used rundll32.exe in a Registry value to establish persistence.'), 'T1218.011': ('APT19 configured its payload to inject into the rundll32.exe.'), 'T1218.011': ('APT28 executed CHOPSTICK by using rundll32 commands such as rundll32.exe C:\Windows\twain_64.dll. APT28 also executed a .dll for a first stage dropper using rundll32.exe. 
An APT28 loader Trojan saved a batch script that uses rundll32 to execute a DLL payload.'), 'T1218.011': ('APT29 has used Rundll32.exe to execute payloads.'), 'T1218.011': ('APT3 has a tool that can run DLLs.'), 'T1218.011': ('APT32 malware has used rundll32.exe to execute an initial infection process.'), 'T1218.011': ('APT41 has used rundll32.exe to execute a loader.'), 'T1218.011': ('Attor installer plugin can schedule rundll32.exe to load the dispatcher.'), 'T1218.011': ('Bisonal uses rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\vert = rundll32.exe c:\windows\temp\pvcu.dll Qszdez.'), 'T1218.011': ('BLINDINGCAN has used Rundll32 to load a malicious DLL.'), 'T1218.011': ('Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using rundll32.exe.'), 'T1218.011': ('Briba uses rundll32 within Registry Run Keys / Startup Folder entries to execute malicious DLLs.'), 'T1218.011': ('Carbanak installs VNC server software that executes through rundll32.'), 'T1218.011': ('Comnie uses Rundll32 to load a malicious DLL.'), 'T1218.011': ('CopyKittens uses rundll32 to load various tools on victims, including a lateral movement tool named Vminst, Cobalt Strike and shellcode.'), 'T1218.011': ('CORESHELL is installed via execution of rundll32 with an export named init or InitW.'), 'T1218.011': ('The CozyCar dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main CozyCar component.'), 'T1218.011': ('DDKONG uses Rundll32 to ensure only a single instance of itself is running at once.'), 'T1218.011': ('Egregor has used rundll32 during execution.'), 'T1218.011': ('After copying itself to a DLL file, a variant of Elise calls the DLL file using rundll32.exe.'), 'T1218.011': ('Variants of Emissary have used rundll32.exe in Registry values added to establish persistence.'), 'T1218.011': ('EVILNUM can execute commands and 
scripts through rundll32.'), 'T1218.011': ('FatDuke can execute via rundll32.'), 'T1218.011': ('FELIXROOT uses Rundll32 for executing the dropper program.'), 'T1218.011': ('Rundll32.exe is used as a way of executing Flame at the command-line.'), 'T1218.011': ('Gamaredon Group malware has used rundll32 to launch additional malicious components.'), 'T1218.011': ('A gh0st RAT variant has used rundll32 for execution.'), 'T1218.011': ('GreyEnergy uses PsExec locally in order to execute rundll32.exe at the highest privileges (NT AUTHORITY\SYSTEM).'), 'T1218.011': ('HAFNIUM has used rundll32 to load malicious DLLs.'), 'T1218.011': ('InvisiMole has used rundll32.exe for execution.'), 'T1218.011': ('JHUHUGIT is executed using rundll32.exe.'), 'T1218.011': ('Koadic can use Rundll32 to execute additional payloads.'), 'T1218.011': ('KONNI has used Rundll32 to execute its loader for privilege escalation purposes.'), 'T1218.011': ('Kwampirs uses rundll32.exe in a Registry value added to establish persistence.'), 'T1218.011': ('Matryoshka uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism.'), 'T1218.011': ('MegaCortex has used rundll32.exe to load a DLL for file encryption.'), 'T1218.011': ('Mosquito launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability.'), 'T1218.011': ('MuddyWater has used malware that leveraged rundll32.exe in a Registry Run key to execute a .dll.'), 'T1218.011': ('NOKKI has used rundll32 for execution.'), 'T1218.011': ('NotPetya uses rundll32.exe to install itself on remote systems when accessed via PsExec or wmic.'), 'T1218.011': ('PolyglotDuke can be executed using rundll32.exe.'), 'T1218.011': ('PowerDuke uses rundll32.exe to load.'), 'T1218.011': ('Prikormka uses rundll32.exe to load its DLL.'), 'T1218.011': ('Pteranodon executes functions using rundll32.exe.'), 'T1218.011': ('PUNCHBUGGY can load a DLL using Rundll32.'), 'T1218.011': ('Ragnar Locker has used rundll32.exe to 
execute components of VirtualBox.'), 'T1218.011': ('RTM runs its core DLL file using rundll32.exe.'), 'T1218.011': ('Sakula calls cmd.exe to run various DLL files via rundll32.'), 'T1218.011': ('Sandworm Team used a backdoor which could execute a supplied DLL using rundll32.exe.'), 'T1218.011': ('ServHelper contains a module for downloading and executing DLLs that leverages rundll32.exe.'), 'T1218.011': ('Sibot has executed downloaded DLLs with rundll32.exe.'), 'T1218.011': ('StreamEx uses rundll32 to call an exported function.'), 'T1218.011': ('SUNBURST used Rundll32 to execute payloads.'), 'T1218.011': ('TA505 has leveraged rundll32.exe to execute malicious DLLs.'), 'T1218.011': ('TA551 has used rundll32.exe to load malicious DLLs.'), 'T1218.011': ('UNC2452 used Rundll32 to execute payloads.'), 'T1218.011': ('USBferry can execute rundll32.exe in memory to avoid detection.'), 'T1218.011': ('The Winnti for Windows installer loads a DLL using rundll32.'), 'T1218.011': ('ZxShell has used rundll32.exe to execute other DLLs and named pipes. 
'), 'T1562.006': ('Ebury can hook logging functions so that nothing from the backdoor gets sent to the logging facility.'), 'T1562.006': ('Waterbear can hook the ZwOpenProcess and GetExtendedTcpTable APIs called by the process of a security product to hide PIDs and TCP records from detection.'), 'T1562.006': ('An adversary may attempt to block indicators or events typically captured by sensors from being gathered and analyzed.'), 'T1562.006': ('Actors or malware may prevent IOCs from their operations from being detected with redirections, disabling security tools or changing the telemetry flow inside a target environment.'), 'T1562.006': ('Cybercriminals can block indicators and event traffic on compromised systems to avoid detection.'), 'T1606.001': ('APT29 has bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.'), 'T1606.001': ('UNC2452 bypassed MFA set on OWA accounts by generating a cookie value from a previously stolen secret key.'), 'T1606.001': ('Adversaries may forge web cookies that can be used to gain access to web applications or Internet services.'), 'T1606.001': ('Generating cookies for web apps often requires previously known or illicitly-acquired information but once created these spoofed web cookies.'), 'T1606.001': ('Some actors and malware may create fake web cookies to access additional resources.'), 'T1484.002': ('APT29 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.'), 'T1484.002': ('UNC2452 changed domain federation trust settings using Azure AD administrative permissions to configure the domain to accept authorization tokens signed by their own SAML signing certificate.'), 'T1484.002': ('Adversaries may add new domain trusts or modify the properties of existing domain trusts to evade defenses and/or elevate privileges.'), 'T1484.002': ('Manipulating the domain 
trusts may allow an adversary to escalate privileges and/or evade defenses by modifying settings to add objects which they control.'), 'T1484.002': ('Actors or malware can modify domain trust settings for the next phase of the attack, such as communicating to domains that may otherwise be unreachable.'), 'T1547.001': ('ADVSTORESHELL achieves persistence by adding itself to the HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Registry key.'), 'T1547.001': ('Agent Tesla can add itself to the Registry as a startup program to establish persistence.'), 'T1547.001': ('APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key.'), 'T1547.001': ('An APT19 HTTP malware variant establishes persistence by setting the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Windows Debug Tools-%LOCALAPPDATA%\.'), 'T1547.001': ('APT28 has deployed malware that has copied itself to the startup directory for persistence.'), 'T1547.001': ('APT29 added Registry Run keys to establish persistence.'), 'T1547.001': ('APT3 places scripts in the startup folder for persistence.'), 'T1547.001': ('APT32 established persistence using Registry Run keys, both to execute PowerShell and VBS scripts as well as to execute their backdoor directly.'), 'T1547.001': ('APT33 has deployed a tool known as DarkComet to the Startup folder of a victim and used Registry run keys to gain persistence.'), 'T1547.001': ('APT37 has added persistence via the Registry key HKCU\Software\Microsoft\CurrentVersion\Run.'), 'T1547.001': ('APT39 has maintained persistence using the startup folder.'), 'T1547.001': ('APT41 created and modified startup files for persistence. 
APT41 added a registry key in HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost to establish persistence for Cobalt Strike.'), 'T1547.001': ('Aria-body has established persistence via the Startup folder or Run Registry key.'), 'T1547.001': ('Astaroth creates a startup item for persistence.'), 'T1547.001': ('BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.'), 'T1547.001': ('Backdoor.Oldrea adds Registry Run keys to achieve persistence.'), 'T1547.001': ('BACKSPACE achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory.'), 'T1547.001': ('BADNEWS installs a registry Run key to establish persistence.'), 'T1547.001': ('BadPatch establishes a foothold by adding a link to the malware executable in the startup folder.'), 'T1547.001': ('Bazar can create or add files to Registry Run Keys to establish persistence.'), 'T1547.001': ('BBSRAT has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ssonsvr.exe.'), 'T1547.001': ('Bisonal adds itself to the Registry key HKEY_CURRENT_USER\Software\Microsoft\CurrentVersion\Run for persistence.'), 'T1547.001': ('BitPaymer has set the run key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.'), 'T1547.001': ('The BlackEnergy 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder.'), 'T1547.001': ('Briba creates run key Registry entries pointing to malicious DLLs dropped to disk.'), 'T1547.001': ('BRONZE BUTLER has used a batch script that adds a Registry Run key to establish malware persistence.'), 'T1547.001': ('build_downer has the ability to add itself to the Registry Run key for persistence.'), 'T1547.001': ('Carbanak stores a configuration file in the startup directory to automatically execute commands in order to persist 
across reboots.'), 'T1547.001': ('Carberp has maintained persistence by placing itself inside the current user startup folder.'), 'T1547.001': ('Cardinal RAT establishes Persistence by setting the HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\Load Registry key to point to its executable.'), 'T1547.001': ('ChChes establishes persistence by adding a Registry Run key.'), 'T1547.001': ('Cobalt Group has used Registry Run keys for persistence. The group has also set a Startup path to launch the PowerShell shell command and download Cobalt Strike.'), 'T1547.001': ('Cobian RAT creates an autostart Registry key to ensure persistence.'), 'T1547.001': ('Comnie achieves persistence by adding a shortcut of itself to the startup path in the Registry.'), 'T1547.001': ('CORESHELL has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder.'), 'T1547.001': ('One persistence mechanism used by CozyCar is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, HKCU\Software\Microsoft\Windows\CurrentVersion\Run, HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run, HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.'), 'T1547.001': ('CrossRAT uses run keys for persistence on Windows.'), 'T1547.001': ('Dark Caracal version of Bandook adds a registry key to HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run for persistence.'), 'T1547.001': ('DarkComet adds several Registry entries to enable automatic execution at every system startup.'), 'T1547.001': ('Darkhotel has been known to establish persistence by adding programs to the Run Registry key.'), 'T1547.001': ('DownPaper uses PowerShell to add a Registry Run key in order to establish persistence.'), 'T1547.001': ('Dragonfly 2.0 added the registry value ntdll to the 
Registry Run key to establish persistence.'), 'T1547.001': ('DustySky achieves persistence by creating a Registry entry in HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run.'), 'T1547.001': ('If establishing persistence by installation as a new service fails, one variant of Elise establishes persistence for the created .exe file by setting the following Registry key: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svchost : %APPDATA%\Microsoft\Network\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\imejp : self and HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IAStorD.'), 'T1547.001': ('Variants of Emissary have added Run Registry keys to establish persistence.'), 'T1547.001': ('Emotet has been observed adding the downloaded payload to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run key to maintain persistence.'), 'T1547.001': ('Empire can modify the registry run keys HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run for persistence.'), 'T1547.001': ('EvilBunny has created Registry keys for persistence in [HKLM|HKCU]\...\CurrentVersion\Run.'), 'T1547.001': ('EvilGrab adds a Registry Run key for ctfmon.exe to establish persistence.'), 'T1547.001': ('EVILNUM can achieve persistence through the Registry Run key.'), 'T1547.001': ('FatDuke has used HKLM\SOFTWARE\Microsoft\CurrentVersion\Run to establish persistence.'), 'T1547.001': ('FELIXROOT adds a shortcut file to the startup folder for persistence.'), 'T1547.001': ('FIN10 has established persistence by using the Registry option in PowerShell Empire to add a Run key.'), 'T1547.001': ('FIN6 has used Registry Run keys to establish persistence for its downloader tools known as HARDTACK and SHIPBREAD.'), 'T1547.001': ('FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.'), 'T1547.001': ('Final1stspy creates 
a Registry Run key to establish persistence.'), 'T1547.001': ('FinFisher establishes persistence by creating the Registry key HKCU\Software\Microsoft\Windows\Run.'), 'T1547.001': ('FLASHFLOOD achieves persistence by making an entry in the Registry Run key.'), 'T1547.001': ('Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.'), 'T1547.001': ('Gazer can establish persistence by creating a .lnk file in the Start menu.'), 'T1547.001': ('gh0st RAT has added a Registry Run key to establish persistence.'), 'T1547.001': ('Gold Dragon establishes persistence in the Startup folder.'), 'T1547.001': ('Gorgon Group malware can create a .lnk file and add a Registry Run key to establish persistence.'), 'T1547.001': ('Grandoreiro can use run keys and create link files in the startup folder for persistence.'), 'T1547.001': ('GRIFFON has used a persistence module that stores the implant inside the Registry, which executes at logon.'), 'T1547.001': ('GuLoader can establish persistence via the Registry under HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce.'), 'T1547.001': ('Hancitor has added Registry Run keys to establish persistence.'), 'T1547.001': ('Helminth establishes persistence by creating a shortcut in the Start Menu folder.'), 'T1547.001': ('Hi-Zor creates a Registry Run key to establish persistence.'), 'T1547.001': ('Higaisa added a spoofed binary to the start-up folder for persistence.'), 'T1547.001': ('Honeybee uses a batch file that configures the ComSysApp service to autostart in order to establish persistence.'), 'T1547.001': ('HTTPBrowser has established persistence by setting the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key value for wdm to the path of the executable. 
It has also used the Registry entry HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run vpdn "%ALLUSERPROFILE%\%APPDATA%\vpdn\VPDN_LU.exe" to establish persistence.'), 'T1547.001': ('IcedID has established persistence by creating a Registry run key.'), 'T1547.001': ('Inception has maintained persistence by modifying Registry run key value HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.'), 'T1547.001': ('Some InnaputRAT variants establish persistence by modifying the Registry key HKU\Software\Microsoft\Windows\CurrentVersion\Run:%appdata%\NeutralApp\NeutralApp.exe.'), 'T1547.001': ('InvisiMole can place a lnk file in the Startup Folder to achieve persistence.'), 'T1547.001': ('Ixeshe can achieve persistence by adding itself to the HKCU\Software\Microsoft\Windows\CurrentVersion\Run Registry key.'), 'T1547.001': ('JCry has created payloads in the Startup directory to maintain persistence.'), 'T1547.001': ('JHUHUGIT has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process.'), 'T1547.001': ('Kasidet creates a Registry Run key to establish persistence.'), 'T1547.001': ('Kazuar adds a sub-key under several Registry run keys.'), 'T1547.001': ('Several Ke3chang backdoors achieved persistence by adding a Run key.'), 'T1547.001': ('Kimsuky has placed scripts in the startup folder for persistence.'), 'T1547.001': ('A version of KONNI drops a Windows shortcut into the Startup folder to establish persistence.'), 'T1547.001': ('Lazarus Group malware attempts to maintain persistence by saving itself in the Start menu folder or by adding a Registry Run key.'), 'T1547.001': ('Leviathan has used JavaScript to create a shortcut file in the Startup folder that points to its main backdoor.'), 'T1547.001': ('LoJax has modified the Registry key ‘HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\BootExecute’ from ‘autocheck autochk’ to ‘autocheck autoche’'), 'T1218.005': ('APT32 has used mshta.exe for code execution.'), 
'T1218.005': ('BabyShark has used mshta.exe to download and execute applications from a remote server.'), 'T1218.005': ('FIN7 has used mshta.exe to execute VBScript to execute malicious code on victim systems.'), 'T1218.005': ('Inception has used malicious HTA files to drop and execute malware.'), 'T1218.005': ('Kimsuky has used mshta.exe to run malicious scripts on the system.'), 'T1218.005': ('Koadic can use MSHTA to serve additional payloads.'), 'T1218.005': ('Lazarus Group has used mshta.exe to run malicious scripts and download programs.'), 'T1218.005': ('Metamorfo has used mshta.exe to execute an HTA payload.'), 'T1218.005': ('MuddyWater has used mshta.exe to execute its POWERSTATS payload and to pass a PowerShell one-liner for execution.'), 'T1218.005': ('Mustang Panda has used mshta.exe to launch collection scripts.'), 'T1218.005': ('NanHaiShu uses mshta.exe to load its program and files.'), 'T1218.005': ('POWERSTATS can use Mshta.exe to execute additional payloads on compromised hosts.'), 'T1218.005': ('Revenge RAT uses mshta.exe to run malicious scripts on the system.'), 'T1218.005': ('Sibot has been executed via the MSHTA application.'), 'T1218.005': ('Sidewinder has used mshta.exe to execute malicious payloads.'), 'T1218.005': ('TA551 has used mshta.exe to execute malicious payloads.'), 'T1218.005': ('Xbash can use mshta for executing scripts.'), 'T1053.005': ('Agent Tesla has achieved persistence via scheduled tasks.'), 'T1053.005': ('Anchor can create a scheduled task for persistence.'), 'T1053.005': ('AppleJeus has created a scheduled SYSTEM task that runs when a user logs in.'), 'T1053.005': ('APT-C-36 has used a macro function to set scheduled tasks disguised as those used by Google.'), 'T1053.005': ('APT29 used scheduler and schtasks to create new tasks on remote hosts as part of lateral movement. 
They have manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. APT29 also created a scheduled task to maintain SUNSPOT persistence when the host booted during the 2020 SolarWinds intrusion. They previously used named and hijacked scheduled tasks to also establish persistence.'), 'T1053.005': ('An APT3 downloader creates persistence by creating the following scheduled task: schtasks /create /tn mysc /tr C:\Users\Public\test.exe /sc ONLOGON /ru System.'), 'T1053.005': ('APT32 has used scheduled tasks to persist on victim systems.'), 'T1053.005': ('APT33 has created a scheduled task to execute a .vbe file multiple times a day.'), 'T1053.005': ('APT39 has created scheduled tasks for persistence.'), 'T1053.005': ('APT41 used a compromised account to create a scheduled task on a system.'), 'T1053.005': ('Attor installer plugin can schedule a new task that loads the dispatcher on boot/logon.'), 'T1053.005': ('BabyShark has used scheduled tasks to maintain persistence.'), 'T1053.005': ('BackConfig has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.'), 'T1053.005': ('BADNEWS creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute.'), 'T1053.005': ('Bazar can create a scheduled task for persistence.'), 'T1053.005': ('Blue Mockingbird has used Windows Scheduled Tasks to establish persistence on local and remote hosts.'), 'T1053.005': ('BONDUPDATER persists using a scheduled task that executes every minute.'), 'T1053.005': ('BRONZE BUTLER has used schtasks to register a scheduled task to execute malware during lateral movement.'), 'T1053.005': ('Carbon creates several tasks for later execution to continue persistence on the victim machine.'), 'T1053.005': ('Chimera has used scheduled tasks to invoke Cobalt Strike, including through the batch script schtasks /create /ru SYSTEM /tn update /tr cmd /c 
c:\windows\temp\update.bat /sc once /f /st, and to maintain persistence.'), 'T1053.005': ('Cobalt Group has created Windows tasks to establish persistence.'), 'T1053.005': ('ComRAT has used a scheduled task to launch its PowerShell loader.'), 'T1053.005': ('CosmicDuke uses scheduled tasks typically named Watchmon Service for persistence.'), 'T1053.005': ('One persistence mechanism used by CozyCar is to register itself as a scheduled task.'), 'T1053.005': ('Crutch has the ability to persist using scheduled tasks.'), 'T1053.005': ('CSPY Downloader can use the schtasks utility to bypass UAC.'), 'T1053.005': ('Dragonfly 2.0 used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.'), 'T1053.005': ('Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.'), 'T1053.005': ('Dyre has the ability to achieve persistence by adding a new task in the task scheduler to run every minute.'), 'T1053.005': ('Emotet has maintained persistence through a scheduled task.'), 'T1053.005': ('Empire has modules to interact with the Windows task scheduler.'), 'T1053.005': ('EvilBunny has executed commands via scheduled tasks.'), 'T1053.005': ('FIN10 has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.'), 'T1053.005': ('FIN6 has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and FrameworkPOS.'), 'T1053.005': ('FIN7 malware has created scheduled tasks to establish persistence.'), 'T1053.005': ('FIN8 has used scheduled tasks to maintain RDP backdoors.'), 'T1053.005': ('Fox Kitten has used Scheduled Tasks for persistence and to load and execute a reverse 
proxy binary.'), 'T1053.005': ('Frankenstein has established persistence through a scheduled task using the command: /Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR, named WinUpdate.'), 'T1053.005': ('GALLIUM established persistence for PoisonIvy by creating a scheduled task.'), 'T1053.005': ('Gamaredon Group has created a scheduled task to launch an executable every 10 minutes.'), 'T1053.005': ('Gazer can establish persistence by creating a scheduled task.'), 'T1053.005': ('GoldMax has used scheduled tasks to maintain persistence.'), 'T1053.005': ('Goopy has the ability to maintain persistence by creating scheduled tasks set to run every hour.'), 'T1053.005': ('GravityRAT creates a scheduled task to ensure it is re-executed every day.'), 'T1053.005': ('GRIFFON has used schtasks for persistence.'), 'T1053.005': ('Helminth has used a scheduled task for persistence.'), 'T1053.005': ('Higaisa dropped and added officeupdate.exe to scheduled tasks.'), 'T1053.005': ('HotCroissant has attempted to install a scheduled task named Java Maintenance64 on startup to establish persistence.'), 'T1053.005': ('IcedID has created a scheduled task that executes every hour to establish persistence.'), 'T1053.005': ('InvisiMole has used scheduled tasks named MSST and Microsoft\Windows\Autochk\Scheduled to establish persistence.'), 'T1053.005': ('IronNetInjector has used a task XML file named mssch.xml to run an IronPython script when a user logs in or when specific system events are created.'), 'T1053.005': ('ISMInjector creates scheduled tasks to establish persistence.'), 'T1053.005': ('JHUHUGIT has registered itself as a scheduled task to run each time the current user logs in.'), 'T1053.005': ('Lucifer has established persistence by creating the following scheduled task: schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:\Users\%USERPROFILE%\Downloads\spread.exe /F.'), 'T1053.005': ('The different components of Machete are executed by Windows Task Scheduler.'), 'T1053.005': ('Machete has created scheduled 
tasks to maintain Machete persistence.'), 'T1053.005': ('Matryoshka can establish persistence by adding a Scheduled Task named Microsoft Boost Kernel Optimization.'), 'T1053.005': ('Maze has created scheduled tasks using name variants such as Windows Update Security, Windows Update Security Patches and Google Chrome Security Update to launch Maze at a specific time.'), 'T1053.005': ('MCMD can use scheduled tasks for persistence.'), 'T1053.005': ('menuPass has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.'), 'T1053.005': ('Molerats has created scheduled tasks to persistently run VBScripts.'), 'T1053.005': ('MuddyWater has used scheduled tasks to establish persistence.'), 'T1053.005': ('Mustang Panda has created a scheduled task to execute additional malicious software as well as maintain persistence.'), 'T1053.005': ('NETWIRE can create a scheduled task to establish persistence.'), 'T1053.005': ('NotPetya creates a task to reboot the system one hour after infection.'), 'T1053.005': ('OilRig has created scheduled tasks that run a VBScript to execute a payload on victim machines.'), 'T1053.005': ('Okrum installer can attempt to achieve persistence by creating a scheduled task.'), 'T1053.005': ('OopsIE creates a scheduled task to run itself every three minutes.'), 'T1053.005': ('Operation Wocao has used scheduled tasks to execute malicious PowerShell code on remote systems.'), 'T1053.005': ('A Patchwork file stealer can run a TaskScheduler DLL to add persistence.'), 'T1053.005': ('The PowerSploit New-UserPersistenceOption Persistence argument can be used to establish persistence via a Scheduled Task/Job.'), 'T1053.005': ('POWERSTATS has established persistence through a scheduled task using the command C:\Windows\system32\schtasks.exe /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe".'), 'T1053.005': ('POWRUNER persists through a scheduled task that executes it every minute.'), 'T1053.005': 
('Pteranodon schedules tasks to invoke its components in order to establish persistence.'), 'T1053.005': ('QUADAGENT creates a scheduled task to maintain persistence on the victim machine.'), 'T1053.005': ('QuasarRAT contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.'), 'T1053.005': ('Ramsay can schedule tasks via the Windows COM API to maintain persistence.'), 'T1053.005': ('Rancor launched a scheduled task to gain persistence using the schtasks /create /sc command.'), 'T1053.005': ('Remexi utilizes scheduled tasks as a persistence mechanism.'), 'T1053.005': ('RemoteCMD can execute commands remotely by creating a new scheduled task on the remote system.'), 'T1053.005': ('Revenge RAT schedules tasks to run malicious scripts at different intervals.'), 'T1053.005': ('RTM tries to add a scheduled task to establish persistence.'), 'T1053.005': ('Ryuk can remotely create a scheduled task to execute itself on a system.'), 'T1053.005': ('schtasks is used to schedule tasks on a Windows system to run at a specific date and time.'), 'T1053.005': ('ServHelper contains modules that will use schtasks to carry out malicious operations.'), 'T1053.005': ('Shamoon copies an executable payload to the target system by using SMB/Windows Admin Shares and then scheduling an unnamed task to execute the malware.'), 'T1053.005': ('SharpStage has a persistence component to write a scheduled task for the payload.'), 'T1053.005': ('Sibot has been executed via a scheduled task.'), 'T1053.005': ('Silence has used scheduled tasks to stage its operation.'), 'T1053.005': ('Smoke Loader launches a scheduled task.'), 'T1053.005': ('SoreFang can gain persistence through use of scheduled tasks.'), 'T1053.005': ('SQLRat has created scheduled tasks in %appdata%\Roaming\Microsoft\Templates.'), 'T1053.005': ('Stealth Falcon malware creates a scheduled task entitled IE Web Cache to execute a malicious file hourly.'), 'T1053.005': ('TEMP.Veles has used 
scheduled task XML triggers.'), 'T1053.005': ('TrickBot creates a scheduled task on the system that provides persistence.'), 'T1053.005': ('UNC2452 used scheduler and schtasks to create new tasks on remote hosts as part of lateral movement. They also manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. UNC2452 also created a scheduled task to maintain SUNSPOT persistence when the host booted.'), 'T1053.005': ('Valak has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.'), 'T1053.005': ('Wizard Spider has used scheduled tasks to establish persistence for TrickBot and other malware.'), 'T1053.005': ('yty establishes persistence by creating a scheduled task with the command SchTasks /Create /SC DAILY /TN BigData /TR " + path_file + " /ST 09:30.'), 'T1053.005': ('Zebrocy has a command to create a scheduled task for persistence.'), 'T1053.005': ('zwShell has used SchTasks for execution.'), 'T1003.003': ('Chimera has gathered the SYSTEM registry and ntds.dit files from target systems. Chimera specifically has used the NtdsAudit tool to dump the password hashes of domain users via cmsadcs.exe NTDS.dit -s SYSTEM -p RecordedTV_pdmp.txt --users-csv RecordedTV_users.csv, and used ntdsutil to copy the Active Directory database.'), 'T1003.003': ('CrackMapExec can dump hashed passwords associated with Active Directory using the Windows Directory Replication Services API (DRSUAPI) or Volume Shadow Copy.'), 'T1003.003': ('Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes. 
They also obtained ntds.dit from domain controllers.'), 'T1003.003': ('esentutl can use Volume Shadow Copy to copy locked files such as ntds.dit.'), 'T1003.003': ('FIN6 has used MetasploitPsExec NTDSGRAB module to obtain a copy of the victim Active Directory database.'), 'T1003.003': ('Fox Kitten has used Volume Shadow Copy to access credential information from NTDS.'), 'T1003.003': ('HAFNIUM has stolen copies of the Active Directory database (NTDS.DIT).'), 'T1003.003': ('SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information from NTDS.dit.'), 'T1003.003': ('Koadic can gather hashed passwords by gathering domain controller hashes from NTDS.'), 'T1003.003': ('menuPass has used Ntdsutil to dump credentials.'), 'T1003.003': ('Mustang Panda has used vssadmin to create a volume shadow copy and retrieve the NTDS.dit file. Mustang Panda has also used reg save on the SYSTEM file Registry location to help extract the NTDS.dit file.'), 'T1003.003': ('Wizard Spider has gained access to credentials via exported copies of the ntds.dit Active Directory database.'), 'T1218.007': ('AppleJeus has been installed via MSI installer.'), 'T1218.007': ('Duqu has used msiexec to execute malicious Windows Installer packages. 
Additionally a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages.'), 'T1218.007': ('Grandoreiro can use MSI files to execute DLLs.'), 'T1218.007': ('IcedID can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application.'), 'T1218.007': ('Javali has used the MSI installer to download and execute malicious payloads.'), 'T1218.007': ('LoudMiner used an MSI installer to install the virtualization software.'), 'T1218.007': ('Machete has used msiexec to install the Machete malware.'), 'T1218.007': ('Maze has delivered components for its ransomware attacks using MSI files some of which have been executed from the command-line using msiexec.'), 'T1218.007': ('Melcoz can use MSI files with embedded VBScript for execution.'), 'T1218.007': ('Metamorfo has used MsiExec.exe to automatically execute files.'), 'T1218.007': ('Molerats has used msiexec.exe to execute an MSI payload.'), 'T1218.007': ('Ragnar Locker has been delivered as an unsigned MSI package that was executed with msiexec.exe.'), 'T1218.007': ('Rancor has used msiexec to download and execute malicious installer files over HTTP.'), 'T1218.007': ('RemoteUtilities can use Msiexec to install a service.'), 'T1218.007': 'TA505 has used msiexec to download and execute malicious Windows Installer files.'), 'T1218.007': ('ZIRCONIUM has used the msiexec.exe command-line utility to download and execute malicious MSI files.'), 'T1036.003': ('APT32 has moved and renamed pubprn.vbs to a .txt file to avoid detection.'), 'T1036.003': 'The CozyCar dropper has masqueraded a copy of the infected system rundll32.exe executable that was moved to the malware install directory and renamed according to a predefined configuration file.'), 'T1036.003': ('GALLIUM used a renamed cmd.exe file to evade detection.'), 'T1036.003': ('menuPass has renamed certutil and moved it to a different location on the system to 
avoid detection based on use of the tool.'), 'T1036.003': ('Adversaries may rename legitimate system utilities to try to evade security mechanisms concerning the usage of those utilities.'), 'T1056.004': ('Carberp has hooked several Windows API functions during its Man in the Browser attack to steal credentials.'), 'T1056.004': ('Empire contains some modules that leverage API hooking to carry out tasks such as netripper.'), 'T1056.004': ('FinFisher hooks processes by modifying IAT pointers to CreateWindowEx.'), 'T1056.004': ('NOKKI uses the Windows call SetWindowsHookEx and begins injecting it into every GUI process running on the victim machine.'), 'T1056.004': ('PLATINUM is capable of using Windows hook interfaces for information gathering such as credential access.'), 'T1056.004': ('RDFSNIFFER hooks several Win32 API functions to hijack elements of the remote system management user-interface.'), 'T1056.004': 'TrickBot has the ability to capture RDP credentials by capturing the CredEnumerateA API'), 'T1056.004': ('Ursnif has hooked APIs to perform a wide variety of information theft such as monitoring traffic from browsers.'), 'T1056.004': ('Zebrocy installs an application-defined Windows hook to get notified when a network drive has been attached so it can then use the hook to call its RecordToFile file stealing method.'), 'T1056.004': ('Zeus Panda hooks processes by leveraging its own IAT hooked functions.'), 'T1056.004': ('ZxShell hooks several API functions to spawn system threads.'), 'T1546.012': ('SDBbot has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7.'), 'T1546.012': ('SUNBURST created an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe to trigger the installation of Cobalt Strike.'), 'T1546.012': 'TEMP.Veles has modified and added entries within HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows 
NTCurrentVersionImage File Execution Options to maintain persistence.'), 'T1546.012': ('Adversaries may establish persistence and or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.'), 'T1546.012': 'Threat actors can use the IFEO registry key for loading DLLs into running processes.'), 'T1546.011': ('FIN7 has used application shim databases for persistence.'), 'T1546.011': ('Pillowmint has used a malicious shim database to maintain persistence.'), 'T1546.011': ('SDBbot has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7 by creating a shim database to patch services.exe.'), 'T1546.011': ('ShimRat has installed shim databases in the AppPatch folder.'), 'T1546.011': ('Adversaries may establish persistence and or elevate privileges by executing malicious content triggered by application shims.'), 'T1546.010': ('APT39 has used malware to set LoadAppInit_DLLs in the Registry key SOFTWAREMicrosoftWindows NTCurrentVersionWindows in order to establish persistence.'), 'T1546.010': ('Some variants of Cherry Picker use AppInit_DLLs to achieve persistence by creating the following Registry key: HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindows NTCurrentVersionWindows AppInit_DLLs=pserver32.dll'), 'T1546.010': ('Ramsay can insert itself into the address space of other applications using the AppInit DLL Registry key.'), 'T1546.010': ('If a victim meets certain criteria T9000 uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL ResN32.dll. 
It does this by creating the following Registry keys: HKLMSoftwareMicrosoftWindows NTCurrentVersionWindowsAppInit_DLLs“ APPDATAIntelResN32.dll and HKLMSoftwareMicrosoftWindows NTCurrentVersionWindowsLoadAppInit_DLLs“ 0x1.'), 'T1546.010': ('Adversaries may establish persistence and or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.'), 'T1546.009': ('Honeybee service-based DLL implant can execute a downloaded file with parameters specified using CreateProcessAsUser.'), 'T1546.009': ('PUNCHBUGGY can establish using a AppCertDLLs Registry key.'), 'T1546.009': ('Adversaries may establish persistence and or elevate privileges by executing malicious content triggered by AppCert DLLs loaded into processes.'), 'T1546.009': 'Threat actors can use AppCertDLLs which are loaded by numerous processes during their first launch to force applications to load malicious code or execute malware.'), 'T1546.009': ('Malware can use AppCert dynamic link libraries (dylibs DLLs) to force application to load dylibs of their choosing every time an application is launched.'), 'T1055.012': ('Agent Tesla has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code.'), 'T1055.012': ('Astaroth can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code.'), 'T1055.012': ('Azorult can decrypt the payload into memory create a new suspended process of itself then inject a decrypted payload to the new process and resume new process execution.'), 'T1055.012': ('BADNEWS has a command to download an .exe and use process hollowing to inject it into a new process.'), 'T1055.012': ('Bandook has been launched by starting iexplore.exe and replacing it with Bandook payload.'), 'T1055.012': ('Bazar can inject into a target process including Svchost Explorer and cmd using process hollowing.'), 
'T1055.012': ('BBSRAT has been seen loaded into msiexec.exe through process hollowing to hide its execution.'), 'T1055.012': ('Cobalt Strike can use process hollowing for execution.'), 'T1055.012': ('Denis performed process hollowing through the API calls CreateRemoteThread ResumeThread and Wow64SetThreadContext.'), 'T1055.012': ('Dtrack has used process hollowing shellcode to target a predefined list of processes from SYSTEM32.'), 'T1055.012': ('Duqu is capable of loading executable code via process hollowing.'), 'T1055.012': ('Gorgon Group malware can use process hollowing to inject one of its trojans into another process.'), 'T1055.012': ('ISMInjector hollows out a newly created process RegASM.exe and injects its payload into the hollowed process.'), 'T1055.012': ('Lokibot has used process hollowing to inject into legitimate Windows process vbc.exe.'), 'T1055.012': ('menuPass has used process hollowing in iexplore.exe to load the RedLeaves implant.'), 'T1055.012': 'The NETWIRE payload has been injected into benign Microsoft executables via process hollowing.'), 'T1055.012': ('Some Orz versions have an embedded DLL known as MockDll that uses process hollowing and Regsvr32 to execute another payload.'), 'T1055.012': ('A Patchwork payload uses process hollowing to hide the UAC bypass vulnerability exploitation inside svchost.exe.'), 'T1055.012': ('Smoke Loader spawns a new copy of c:windowssyswow64explorer.exe and then replaces the executable code in memory with malware.'), 'T1055.012': ('A Threat Group-3390 tool can spawn svchost.exe and inject the payload into that process.'), 'T1055.012': 'TrickBot injects into the svchost.exe process.'), 'T1055.012': ('Ursnif has used process hollowing to inject into child processes.'), 'T1055.011': ('Epic has overwritten the function pointer in the extra window memory of Explorer Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process.'), 'T1055.011': ('Power Loader overwrites 
ExplorerShell_TrayWnd extra window memory to redirect execution to a NTDLL function that is abused to assemble and execute a return-oriented programming (ROP) chain and create a malicious thread within Explorer.exe.'), 'T1055.011': ('North Korean actors often inject arbitrary code into legitimate processes possibly through abusing the additional memory provided by EWM.'), 'T1055.011': 'The threat actor TEMP.Splinter employs the tactic of code injection via the Extra Window Memory to evade detection by security software.'), 'T1055.011': ('Chinese-nexus apt group APT27 often abuse EWM to inject code into a different process escalating the privileges of their malicious code to the privileges of the hijacked process.'), 'T1055.005': ('Ursnif has injected code into target processes via thread local storage callbacks.'), 'T1055.005': 'The MAZE ransomware can evade detection through the injection of code into different processes achieved via injecting the code into thread local storage callbacks.'), 'T1055.005': ('Diavol Ransomware can escalate it privileges through injecting code into a process through thread local storage.'), 'T1055.005': ('FIN13 often evades detection through granting their malware the ability to inject code into processes via thread local storage callbacks.'), 'T1055.005': ('Bazar Ransomware escalates it privileges via code injection through thread local storage.'), 'T1055.004': ('Attor performs the injection by attaching its code into the APC queue using NtQueueApcThread API.'), 'T1055.004': ('Carberp has queued an APC routine to explorer.exe by calling ZwQueueApcThread.'), 'T1055.004': ('IcedID has used ZwQueueApcThread to inject itself into remote processes.'), 'T1055.004': ('InvisiMole can inject its code into a trusted process via the APC queue.'), 'T1055.004': ('Pillowmint has used the NtQueueApcThread syscall to inject code into svchost.exe.'), 'T1055.004': 'TURNEDUP is capable of injecting code into the APC queue of a created Rundll32 process 
as part of an Early Bird injection.'), 'T1055.003': ('Gazer performs thread execution hijacking to inject its orchestrator into a running thread from a remote process.'), 'T1055.003': 'Trojan.Karagany can inject a suspended thread of its own process into a new process and initiate via the ResumeThread API.'), 'T1055.003': ('Waterbear can use thread injection to inject shellcode into the process of security software.'), 'T1055.003': ('A'),P'T13 often': ('mploys the technique of thread injection hijacking to execute malicious code.'), 'T1055.003': 'Through injecting its own process into another process thread malware is often able to bypass security controls.'), 'T1055.002': ('Carbanak downloads an executable and injects it directly into a new process.'), 'T1055.002': ('Gorgon Group malware can download a remote access tool ShiftyBug and inject into another process.'), 'T1055.002': ('GreyEnergy has a module to inject a PE binary into a remote process.'), 'T1055.002': ('InvisiMole can inject its backdoor as a portable executable into a target process.'), 'T1055.002': ('PowerSploit reflectively loads a Windows PE file into a process.'), 'T1055.002': ('Rocke miner TermsHost.exe evaded defenses by injecting itself into Windows processes including Notepad.exe.'), 'T1055.002': ('Zeus Panda checks processes on the system and if they meet the necessary requirements it injects into that process.'), 'T1055.001': ('Aria-body has the ability to inject itself into another process such as rundll32.exe and dllhost.exe.'), 'T1055.001': ('BlackEnergy injects its DLL component into svchost.exe.'), 'T1055.001': ('Carberp bootkit can inject a malicious DLL into the address space of running processes.'), 'T1055.001': ('Carbon has a command to inject code into a process.'), 'T1055.001': ('Cobalt Strike has the ability to load DLLs via reflective injection.'), 'T1055.001': ('ComRAT has injected its orchestrator DLL into explorer.exe. 
ComRAT has also injected its communications module into the victim default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process.'), 'T1055.001': ('Conti has loaded an encrypted DLL into memory and then executes it.'), 'T1055.001': ('Derusbi injects itself into the secure shell (SSH) process.'), 'T1055.001': ('Duqu will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host).'), 'T1055.001': ('Dyre injects into other processes to load modules.'), 'T1055.001': ('Elise injects DLL files into iexplore.exe.'), 'T1055.001': ('Emissary injects its DLL file into a newly spawned Internet Explorer process.'), 'T1055.001': ('Emotet has been observed injecting in to Explorer.exe and other processes.'), 'T1055.001': ('FinFisher injects itself into various processes depending on whether it is low integrity or high integrity.'), 'T1055.001': ('Get2 has the ability to inject DLLs into processes.'), 'T1055.001': ('HIDEDRV injects a DLL for Downdelph into the explorer.exe process.'), 'T1055.001': ('IronNetInjector has the ability to inject a DLL into running processes including the IronNetInjector DLL into explorer.exe.'), 'T1055.001': ('If running in a Windows environment Kazuar saves a DLL to disk that is injected into the explorer.exe process to execute the payload. 
Kazuar can also be configured to inject and execute within specific processes.'), 'T1055.001': ('Koadic can perform process injection by using a reflective DLL.'), 'T1055.001': ('A Lazarus Group malware sample performs reflective DLL injection.'), 'T1055.001': ('Matryoshka uses reflective DLL injection to inject the malicious library and execute the RAT.'), 'T1055.001': ('Maze has injected the malware DLL into a target process.'), 'T1055.001': ('MegaCortex loads injecthelper.dll into a newly created rundll32.exe process.'), 'T1055.001': ('Metamorfo has injected a malicious DLL into the Windows Media Player process (wmplayer.exe).'), 'T1055.001': 'The Netwalker DLL has been injected reflectively into the memory of a legitimate running process.'), 'T1055.001': ('PipeMon can inject its modules into various processes using reflective DLL loading.'), 'T1055.001': ('PoisonIvy can inject a malicious DLL into a process.'), 'T1055.001': ('PowerSploit contains a collection of CodeExecution modules that inject code (DLL shellcode) into a process.'), 'T1055.001': ('Pupy can migrate into another process using reflective DLL injection.'), 'T1055.001': ('An executable dropped onto victims by Putter Panda aims to inject the specified DLL into a process that would normally be accessing the network including Outlook Express (msinm.exe) Outlook (outlook.exe) Internet Explorer (iexplore.exe) and Firefox (firefox.exe).'), 'T1055.001': ('Ramsay can use ImprovedReflectiveDLLInjection to deploy components.'), 'T1055.001': ('After decrypting itself in memory RARSTONE downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. 
Thisdownloaded file is actually not dropped onto the system.'), 'T1055.001': ('RATANKBA performs a reflective DLL injection using a given pid.'), 'T1055.001': ('Remsec can perform DLL injection.'), 'T1055.001': ('SDBbot has the ability to inject a downloaded DLL into a newly created rundll32.exe process.'), 'T1055.001': ('ShadowPad has injected a DLL into svchost.exe.'), 'T1055.001': ('Socksbot creates a suspended svchost process and injects its DLL into it.'), 'T1055.001': ('Sykipot injects itself into running instances of outlook.exe iexplore.exe or firefox.exe.'), 'T1055.001': 'TA505 has been seen injecting a DLL into winword.exe.'), 'T1055.001': 'TajMahal has the ability to inject DLLs for malicious plugins into running processes.'), 'T1055.001': 'Tropic Trooper has injected a DLL backdoor into dllhost.exe and svchost.exe.'), 'T1055.001': 'Turla has used Metasploit to perform reflective DLL injection in order to escalate privileges.'), 'T1055.001': ('Wizard Spider has injected malicious DLLs into memory with read write and execute permissions.'), 'T1055.001': ('ZxShell is injected into a shared SVCHOST process.'), 'T1568.002': ('APT41 has used DGAs to change their C2 servers monthly.'), 'T1568.002': ('Aria-body has the ability to use a DGA for C2 communications.'), 'T1568.002': ('Astaroth has used a DGA in C2 communications.'), 'T1568.002': ('Bazar can implement DGA using the current date as a seed variable.'), 'T1568.002': ('BONDUPDATER uses a DGA to communicate with command and control servers.'), 'T1568.002': ('CCBkdr can use a DGA for Fallback Channels if communications with the primary command and control server are lost.'), 'T1568.002': ('CHOPSTICK can use a DGA for Fallback Channels domains are generated by concatenating words from lists.'), 'T1568.002': ('Doki has used the DynDNS service and a DGA based on the Dogecoin blockchain to generate C2 domains.'), 'T1568.002': ('Ebury has used a DGA to generate a domain name for C2.'), 'T1568.002': 
('Grandoreiro can use a DGA for hiding C2 addresses including use of an algorithm with a user-specific key that changes daily.'), 'T1568.002': ('MiniDuke can use DGA to generate new Twitter URLs for C2.'), 'T1568.002': ('Ngrok can provide DGA for C2 servers through the use of random URL strings that change every 12 hours.'), 'T1568.002': ('POSHSPY uses a DGA to derive command and control URLs from a word list.'), 'T1568.002': ('ShadowPad uses a DGA that is based on the day of the month for C2 servers.'), 'T1568.002': 'TA551 has used a DGA to generate URLs from executed macros.'), 'T1568.002': ('Ursnif has used a DGA to generate domain names for C2.'), 'T1546.015': ('Some variants of ADVSTORESHELL achieve persistence by registering the payload as a Shell Icon Overlay handler COM object.'), 'T1546.015': ('APT28 has used COM hijacking for persistence by replacing the legitimate MMDeviceEnumerator object with a payload.'), 'T1546.015': ('BBSRAT has been seen persisting via COM hijacking through replacement of the COM object for MruPidlList {42aedc87-2188-41fd-b9a3-0c966feabec1} or Microsoft WBEM New Event Subsystem {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} depending on the system CPU architecture.'), 'T1546.015': ('ComRAT samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location HKCUSoftwareClassesCLSID{42aedc87-2188-41fd-b9a3-0c966feabec1}InprocServer32.'), 'T1546.015': ('JHUHUGIT has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A}).'), 'T1546.015': ('KONNI has modified ComSysApp service to load the malicious DLL payload.'), 'T1546.015': ('Mosquito uses COM hijacking as a method of persistence.'), 'T1547.013': ('Fysbis has installed itself as an autostart entry under ~ .config autostart dbus-inotifier.desktop to establish persistence.'), 'T1547.013': 
('NETWIRE can use XDG Autostart Entries to establish persistence.'), 'T1547.013': ('Linux environments that rely upon XDG are vulnerable to malicious code execution upon startup.'), 'T1547.013': ('REvil often maintain persistence through code executed upon boot via exploitation of XDG.'), 'T1547.013': ('XDG autostart can allow for privilege escalation if malicious binaries exploit it autorun on boot capabilities.'), 'T1558.001': ('Empire can leverage its implementation of Mimikatz to obtain and use golden tickets.'), 'T1558.001': ('Ke3chang has used Mimikatz to generate Kerberos golden tickets.'), 'T1558.001': ('Mimikatz kerberos module can create golden tickets.'), 'T1558.001': ('Ransomware such as DarkSide often steal KRBTGT account passwords with the intent to forge golden Kerberos keys.'), 'T1558.001': ('APT groups can authenticate all of their activity via granting them Kerberos tickets from a stolen golden one.'), 'T1601.001': ('SYNful Knock is malware that is inserted into a network device by patching the operating system image.'), 'T1601.001': ('ESPecter can patch various windows functions to attribute to it malicious functionality.'), 'T1601.001': ('KEYHOLE PANDA can modify the OS to grant persistence.'), 'T1601.001': 'Through damaging the OS via scripts APT groups can bypass security mechanisms and achieve persistence.'), 'T1601.001': ('Magecart can modify the image of it host system to obfuscate their malicious activity.'), 'T1601.002': ('Conti ransomware can downgrade vulnerable drivers to older versions exploiting previously patched vulnerabilities.'), 'T1601.002': ('Network devices can be downgraded to previous versions through techniques implemented by APT20.'), 'T1601.002': ('DarkSide ransomware can bypass detection through installing an older version of a network device and exploiting it now vulnerable state.'), 'T1601.002': ('ESPecter can install OS drivers of an older version rendering them vulnerable to exploitation.'), 'T1601.002': ('Care 
should be taken to maintain devices as if they are unprotected malware can install older versions to exploit.'), 'T1059.008': ('A'),P'T17 can a': ('se the CLI on network devices to execute arbitrary malicious code.'), 'T1059.008': ('MAZE ransomware can achieve persistence through scripts executed via a network device CLI.'), 'T1059.008': ('A'),P'T14 can a': ('uire permissions of an administrator on many network devices and abuse the privileges that come with that permission when executing their own scripts.'), 'T1059.008': ('Network devices should be secured as their CLI can access data that can be exploited by APT groups.'), 'T1059.008': ('Malware can escalate privileges through abusing network device CLI administrator credentials.'), 'T1542.005': ('Malware can abuse netbooting to achieve persistence.'), 'T1542.005': ('Pre OS boot operations may be hijacked by ransomware such as BazarLoader to obfuscate persistence mechanisms.'), 'T1542.005': ('Some variant CobaltStrike modules can abuse netbooting operations to execute malicious code.'), 'T1542.005': ('Ransomware once installed can abuse pre OS boot operations to mask their presence on a system.'), 'T1542.005': ('APT groups will abuse insecure netbooting functionality to grant their malware persistence.'), 'T1020.001': ('Maze can mirror traffic to obfuscate data exfiltration.'), 'T1020.001': 'Threat actor PROMETHIUM can hide their data exfiltration through abusing functionality of some network analysis tools to duplicate network traffic.'), 'T1020.001': ('CyberGate RAT masks it C2 communication within mirrored traffic.'), 'T1020.001': ('RedLine Stealer will exfiltrate data hidden within legitimate traffic.'), 'T1020.001': 'The TEMP.Isotope campaign featured many instances of malware mirroring legitimate traffic to obfuscate malicious activity.'), 'T1542.004': ('DarkSide ransomware will obfuscate it activity via code injected into ROMMON.'), 'T1542.004': ('Malware can load firmware with malicious code into ROMMON 
to obfuscate activity.'), 'T1542.004': ('Specific CobaltStrike modules can achieve persistence via code injection into ROMMON.'), 'T1542.004': ('Malware with ROMMONkits can maintain persistence or obfuscate malicious activity.'), 'T1542.004': ('APT24 abuses ROM monitoring functionality to obfuscate their activity.'), 'T1602.001': ('SNMP can dump configuration data that malware can abuse if it proves to be vulnerable.'), 'T1602.001': ('Conti ransomware can determine vulnerabilities within configured security mechanisms by dumping the contents of a MIB database.'), 'T1602.001': ('CobaltStrike modules can utilize SNMP to determine vulnerable configurations for later exploitation.'), 'T1602.001': ('APT22 employs the technique of dumping the MIB database to learn about the vulnerabilities and strengths of a target during the Reconnaissance phase of an attack.'), 'T1602.001': ('Caution should be taken to secure configuration management systems as they can become a single point of failure for attackers to learn about a target system.'), 'T1602.002': ('User credentials should be stored securely on network devices so that adversaries cannot claim plaintext passwords and usernames if they are compromised.'), 'T1602.002': ('A'),P'T13 can a': ('ess offline storage of network devices to enumerate user credentials.'), 'T1602.002': ('BazarLoader can dump configuration details from active memory of a network device and can then examine them for vulnerabilities.'), 'T1602.002': ('Host enumeration can occur if networks don t secure their memory as neighbour details are stored in active memory.'), 'T1602.002': ('Malware can dump the contents of non volatile memory to identify misconfigurations to exploit.'), 'T1600.002': ('CozyBear can disable network device encryption therefore exploiting weaker software encryption.'), 'T1600.002': ('Malware often has capabilities to bypass device encryption as software encryption is often weaker and easier to exploit.'), 'T1600.002': ('Adversaries 
such as Magecart will often skim data that is only encrypted by software after having disabled the device encryption.'), 'T1600.002': ('Data exfiltration can be made easier if hardware device encryption is disabled as it is often more difficult to bypass than software encryption.'), 'T1600.002': ('CronRAT can exfiltrate data that was encrypted by a hardware device after disabling said encryption.'), 'T1600.001': ('APT27 employs the technique of weakening encryption strength to ease data extraction.'), 'T1600.001': ('Ransomware such as MAZE can reduce the number of cipher keys utilised in encryption aiding in data access and exfiltration.'), 'T1600.001': 'Threat actors can gain access to communications through weakening the cipher strength often through the reduction of key space.'), 'T1600.001': ('Interception of data over communication can occur if ciphers are broken or weakened.'), 'T1600.001': ('Malware can reduce key space to ease the breaking of ciphers which could grant access to data or aid in exfiltration.'), 'T1218.002': ('InvisiMole can register itself for execution and persistence via the Control Panel.'), 'T1218.002': ('Reaver drops and executes a malicious CPL file as its payload.'), 'T1218.002': ('Adversaries may abuse control.exe to proxy execution of malicious payloads.'), 'T1218.002': ('Some actors will use items in the control panel on Windows operating systems to execute malware.'), 'T1218.002': ('CPL files can be used to execute malicious code to bypass defenses.'), 'T1090.003': ('APT28 has routed traffic over Tor and VPN servers to obfuscate their activities.'), 'T1090.003': ('A backdoor used by APT29 created a Tor hidden service to forward traffic from the Tor client to local ports 3389 (RDP) 139 (Netbios) and 445 (SMB) enabling full remote access from outside the network.'), 'T1090.003': ('Attor has used Tor for C2 communication.'), 'T1090.003': ('Dok downloads and installs Tor via homebrew.'), 'T1090.003': ('FIN4 has used Tor to log in to 
victims email accounts.'), 'T1090.003': ('GreyEnergy has used Tor relays for Command and Control servers.'), 'T1090.003': ('Inception used chains of compromised routers to proxy C2 communications between them and cloud service providers.'), 'T1090.003': ('Keydnap uses a copy of tor2web proxy for HTTPS communications.'), 'T1090.003': ('MacSpy uses Tor for command and control.'), 'T1090.003': ('Operation Wocao has executed commands through the installed web shell via Tor exit nodes.'), 'T1090.003': ('StrongPity can use multiple layers of proxy servers to hide terminal nodes in its infrastructure.'), 'T1090.003': 'Traffic traversing the Tor network will be forwarded to multiple nodes before exiting the Tor network and continuing on to its intended destination.'), 'T1090.003': ('Ursnif has used Tor for C2.'), 'T1090.003': ('WannaCry uses Tor for command and control traffic.'), 'T1071.003': ('Agent Tesla has used SMTP for C2 communications.'), 'T1071.003': ('APT28 used SMTP as a communication channel in various implants initially using self-registered Google Mail accounts and later compromised email servers of its victims.'), 'T1071.003': ('APT32 has used email for C2 via an Office macro.'), 'T1071.003': ('BadPatch uses SMTP for C2.'), 'T1071.003': ('Cannon uses SMTP S and POP3 S for C2 communications by sending and receiving emails.'), 'T1071.003': ('Various implementations of CHOPSTICK communicate with C2 over SMTP and POP3.'), 'T1071.003': ('ComRAT can use email attachments for command and control.'), 'T1071.003': ('CORESHELL can communicate over SMTP and POP3 for C2.'), 'T1071.003': ('Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.'), 'T1071.003': ('JPIN can send email over SMTP.'), 'T1071.003': ('Kimsuky has used e-mail to send exfiltrated data to C2 servers.'), 'T1071.003': ('LightNeuron uses SMTP for C2.'), 'T1071.003': ('NavRAT uses the email platform Naver for C2 communications leveraging SMTP.'), 'T1071.003': 
('OLDBAIT can use SMTP for C2.'), 'T1071.003': ('RDAT can use email attachments for C2 communications.'), 'T1071.003': ('Remsec is capable of using SMTP for C2.'), 'T1071.003': ('SilverTerrier uses SMTP for C2 communications.'), 'T1071.003': ('Turla has used multiple backdoors which communicate with a C2 server via email attachments.'), 'T1071.003': ('Zebrocy uses SMTP and POP3 for C2.'), 'T1071.004': ('Variants of Anchor can use DNS tunneling to communicate with C2.'), 'T1071.004': ('APT18 uses DNS for C2 communications.'), 'T1071.004': ('APT39 has used remote access tools that leverage DNS in communications with C2.'), 'T1071.004': ('APT41 used DNS for C2 communications.'), 'T1071.004': ('BONDUPDATER can use DNS and TXT records within its DNS tunneling protocol for command and control.'), 'T1071.004': ('Chimera has used Cobalt Strike to encapsulate C2 in DNS traffic.'), 'T1071.004': ('Cobalt Group has used DNS tunneling for C2.'), 'T1071.004': ('Cobalt Strike can use a custom command and control protocol that can be encapsulated in DNS. 
All protocols use their standard assigned ports.'), 'T1071.004': ('Cobian RAT uses DNS for C2.'), 'T1071.004': ('Denis has used DNS tunneling for C2 communications.'), 'T1071.004': ('Ebury has used DNS requests over UDP port 53 for C2.'), 'T1071.004': ('FIN7 has performed C2 using DNS via A, OPT and TXT records.'), 'T1071.004': ('Goopy has the ability to communicate with its C2 over DNS.'), 'T1071.004': ('Helminth can use DNS for C2.'), 'T1071.004': ('HTTPBrowser has used DNS for command and control.'), 'T1071.004': ('InvisiMole has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies.'), 'T1071.004': ('Ke3chang malware RoyalDNS has used DNS for C2.'), 'T1071.004': ('Matryoshka uses DNS for C2.'), 'T1071.004': ('NanHaiShu uses DNS for the C2 communications.'), 'T1071.004': ('OilRig has used DNS for C2.'), 'T1071.004': ('Pisloader uses DNS as its C2 protocol.'), 'T1071.004': ('PlugX can be configured to use DNS for command and control.'), 'T1071.004': ('POWERSOURCE uses DNS TXT records for C2.'), 'T1071.004': ('POWRUNER can use DNS for C2 communications.'), 'T1071.004': ('QUADAGENT uses DNS for C2 communications.'), 'T1071.004': ('RDAT has used DNS to communicate with the C2.'), 'T1071.004': ('Remsec is capable of using DNS for C2.'), 'T1071.004': ('ShadowPad has used DNS tunneling for C2 communications.'), 'T1071.004': ('SOUNDBITE communicates via DNS for C2.'), 'T1071.004': ('SUNBURST used DNS for C2 traffic designed to mimic normal SolarWinds API communications.'), 'T1071.004': ('TEXTMATE uses DNS TXT records for C2.'), 'T1071.004': ('Tropic Trooper backdoor has communicated to the C2 over the DNS protocol.'), 'T1071.004': ('WellMess has the ability to use DNS tunneling for C2 communications.'), 'T1599.001': ('Adversaries may bridge network boundaries by modifying the Network Address Translation (NAT) configuration of a network device.'), 'T1599.001': ('Malicious modifications to NAT may enable an adversary to bypass 
restrictions on traffic routing that otherwise separate trusted and untrusted networks.'), 'T1599.001': ('Actors may modify a target network by adding a bridge to gain access to other infrastructure that is normally protected.'), 'T1599.001': ('Malware may try to gain access to sensitive information on other systems by adding a network bridge.'), 'T1599.001': ('Cybercriminals can manipulate NATs by adding network bridges to bypass network boundaries.'), 'T1056.001': ('ADVSTORESHELL can perform keylogging.'), 'T1056.001': ('Agent Tesla can log keystrokes on the victim machine.'), 'T1056.001': ('Ajax Security Team has used CWoolger and MPK, custom-developed malware which recorded all keystrokes on an infected system.'), 'T1056.001': ('APT28 has used tools to perform keylogging.'), 'T1056.001': ('APT3 has used a keylogging tool that records keystrokes in encrypted files.'), 'T1056.001': ('APT32 has abused the PasswordChangeNotify to monitor for and capture account password changes.'), 'T1056.001': ('APT38 used a Trojan called KEYLIME to capture keystrokes from the victim machine.'), 'T1056.001': ('APT39 has used tools for capturing keystrokes.'), 'T1056.001': ('APT41 used a keylogger called GEARSHIFT on a target system.'), 'T1056.001': ('Astaroth logs keystrokes from the victim machine.'), 'T1056.001': ('One of the Attor plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process.'), 'T1056.001': ('BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.'), 'T1056.001': ('When it first starts, BADNEWS spawns a new thread to log keystrokes.'), 'T1056.001': ('BadPatch has a keylogging capability.'), 'T1056.001': ('Bandook contains keylogging capabilities.'), 'T1056.001': ('BISCUIT can capture keystrokes.'), 'T1056.001': ('BlackEnergy has run a keylogger plug-in on a victim.'), 'T1056.001': ('Cadelspy has the ability to log keystrokes on the 
compromised host.'), 'T1056.001': ('Carbanak logs key strokes for configured processes and sends them back to the C2 server.'), 'T1056.001': ('Cardinal RAT can log keystrokes.'), 'T1056.001': ('Catchamas collects keystrokes from the victim machine.'), 'T1056.001': ('CHOPSTICK is capable of performing keylogging.'), 'T1056.001': ('Cobalt Strike can track key presses with a keylogger module.'), 'T1056.001': ('Cobian RAT has a feature to perform keylogging on the victim machine.'), 'T1056.001': ('CosmicDuke uses a keylogger.'), 'T1056.001': ('DarkComet has a keylogging capability.'), 'T1056.001': ('Darkhotel has used a keylogger.'), 'T1056.001': ('Daserf can log keystrokes.'), 'T1056.001': ('Derusbi is capable of logging keystrokes.'), 'T1056.001': ('DOGCALL is capable of logging keystrokes.'), 'T1056.001': ('The Dtrack dropper contains a keylogging executable.'), 'T1056.001': ('Duqu can track key presses with a keylogger module.'), 'T1056.001': ('DustySky contains a keylogger.'), 'T1056.001': ('ECCENTRICBANDWAGON can capture and store keystrokes.'), 'T1056.001': ('Empire includes keylogging capabilities for Windows, Linux and macOS systems.'), 'T1056.001': ('EvilGrab has the capability to capture keystrokes.'), 'T1056.001': ('Explosive has leveraged its keylogging capabilities to gain access to administrator accounts on target servers.'), 'T1056.001': ('FakeM contains a keylogger module.'), 'T1056.001': ('FIN4 has captured credentials via fake Outlook Web App (OWA) login pages and has also used a .NET based keylogger.'), 'T1056.001': ('Fysbis can perform keylogging.'), 'T1056.001': ('gh0st RAT has a keylogger.'), 'T1056.001': ('Grandoreiro can log keystrokes on the victim machine.'), 'T1056.001': ('GreyEnergy has a module to harvest pressed keystrokes.'), 'T1056.001': ('Malware used by Group5 is capable of capturing keystrokes.'), 'T1056.001': ('The executable version of Helminth has a module to log keystrokes.'), 'T1056.001': ('HTTPBrowser is capable of capturing keystrokes 
on victims.'), 'T1056.001': ('Imminent Monitor has a keylogging module.'), 'T1056.001': ('InvisiMole can capture keystrokes on a compromised host.'), 'T1056.001': ('JPIN contains a custom keylogger.'), 'T1056.001': ('jRAT has the capability to log keystrokes from the victim machine, both offline and online.'), 'T1056.001': ('Kasidet has the ability to initiate keylogging.'), 'T1056.001': ('Ke3chang has used keyloggers.'), 'T1056.001': ('KeyBoy installs a keylogger for intercepting credentials and keystrokes.'), 'T1056.001': ('KGH_SPY can perform keylogging by polling the GetAsyncKeyState() function.'), 'T1056.001': ('Kimsuky has used a PowerShell-based keylogger.'), 'T1056.001': ('Kivars has the ability to initiate keylogging on the infected host.'), 'T1056.001': ('KONNI has the capability to perform keylogging.'), 'T1056.001': ('Lazarus Group malware KiloAlfa contains keylogging functionality.'), 'T1056.001': ('Lokibot has the ability to capture input on the compromised host via keylogging.'), 'T1056.001': ('Machete logs keystrokes from the victim machine.'), 'T1056.001': ('MacSpy captures keystrokes.'), 'T1056.001': ('Magic Hound malware is capable of keylogging.'), 'T1056.001': ('Matryoshka is capable of keylogging.'), 'T1056.001': ('menuPass has used key loggers to steal usernames and passwords.'), 'T1056.001': ('Metamorfo has a command to launch a keylogger on the victim machine.'), 'T1056.001': ('Micropsia has keylogging capabilities.'), 'T1056.001': ('MoonWind has a keylogger.'), 'T1056.001': ('NanoCore can perform keylogging on the victim machine.'), 'T1056.001': ('NavRAT logs the keystrokes on the targeted system.'), 'T1056.001': ('NetTraveler contains a keylogger.'), 'T1056.001': ('NETWIRE can perform keylogging.'), 'T1056.001': ('njRAT is capable of logging keystrokes.'), 'T1056.001': ('OilRig has used keylogging tools called KEYPUNCH and LONGWATCH.'), 'T1056.001': ('Okrum was seen using a keylogger tool to capture keystrokes.'), 'T1056.001': ('Operation 
Wocao has obtained the password for the victim password manager via a custom keylogger.'), 'T1056.001': ('OwaAuth captures and DES-encrypts credentials before writing the username and password to a log file, C:\log.txt.'), 'T1056.001': ('PLATINUM has used several different keyloggers.'), 'T1056.001': ('PlugX has a module for capturing keystrokes per process, including window titles.'), 'T1056.001': ('PoetRAT has used a Python tool named klog.exe for keylogging.'), 'T1056.001': ('PoisonIvy contains a keylogger.'), 'T1056.001': ('PoshC2 has modules for keystroke logging and capturing credentials from spoofed Outlook authentication messages.'), 'T1056.001': ('The PowerSploit Get-Keystrokes Exfiltration module can log keystrokes.'), 'T1056.001': ('Prikormka contains a keylogger module that collects keystrokes and the titles of foreground windows.'), 'T1056.001': ('Proton uses a keylogger to capture keystrokes.'), 'T1056.001': ('Pupy uses a keylogger to capture keystrokes, which it then sends back to the server after it is stopped.'), 'T1056.001': ('QuasarRAT has a built-in keylogger.'), 'T1056.001': ('Regin contains a keylogger.'), 'T1056.001': ('Remcos has a command for keylogging.'), 'T1056.001': ('Remexi gathers and exfiltrates keystrokes from the machine.'), 'T1056.001': ('Remsec contains a keylogger component.'), 'T1056.001': ('Revenge RAT has a plugin for keylogging.'), 'T1056.001': ('ROKRAT uses a keylogger to capture keystrokes and the location of where the user is typing.'), 'T1056.001': ('Rover has keylogging functionality.'), 'T1056.001': ('RTM can record keystrokes from both the keyboard and virtual keyboard.'), 'T1056.001': ('RunningRAT captures keystrokes and sends them back to the C2 server.'), 'T1056.001': ('Sandworm Team has used a keylogger to capture keystrokes by using the SetWindowsHookEx function.'), 'T1056.001': ('SLOTHFULMEDIA has a keylogging capability.'), 'T1056.001': ('Sowbug has used keylogging tools.'), 'T1056.001': ('SslMM creates a new thread implementing 
a keylogging facility using Windows Keyboard Accelerators.'), 'T1056.001': ('Stolen Pencil has a tool to log keystrokes to %userprofile%\appdata\roaming\apach.{txt,log}.'), 'T1056.001': ('Sykipot contains keylogging functionality to steal passwords.'), 'T1056.001': ('TajMahal has the ability to capture keystrokes on an infected host.'), 'T1056.001': ('ThiefQuest uses the CGEventTap functions to perform keylogging.'), 'T1056.001': ('Threat Group-3390 actors installed a credential logger on Microsoft Exchange servers. Threat Group-3390 also leveraged the reconnaissance framework ScanBox to capture keystrokes.'), 'T1056.001': ('TinyZBot contains keylogger functionality.'), 'T1056.001': ('Trojan.Karagany can capture keystrokes on a compromised host.'), 'T1056.001': ('Unknown Logger is capable of recording keystrokes.'), 'T1056.001': ('VERMIN collects keystrokes from the victim machine.'), 'T1056.001': ('XAgentOSX contains keylogging functionality that will monitor for active application windows and write them to the log; it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure.'), 'T1056.001': ('yty uses a keylogger plugin to gather keystrokes.'), 'T1056.001': ('Zeus Panda can perform keylogging on the victim machine by hooking the functions TranslateMessage and WM_KEYDOWN.'), 'T1056.001': ('ZxShell has a feature to capture keystrokes from a remote computer using a keylogger.'), 'T1205.001': ('PROMETHIUM has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports.'), 'T1205.001': ('Threat actor TEMP.Veles abuses port knocking for C2 communication and data exfiltration.'), 'T1205.001': ('Port knocking can obfuscate malicious activity and assist in evasion from defence mechanisms, a common technique of APT28.'), 'T1205.001': ('The Cryptcat backdoor utilises port knocking to hide its C2 communications.'), 'T1205.001': ('Ryuk 
ransomware utilises a series of obscure connections to indicate when a C2 channel should be opened.'), 'T1558.004': ('APT13 devotes malware to cracking Kerberos accounts who have disabled authentication to bypass authentication.'), 'T1558.004': ('Kerberos accounts should always maintain strong password protection, as these accounts can be used by adversaries to bypass authentication if they are compromised.'), 'T1558.004': ('Conti ransomware attacks weak Kerberos accounts, spraying passwords until it obtains access.'), 'T1558.004': ('Some CobaltStrike beacons can attack weak passwords, allowing access to full Kerberos authentication if the password is not secure.'), 'T1558.004': ('Pioneer Kitten often exploit Kerberos for tickets after compromising a weak account and utilising its privileges and access.'), 'T1558.003': ('APT29 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names to crack offline.'), 'T1558.003': ('Empire uses PowerSploit Invoke-Kerberoast to request service tickets and return crackable ticket hashes.'), 'T1558.003': ('Impacket modules like GetUserSPNs can be used to get Service Principal Names (SPNs) for user accounts. 
The output is formatted to be compatible with cracking tools like John the Ripper and Hashcat.'), 'T1558.003': ('Operation Wocao has used the PowerSploit Invoke-Kerberoast module to request encrypted service tickets and bruteforce the passwords of Windows service accounts offline.'), 'T1558.003': ('The PowerSploit Invoke-Kerberoast module can request service tickets and return crackable ticket hashes.'), 'T1558.003': ('UNC2452 obtained Ticket Granting Service (TGS) tickets for Active Directory Service Principal Names to crack offline.'), 'T1558.003': ('Wizard Spider has used Rubeus, the MimiKatz Kerberos module and the Invoke-Kerberoast cmdlet to steal AES hashes.'), 'T1566.003': ('Ajax Security Team has used various social media channels to spearphish victims.'), 'T1566.003': ('Dark Caracal spearphished victims via Facebook and WhatsApp.'), 'T1566.003': ('FIN6 has used fake job advertisements sent via LinkedIn to spearphish targets.'), 'T1566.003': ('Lazarus Group has used fake job advertisements sent via LinkedIn to spearphish victims.'), 'T1566.003': ('Magic Hound used various social media channels to spearphish victims.'), 'T1566.003': ('OilRig has used LinkedIn to send spearphishing links.'), 'T1566.003': ('Windshift has used fake personas on social media to engage and target victims.'), 'T1070.003': ('APT41 attempted to remove evidence of some of its activity by deleting Bash histories.'), 'T1070.003': ('Hildegard has used history -c to clear script shell logs.'), 'T1070.003': ('WastedLocker ransomware possesses functionality to delete CLI command history with the aim of avoiding detection for as long a time as possible.'), 'T1070.003': ('FIN11 will remove indicators of their intrusion on machines, such as deleting the command line history.'), 'T1070.003': ('Lazarus Group often delete their command history to prolong the duration of their unobserved activity.'), 'T1053.006': ('Threat actors such as Golden Chickens schedule malicious activity to reoccur on target machines, often 
through the use of systemd timers.'), 'T1053.006': ('Cryptocurrency miners will abuse the systemd timers to regularly schedule the activation of the clipper.'), 'T1053.006': ('Middle Eastern threat actors embed malicious macros within Office 365 documents that can exploit systemd for repeated execution.'), 'T1053.006': ('CobaltStrike possesses the ability to communicate via ssh with the systemctl to schedule repeated tasks.'), 'T1053.006': ('FIN6 often abuses systemd to exfiltrate data at a specific time each day.'), 'T1547.012': ('The PipeMon installer has modified the Registry key HKLM\SYSTEM\CurrentControlSet\Control\Print\Environments\Windows x64\Print Processors to install PipeMon as a Print Processor.'), 'T1547.012': ('The Ghostwriter campaign featured malware that could modify the kernel to initiate malicious code execution on boot.'), 'T1547.012': ('Warzone RAT often injects an LKM that auto-executes code upon startup.'), 'T1547.012': ('Malware such as POWERHOSE can repeatedly execute arbitrary code upon boot via kernel modification.'), 'T1547.012': ('CozyBear will often modify a machine kernel to allow for automatic code execution upon startup.'), 'T1543.002': ('Exaramel for Linux has a hardcoded location under systemd that it uses to achieve persistence if it is running as root.'), 'T1543.002': ('Fysbis has established persistence using a systemd service.'), 'T1543.002': ('Hildegard has started a monero service.'), 'T1543.002': ('Pupy can be used to establish persistence using a systemd service.'), 'T1543.002': ('Rocke has installed a systemd service script to maintain persistence.'), 'T1564.007': ('WastedLocker ransomware can inject malicious VBA scripts into MS Office documents for obfuscation.'), 'T1564.007': ('ChamelGang utilizes VBA stomping to hide malicious payloads.'), 'T1564.007': ('CozyBear often employs the tactic of obscuring VBA payloads within benign data.'), 'T1564.007': ('MS Office can be used to hide malicious VBA code by replacing source code with 
legitimate data.'), 'T1564.007': ('UNC215 will obfuscate their malicious payloads within MS Office documents.'), 'T1542.003': ('APT28 has deployed a bootkit along with Downdelph to ensure its persistence on the victim. The bootkit shares code with some variants of BlackEnergy.'), 'T1542.003': ('APT41 deployed Master Boot Record bootkits on Windows systems to hide their malware and maintain persistence on victim systems.'), 'T1542.003': ('BOOTRASH is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence.'), 'T1542.003': ('Carberp has installed a bootkit on the system to maintain persistence.'), 'T1542.003': ('Some FinFisher variants incorporate an MBR rootkit.'), 'T1542.003': ('Lazarus Group malware WhiskeyAlfa-Three modifies sector 0 of the Master Boot Record (MBR) to ensure that the malware will persist even if a victim machine shuts down.'), 'T1542.003': ('ROCKBOOT is a Master Boot Record (MBR) bootkit that uses the MBR to establish persistence.'), 'T1542.003': ('TrickBot can implant malicious code into a compromised device firmware.'), 'T1574.009': ('Empire contains modules that can discover and exploit unquoted path vulnerabilities.'), 'T1574.009': ('PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit unquoted path vulnerabilities.'), 'T1574.009': ('UNC2215 abuse path calls that are unquoted to execute their malware at a higher level in the file path than the legitimate one.'), 'T1574.009': ('REvil ransomware will execute its payloads through placing them high up the file path of unprotected file calls from programs.'), 'T1574.009': ('Care should be taken to always place quotation marks around file path calls to prevent malware from abusing this lack of security to execute malicious code.'), 'T1574.008': ('Empire contains modules that can discover and exploit search order hijacking vulnerabilities.'), 'T1574.008': ('PowerSploit contains a collection of Privesc-PowerUp modules that can discover and 
exploit search order hijacking vulnerabilities.'), 'T1574.008': ('Pakdoor can replace legitimate file paths with its own malicious file paths.'), 'T1574.008': ('ChamelGang will often install malware and then execute it by hijacking the filepath searches of other programs.'), 'T1574.008': ('Earth Centaur can escalate the privileges of their malware via the hijacking of the path calls of other higher privileged programs.'), 'T1027.001': ('APT32 includes garbage code to mislead anti-malware software and researchers.'), 'T1027.001': ('BRONZE BUTLER downloader code has included 0 characters at the end of the file to inflate the file size in a likely attempt to evade anti-virus detection.'), 'T1027.001': ('Comnie appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk.'), 'T1027.001': ('CORESHELL contains unused machine instructions in a likely attempt to hinder analysis.'), 'T1027.001': ('A variant of Emissary appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan.'), 'T1027.001': ('FatDuke has been packed with junk code and strings.'), 'T1027.001': ('FinFisher contains junk code in its functions in an effort to confuse disassembly programs.'), 'T1027.001': ('Gamaredon Group has obfuscated .NET executables by inserting junk code.'), 'T1027.001': ('Goopy has had null characters padded in its malicious DLL payload.'), 'T1027.001': ('Grandoreiro has added BMP images to the resources section of its Portable Executable (PE) file, increasing each binary to at least 300MB in size.'), 'T1027.001': ('Higaisa performed padding with null bytes before calculating its hash.'), 'T1027.001': ('Javali can use large obfuscated libraries to hinder detection and analysis.'), 'T1027.001': ('Before writing to disk, Kwampirs inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections.'), 
'T1027.001': ('Leviathan has inserted garbage characters into code, presumably to avoid anti-virus detection.'), 'T1027.001': ('Maze has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process.'), 'T1027.001': ('Moafee has been known to employ binary padding.'), 'T1027.001': ('Mustang Panda has used junk code within their DLL files to hinder analysis.'), 'T1027.001': ('Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.'), 'T1027.001': ('POWERSTATS has used useless code blocks to counter analysis.'), 'T1027.001': ('Rifdoor has added four additional bytes of data upon launching, then saved the changed version as C:\ProgramData\Initech\Initech.exe.'), 'T1027.001': ('SamSam has used garbage code to pad some of its malware components.'), 'T1027.001': ('TAINTEDSCRIBE can execute FileRecvWriteRand to append random bytes to the end of a file received from C2.'), 'T1027.001': ('A version of XTunnel introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products.'), 'T1027.001': ('yty contains junk code in its binary, likely to confuse malware analysts.'), 'T1027.001': ('ZeroT has obfuscated DLLs and functions using dummy API calls inserted between real instructions.'), 'T1078.002': ('APT29 has used valid accounts, including administrator accounts, to help facilitate lateral movement on compromised networks.'), 'T1078.002': ('APT3 leverages valid accounts after gaining credentials for use within the victim domain.'), 'T1078.002': ('Chimera has used compromised domain accounts to gain access to the target environment.'), 'T1078.002': ('Cobalt Strike can use known credentials to run commands and spawn processes as a domain user account.'), 'T1078.002': ('Indrik Spider has collected credentials from infected systems, including domain accounts.'), 
'T1078.002': ('Operation Wocao has used domain credentials, including domain admin, for lateral movement and privilege escalation.'), 'T1078.002': ('Ryuk can use stolen domain admin accounts to move laterally within a victim domain.'), 'T1078.002': ('Sandworm Team has used stolen credentials to access administrative accounts within the domain.'), 'T1078.002': ('If Shamoon cannot access shares using current privileges, it attempts access using hard coded domain-specific credentials gathered earlier in the intrusion.'), 'T1078.002': ('TA505 has used stolen domain admin accounts to compromise additional hosts.'), 'T1078.002': ('Threat Group-1314 actors used compromised domain credentials for the victim endpoint management platform, Altiris, to move laterally.'), 'T1078.002': ('Wizard Spider has used administrative accounts, including Domain Admin, to move laterally within a victim network.'), 'T1505.003': ('APT32 has used Web shells to maintain access to victim websites.'), 'T1505.003': ('APT39 has installed ANTAK and ASPXSPY web shells.'), 'T1505.003': ('ASPXSpy is a Web shell. 
The ASPXTool version used by Threat Group-3390 has been deployed to accessible servers running Internet Information Services (IIS).'), 'T1505.003': ('The China Chopper server component is a Web Shell payload.'), 'T1505.003': ('Deep Panda uses Web shells on publicly accessible Web servers to access victim networks.'), 'T1505.003': ('Dragonfly 2.0 commonly created Web shells on publicly accessible victim email and web servers, which they used to maintain access to a victim network and download additional malicious files.'), 'T1505.003': ('Fox Kitten has installed web shells on compromised hosts to maintain access.'), 'T1505.003': ('GALLIUM used Web shells to persist in victim environments and assist in execution and exfiltration.'), 'T1505.003': ('HAFNIUM has deployed multiple web shells on compromised servers, including SIMPLESEESHARP, SPORTSBALL, China Chopper and ASPXSpy.'), 'T1505.003': ('Kimsuky has used modified versions of open source PHP web shells to maintain access, often adding Dinosaur references within the code.'), 'T1505.003': ('Leviathan relies on web shells for an initial foothold as well as persistence into the victim systems.'), 'T1505.003': ('OilRig has used web shells, often to maintain access to a victim network.'), 'T1505.003': ('Operation Wocao has used their own web shells, as well as those previously placed on target systems by other threat actors, for reconnaissance and lateral movement.'), 'T1505.003': ('OwaAuth is a Web shell that appears to be exclusively used by Threat Group-3390. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the China Chopper Web shell.'), 'T1505.003': ('P.A.S. Webshell can gain remote access and execution on target web servers.'), 'T1505.003': ('Sandworm Team has used webshells including P.A.S. 
Webshell to maintain access to victim networks.'), 'T1505.003': ('SEASHARPEE is a Web shell.'), 'T1505.003': ('SUPERNOVA is a Web shell.'), 'T1505.003': ('TEMP.Veles has planted Web shells on Outlook Exchange servers.'), 'T1505.003': ('Threat Group-3390 has used a variety of Web shells.'), 'T1505.003': ('Tropic Trooper has started a web service in the target host and waits for the adversary to connect, acting as a web shell.'), 'T1505.003': ('Volatile Cedar can inject web shell code into a server.'), 'T1090.004': ('APT29 has used the meek domain fronting plugin for Tor to hide the destination of C2 traffic.'), 'T1090.004': ('meek uses Domain Fronting to disguise the destination of network traffic as another server that is hosted in the same Content Delivery Network (CDN) as the intended destination.'), 'T1090.004': ('The Prometei botnet will utilise domain fronting to hide its C2 infrastructure and its compromised bots.'), 'T1090.004': ('APT29 often inserts multiple domains from the same CDN inside the SNI field to obfuscate the real C2 domain.'), 'T1090.004': ('Evilnum utilises scripts that facilitate a proxy connection, sometimes involving domain fronting.'), 'T1027.003': ('ABK can extract a malicious Portable Executable (PE) from a photo.'), 'T1027.003': ('APT37 uses steganography to send images to users that are embedded with shellcode.'), 'T1027.003': ('Avenger can extract backdoor malware from downloaded images.'), 'T1027.003': ('BBK can extract a malicious Portable Executable (PE) from a photo.'), 'T1027.003': ('BRONZE BUTLER has used steganography in multiple operations to conceal malicious payloads.'), 'T1027.003': ('build_downer can extract malware from a downloaded JPEG.'), 'T1027.003': ('IcedID has embedded binaries within RC4 encrypted .png files.'), 'T1027.003': ('MuddyWater has stored obfuscated JavaScript code in an image file named temp.jpg.'), 'T1027.003': ('The Okrum payload is encrypted and embedded within its loader or within a legitimate PNG file.'), 
'T1027.003': ('PolyglotDuke can use steganography to hide C2 information in images.'), 'T1027.003': ('PowerDuke uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA).'), 'T1027.003': ('Raindrop used steganography to locate the start of its encoded payload within legitimate 7-Zip code.'), 'T1027.003': ('Ramsay has PE data embedded within JPEG files contained within Word documents.'), 'T1027.003': ('RDAT can also embed data within a BMP image prior to exfiltration.'), 'T1027.003': ('RegDuke can hide data in images, including use of the Least Significant Bit (LSB).'), 'T1027.003': ('TA551 has hidden encoded data for malware DLLs in a PNG.'), 'T1027.003': ('Tropic Trooper has used JPG files with encrypted payloads to mask their backdoor routines and evade detection.'), 'T1574.010': ('One variant of BlackEnergy locates existing driver services that have been disabled and drops its driver component into one of those service paths, replacing the legitimate executable. 
The malware then sets the hijacked service to start automatically to establish persistence.'), 'T1574.010': ('Threat actors will often hijack execution for malicious code execution through exploiting weakly protected service binaries.'), 'T1574.010': ('The Sidewalk backdoor can escalate its privileges by hijacking the execution flow of services that possess privileges above it.'), 'T1574.010': ('Hive ransomware can abuse improperly set permissions of some services to perform privilege escalation.'), 'T1574.010': ('UNC215 will exploit poorly protected service binaries to execute their installed malware.'), 'T1574.011': ('APT31 executes their own malicious payloads through hijacking registry services that have misconfigured permissions.'), 'T1574.011': ('REvil abuses PowerShell to modify HKLM\SYSTEM\CurrentControlSet\Services to allow for the execution of their own malicious payloads.'), 'T1574.011': ('APT31 abuses registry keys related to services to point to and execute malicious scripts installed on a machine.'), 'T1574.011': ('UNC215 abuses registry related services to redirect the service desired executable to a malicious one.'), 'T1574.011': ('Dridex will modify a Windows registry to allow associated services to execute malware.'), 'T1574.007': ('Empire contains modules that can discover and exploit path interception opportunities in the PATH environment variable.'), 'T1574.007': ('PowerSploit contains a collection of Privesc-PowerUp modules that can discover and exploit path interception opportunities in the PATH environment variable.'), 'T1574.007': ('Grief ransomware utilises malware that inserts malicious payloads to be executed with the environment variable PATH list of directories.'), 'T1574.007': ('Certain CobaltStrike payloads will abuse the PATH variable to allow for malicious execution of files.'), 'T1574.007': ('The APT Naikon will abuse the Windows PATH variable to sequentially execute inserted malware.'), 'T1499.001': ('The Lucifer cryptojacker can 
overwhelm the self imposed limits of resources of an OS when mining for cryptocurrency.'), 'T1499.001': ('Quantum Stresser could perform DDoS as a service through the targets of an OS resources forcing the machine to slow down and lock up.'), 'T1499.001': ('BlackNurse would target OS of victim machines and overwhelm their capacity to handle the demands placed upon it.'), 'T1499.001': ('GoBotKR can initiate a variety of DDoS attacks including ones that target the finite resources of a system.'), 'T1499.001': ('Ransomware will often begin to damage the OS ability to manage resources to coerce victims into paying the ransom.'), 'T1543.003': ('Anchor can establish persistence by creating a service.'), 'T1543.003': ('AppleJeus can install itself as a service.'), 'T1543.003': ('An A'),P'T19 Port ': (' malware variant registers itself as a service.'), 'T1543.003': ('APT3 has a tool that creates a new service for persistence.'), 'T1543.003': ('APT32 modified Windows Services to ensure PowerShell scripts were loaded on the system. APT32 also creates a Windows service to establish persistence.'), 'T1543.003': ('APT41 modified legitimate Windows services to install malware backdoors. 
APT41 created the StorSyncSvc service to provide persistence for Cobalt Strike.'), 'T1543.003': ('Attor dispatcher can establish persistence by registering a new service.'), 'T1543.003': ('AuditCred is installed as a new service on the system.'), 'T1543.003': ('Bankshot can terminate a specific process by its process id.'), 'T1543.003': ('BBSRAT can modify service configurations.'), 'T1543.003': ('BitPaymer has attempted to install itself as a service to maintain persistence.'), 'T1543.003': ('One variant of BlackEnergy creates a new service using either a hard-coded or randomly generated name.'), 'T1543.003': ('Blue Mockingbird has made their XMRIG payloads persistent as a Windows Service.'), 'T1543.003': ('Briba installs a service pointing to a malicious DLL dropped to disk.'), 'T1543.003': ('Carbanak malware installs itself as a service to provide persistence and SYSTEM privileges.'), 'T1543.003': ('Carbon establishes persistence by creating a service and naming it based off the operating system version running on the current machine.'), 'T1543.003': ('Catchamas adds a new service named NetAdapter to establish persistence.'), 'T1543.003': ('Cobalt Group has created new services to establish persistence.'), 'T1543.003': ('Cobalt Strike can install a new service.'), 'T1543.003': ('CosmicDuke uses Windows services typically named javamtsup for persistence.'), 'T1543.003': ('One persistence mechanism used by CozyCar is to register itself as a Windows service.'), 'T1543.003': ('DarkVishnya created new services for shellcode loaders distribution.'), 'T1543.003': ('Dtrack can add a service called WBService to establish persistence.'), 'T1543.003': ('Duqu creates a new service that loads a malicious driver when the system starts. 
When Duqu is active the operating system believes that the driver is legitimate as it has been signed with a valid private key.'), 'T1543.003': ('Dyre registers itself as a service by adding several Registry keys.'), 'T1543.003': ('Elise configures itself as a service.'), 'T1543.003': ('Emissary is capable of configuring itself as a service.'), 'T1543.003': ('Emotet has been observed creating new services to maintain persistence.'), 'T1543.003': ('Empire can utilize built-in modules to modify service binaries and restore them to their original state.'), 'T1543.003': 'The Exaramel for Windows dropper creates and starts a Windows service named wsmprovav with the descriptionWindows Check AV.'), 'T1543.003': ('FALLCHILL has been installed as a Windows service.'), 'T1543.003': ('FIN7 created new Windows services and added them to the startup directories for persistence.'), 'T1543.003': ('FinFisher creates a new Windows service with the malicious executable for persistence.'), 'T1543.003': ('gh0st RAT can create a new service to establish persistence.'), 'T1543.003': ('GoldenSpy has established persistence by running in the background as an autostart service.'), 'T1543.003': ('GreyEnergy chooses a service drops a DLL file and writes it to that serviceDLL Registry key.'), 'T1543.003': ('hcdLoader installs itself as a service for persistence.'), 'T1543.003': ('Honeybee has batch files that modify the system service COMSysApp to load a malicious DLL.'), 'T1543.003': ('Hydraq creates new services to establish persistence.'), 'T1543.003': ('Some InnaputRAT variants create a new Windows service to establish persistence.'), 'T1543.003': ('InvisiMole can register a Windows service named CsPower as part of its execution chain and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence.'), 'T1543.003': ('JHUHUGIT has registered itself as a service to establish persistence.'), 'T1543.003': ('Kazuar can install itself as a new service.'), 'T1543.003': 
('Ke3chang backdoor RoyalDNS established persistence through adding a service called Nwsapagent.'), 'T1543.003': ('KeyBoy installs a service pointing to a malicious DLL dropped to disk.'), 'T1543.003': ('Kimsuky has created new services for persistence.'), 'T1543.003': ('Kwampirs creates a new service named WmiApSrvEx to establish persistence.'), 'T1543.003': ('Several Lazarus Group malware families install themselves as new services on victims.'), 'T1543.003': ('LoudMiner can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file.'), 'T1543.003': ('MoonWind installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not it will spawn a new instance.'), 'T1543.003': ('Naid creates a new service to establish.'), 'T1543.003': ('Nerex creates a Registry subkey that registers a new service.'), 'T1543.003': ('Nidiran can create a new service named msamger (Microsoft Security Accounts Manager).'), 'T1543.003': 'To establish persistence Okrum can install itself as a new service named NtmSsvc.'), 'T1543.003': ('PipeMon can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts.'), 'T1543.003': ('PlugX can be added as a service to establish persistence. PlugX also has a module to change service configurations as well as start control and delete services.'), 'T1543.003': ('PoisonIvy creates a Registry subkey that registers a new service. 
PoisonIvy also creates a Registry entry modifying the Logical Disk Manager service to point to a malicious DLL dropped to disk.'), 'T1543.003': ('PowerSploit contains a collection of Privesc-PowerUp modules that can discover and replace modify service binaries paths and configs.'), 'T1543.003': ('PROMETHIUM has created new services and modified existing services for persistence.'), 'T1543.003': ('Ragnar Locker has used sc.exe to create a new service for the VirtualBox driver.'), 'T1543.003': ('RawPOS installs itself as a service to maintain persistence.'), 'T1543.003': ('RDAT has created a service when it is installed on the victim machine.'), 'T1543.003': ('Reaver installs itself as a new service.'), 'T1543.003': ('Some Sakula samples install themselves as services for persistence by calling WinExec with the net start argument.'), 'T1543.003': ('Seasalt is capable of installing itself as a service.'), 'T1543.003': ('Shamoon creates a new service namedntssrv to execute the payload. Newer versions create the MaintenaceSrv and hdv_725x services.'), 'T1543.003': ('ShimRat has installed a Windows service to maintain persistence on victim machines.'), 'T1543.003': ('SLOTHFULMEDIA has created a service on victim machines named TaskFrame to establish persistence.'), 'T1543.003': ('StreamEx establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start.'), 'T1543.003': ('StrongPity has created new services and modified existing services for persistence.'), 'T1543.003': ('If running as administrator TDTESS installs itself as a new service named bmwappushservice to establish persistence.'), 'T1543.003': 'TEARDROP ran as a Windows service from the c:windowssyswow64 folder.'), 'T1543.003': ('A Threat Group-3390 tool can create a new service naming it after the config information to gain persistence.'), 'T1543.003': 'TinyZBot can install as a Windows service for persistence.'), 'T1543.003': 'TrickBot establishes persistence by 
creating an autostart service that allows it to run whenever the machine boots.'), 'T1543.003': 'Tropic Trooper has installed a service pointing to a malicious DLL dropped to disk.'), 'T1543.003': 'TYPEFRAME variants can add malicious DLL modules as new services.TYPEFRAME can also delete services from the victimmachine.'), 'T1543.003': ('Ursnif has registered itself as a system service in the Registry for automatic execution at system startup.'), 'T1543.003': ('Volgmer installs a copy of itself in a randomly selected service then overwrites the ServiceDLL entry in the service Registry entry. Some Volgmer variants also install .dll files as services with names generated by a list of hard-coded strings.'), 'T1543.003': ('WannaCry creates the service mssecsvc2.0 with the display name Microsoft Security Center (2.0) Service.'), 'T1543.003': ('Wiarp creates a backdoor through which remote attackers can create a service.'), 'T1543.003': ('Wingbird uses services.exe to register a new autostart service named Audit Service using a copy of the local lsass.exe file.'), 'T1543.003': ('Winnti for Windows sets its DLL file as a new service in the Registry to establish persistence.'), 'T1543.003': ('Wizard Spider has installed TrickBot as a service named ControlServiceA in order to establish persistence.'), 'T1543.003': ('ZeroT can add a new service to ensure PlugX persists on the system when delivered as another payload onto the system.'), 'T1543.003': ('ZLib creates Registry keys to allow itself to run as various services.'), 'T1543.003': ('zwShell has established persistence by adding itself as a new service.'), 'T1543.003': ('ZxShell can create a new service using the service parser function ProcessScCommand. 
'), 'T1543.004': ('AppleJeus has placed a plist file within the LaunchDaemons folder and launched it manually.'), 'T1543.004': ('Bundlore can persist via a LaunchDaemon.'), 'T1543.004': ('Dacls can establish persistence via a Launch Daemon.'), 'T1543.004': ('LoudMiner added plist files in Library LaunchDaemons with RunAtLoad set to true.'), 'T1543.004': ('OSX_OCEANLOTUS.D can create a persistence file in the folder Library LaunchDaemons.'), 'T1543.004': ('When running with root privileges after a Launch Agent is installed ThiefQuest installs a plist file to the Library LaunchDaemons folder with the RunAtLoad key set to true establishing persistence as a Launch Daemon.'), 'T1110.002': ('APT3 has been known to brute force password hashes to be able to leverage plain text credentials.'), 'T1110.002': ('APT41 performed password brute-force attacks on the local admin account.'), 'T1110.002': ('Dragonfly 2.0 dropped and executed tools used for password cracking including Hydra and CrackMapExec.'), 'T1110.002': ('FIN6 has extracted password hashes from ntds.dit to crack offline.'), 'T1110.002': ('Net Crawler uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network.'), 'T1222.001': ('BitPaymer can use icacls reset and takeown F to reset a targeted executable permissions and then take ownership.'), 'T1222.001': ('Grandoreiro can modify the binary ACL to prevent security tools from running.'), 'T1222.001': ('JPIN can use the command-line utility cacls.exe to change file permissions.'), 'T1222.001': ('Ryuk can launch icacls grant Everyone:F T C Q to delete every access-based restrictions on files and directories.'), 'T1222.001': ('WannaCry uses attrib +h and icacls . 
grant Everyone:F T C Q to make some of its files hidden and grant all users full access controls.'), 'T1222.001': ('Wizard Spider has used the icacls command to modify access control to backup servers providing them with full control of all the system folders.'), 'T1071.002': ('APT41 used exploit payloads that initiate download via FTP.'), 'T1071.002': ('Attor has used FTP protocol for C2 communication.'), 'T1071.002': ('CARROTBALL has the ability to use FTP in C2 communications.'), 'T1071.002': ('Honeybee uses FTP for command and control.'), 'T1071.002': ('JPIN can communicate over FTP.'), 'T1071.002': ('Kazuar uses FTP and FTPS to communicate with the C2 server.'), 'T1071.002': ('Kimsuky has used FTP to download additional malware to the target machine.'), 'T1071.002': ('Machete uses FTP for Command & Control.'), 'T1071.002': ('NOKKI has used FTP for C2 communications.'), 'T1071.002': ('PoetRAT has used FTP for C2 communications.'), 'T1071.002': ('ShadowPad has used FTP for C2 communications.'), 'T1071.002': ('SilverTerrier uses FTP for C2 communications.'), 'T1071.002': ('SYSCON has the ability to use FTP in C2 communications.'), 'T1071.002': ('XAgentOSX contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system.'), 'T1071.002': ('ZxShell has used FTP for C2 connections.'), 'T1218.012': ('Hancitor has used verclsid.exe to download and execute a malicious script.'), 'T1218.012': ('Adversaries may abuse verclsid.exe to execute malicious COM payloads'), 'T1218.012': ('Using verclsid.exe attacker bypassed application control policies to execute malicious payload.'), 'T1218.012': ('Malware loads malicious COM payload inside Internet Explorer using verclsid.exe'), 'T1218.012': ('Using verclsid.exe to register malicious extension inside cmd.exe'), 'T1059.005': ('APT-C-36 has embedded a VBScript within a malicious Word document which is executed upon the document opening.'), 'T1059.005': ('APT32 has used macros COM 
scriptlets and VBS scripts.'), 'T1059.005': ('APT33 has used VBScript to initiate the delivery of payloads.'), 'T1059.005': ('APT37 executes shellcode and a VBA script to decode Base64 strings.'), 'T1059.005': ('APT39 has utilized malicious VBS scripts in malware.'), 'T1059.005': ('Astaroth has used malicious VBS e-mail attachments for execution.'), 'T1059.005': ('BackConfig has used VBS to install its downloader component and malicious documents with VBA macro code.'), 'T1059.005': ('Bisonal dropper creates VBS scripts on the victimmachine.'), 'T1059.005': ('BRONZE BUTLER has used VBS and VBE scripts for execution.'), 'T1059.005': ('Cobalt Group has sent Word OLE compound documents with malicious obfuscated VBA macros that will run upon user execution.'), 'T1059.005': ('Cobalt Strike can use VBA to perform execution.'), 'T1059.005': ('Comnie executes VBS scripts.'), 'T1059.005': ('Emotet has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads.'), 'T1059.005': ('Exaramel for Windows has a command to execute VBS scripts on the victimmachine.'), 'T1059.005': ('FIN4 has used VBA macros to display a dialog box and collect victim credentials.'), 'T1059.005': ('FIN7 used VBS scripts to help perform tasks on the victim machine.'), 'T1059.005': ('Frankenstein has used Word documents that prompts the victim to enable macros and run a Visual Basic script.'), 'T1059.005': ('Gamaredon Group has embedded malicious macros in document templates which executed VBScript. 
Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.'), 'T1059.005': ('Goopy has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2.'), 'T1059.005': ('Gorgon Group has used macros in Spearphishing Attachments as well as executed VBScripts on victim machines.'), 'T1059.005': ('Grandoreiro can use VBScript to execute malicious code.'), 'T1059.005': ('One version of Helminth consists of VBScript scripts.'), 'T1059.005': ('Higaisa has used VBScript code on the victim machine.'), 'T1059.005': ('Honeybee embeds a Visual Basic script within a malicious Word document as part of initial access; the script is executed when the Word document is opened.'), 'T1059.005': ('IcedID has used obfuscated VBA string expressions.'), 'T1059.005': ('Inception has used VBScript to execute malicious commands and payloads.'), 'T1059.005': ('Javali has used embedded VBScript to download malicious payloads from C2.'), 'T1059.005': ('JCry has used VBS scripts.'), 'T1059.005': ('jRAT has been distributed as HTA files with VBScript.'), 'T1059.005': ('KeyBoy uses VBS scripts for installing files and performing execution.'), 'T1059.005': ('Kimsuky has used Visual Basic to download malicious payloads.'), 'T1059.005': ('Koadic performs most of its operations using Windows Script Host (VBScript) and runs arbitrary shellcode .'), 'T1059.005': ('Lazarus Group has used VBScript to gather information about a victim machine.'), 'T1059.005': ('Leviathan has used VBScript.'), 'T1059.005': ('LookBack has used VBA macros in Microsoft Word attachments to drop additional files to the host.'), 'T1059.005': ('Machete has embedded malicious macros within spearphishing attachments to download additional files.'), 'T1059.005': ('Magic Hound malware has used VBS scripts for execution.'), 'T1059.005': ('Melcoz can use VBS scripts to execute malicious DLLs.'), 'T1059.005': ('Metamorfo has used VBS code on victims systems.'), 'T1059.005': ('Molerats used 
various implants including those built with VBScript on target machines.'), 'T1059.005': ('MuddyWater has used VBScript files to execute its POWERSTATS payload as well as macros.'), 'T1059.005': ('Mustang Panda has embedded VBScript components in LNK files to download additional files and automate collection.'), 'T1059.005': ('NanHaiShu executes additional VBScript code on the victim machine.'), 'T1059.005': ('NanoCore uses VBS files.'), 'T1059.005': ('NETWIRE has been executed through use of VBScripts.'), 'T1059.005': ('OopsIE creates and uses a VBScript as part of its persistent execution.'), 'T1059.005': ('Operation Wocao has used a VBScript to conduct reconnaissance on targeted systems.'), 'T1059.005': ('OSX_OCEANLOTUS.D uses Word macros for execution.'), 'T1059.005': ('Patchwork used Visual Basic Scripts (VBS) on victim machines.'), 'T1059.005': ('PoetRAT has used Word documents with VBScripts to execute malicious activities.'), 'T1059.005': ('PowerShower has the ability to save and execute VBScript.'), 'T1059.005': ('POWERSTATS can use VBScript (VBE) code for execution.'), 'T1059.005': ('QUADAGENT uses VBScripts.'), 'T1059.005': ('Ramsay has included embedded Visual Basic scripts in malicious documents.'), 'T1059.005': ('Rancor has used VBS scripts as well as embedded macros for execution.'), 'T1059.005': ('Remexi uses AutoIt and VBS scripts throughout its execution process.'), 'T1059.005': ('REvil has used obfuscated VBA macros for execution.'), 'T1059.005': ('Sandworm Team has created VBScripts to run an SSH server.'), 'T1059.005': ('Sharpshooter first-stage downloader was a VBA macro.'), 'T1059.005': ('Sibot executes commands using VBScript.'), 'T1059.005': ('Sidewinder has used VBScript to drop and execute malware loaders.'), 'T1059.005': ('Silence has used VBS scripts.'), 'T1059.005': ('Smoke Loader adds a Visual Basic script in the Startup folder to deploy the payload.'), 'T1059.005': ('StoneDrill has several VBS scripts used throughout the malware 
lifecycle.'), 'T1059.005': ('SUNBURST used VBScripts to initiate the execution of payloads.'), 'T1059.005': 'TA459 has a VBScript for execution.'), 'T1059.005': 'TA505 has used VBS for code execution.'), 'T1059.005': 'Turla has used VBS scripts throughout its operations.'), 'T1059.005': 'TYPEFRAME has used a malicious Word document for delivery with VBA macros for execution.'), 'T1059.005': ('Ursnif droppers have used VBA macros to download and execute the malware full executable payload.'), 'T1059.005': ('VBShower has the ability to execute VBScript files.'), 'T1059.005': ('Windshift has used Visual Basic 6 (VB6) payloads.'), 'T1059.005': ('WIRTE has used VBS scripts throughout its operation.'), 'T1059.005': ('Xbash can execute malicious VBScript payloads on the victimmachine.'), 'T1059.005': ('archive contains malicious BornSlippy VBScript (VBS) files that attempt to write a DLL file to disk and execute it using rundll32.exe'), 'T1059.005': ('WMIEXEC is a lightweight backdoor written in VBScript that uses WMI to execute shell commands or create a reverse shell on a remote system'), 'T1059.005': ('RATDispenser malware decodes itself and launches a stand-alone VBScript which then installs a remote access Trojan on the infected device'), 'T1059.002': ('Bundlore can use AppleScript to inject malicious JavaScript into a browser.'), 'T1059.002': ('Dok uses AppleScript to create a login item for persistence.'), 'T1059.002': 'ThiefQuest uses AppleScript osascript -e command to launch ThiefQuest persistence via Launch Agent and Launch Daemon.'), 'T1059.002': ('Malware used AppleScript to run unauthorised commands into an open SSH connection'), 'T1059.002': ('AppleScript is used by APT-1 to open fake login prompt to trick user into entering password.'), 'T1059.002': ('Attackers run malicious AppleScript via Automator workflows to gather system information'), 'T1564.002': ('Adversaries may use hidden users to mask the presence of user accounts they create'), 'T1564.002': 
'The software contains a hidden user account'), 'T1564.002': ('Adding a hidden user to the victim computer'), 'T1564.002': ('Attacker conceal user accounts to not let them appear on log screen'), 'T1564.002': ('Backdoor creates hidden user account to enable remote access without getting immidiately noticed by user'), 'T1564.002': (''), 'T1548.002': ('AppleJeus has presented the user with a UAC prompt to elevate privileges while installing.'), 'T1548.002': ('APT29 has bypassed UAC.'), 'T1548.002': ('APT37 has a function in the initial dropper to bypass Windows UAC in order to execute the next payload with higher privileges.'), 'T1548.002': ('AutoIt backdoor attempts to escalate privileges by bypassing User Access Control.'), 'T1548.002': ('BitPaymer can suppress UAC prompts by setting the HKCUSoftwareClassesms-settingsshellopencommand registry key on Windows 10 or HKCUSoftwareClassesmscfileshellopencommand on Windows 7 and launching the eventvwr.msc process which launches BitPaymer with elevated privileges.'), 'T1548.002': ('BlackEnergy attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later.'), 'T1548.002': ('BRONZE BUTLER has used a Windows 10 specific tool and xxmm to bypass UAC for privilege escalation.'), 'T1548.002': ('Cobalt Group has bypassed UAC.'), 'T1548.002': ('Cobalt Strike can use a number of known techniques to bypass Windows UAC.'), 'T1548.002': ('CSPY Downloader can bypass UAC using the SilentCleanup task to execute the binary with elevated privileges.'), 'T1548.002': ('Downdelph bypasses UAC to escalate privileges by using a customRedirectEXE shim database.'), 'T1548.002': ('Empire includes various modules to attempt to bypass UAC for escalation of privileges.'), 'T1548.002': ('Evilnum has used PowerShell to bypass UAC.'), 'T1548.002': ('FinFisher performs UAC bypass.'), 'T1548.002': ('Grandoreiro can bypass UAC by registering as the default handler for .MSC 
files.'), 'T1548.002': ('H1N1 bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe).'), 'T1548.002': ('Honeybee uses a combination of NTWDBLIB.dll and cliconfg.exe to bypass UAC protections using DLL hijacking.'), 'T1548.002': ('InvisiMole can use fileless UAC bypass and create an elevated COM object to escalate privileges.'), 'T1548.002': ('Koadic has 2 methods for elevating integrity. It can bypass UAC through eventvwr.exe and sdclt.exe.'), 'T1548.002': ('KONNI bypassed UAC with theAlwaysNotify settings.'), 'T1548.002': ('MuddyWater uses various techniques to bypass UAC.'), 'T1548.002': ('Patchwork bypassed User Access Control (UAC).'), 'T1548.002': ('PipeMon installer can use UAC bypass techniques to install the payload.'), 'T1548.002': ('An older variant of PLAINTEE performs UAC bypass.'), 'T1548.002': ('PoshC2 can utilize multiple methods to bypass UAC.'), 'T1548.002': ('Pupy can bypass Windows UAC through either DLL hijacking eventvwr or appPaths.'), 'T1548.002': ('Ramsay can use UACMe for privilege escalation.'), 'T1548.002': ('Remcos has a command for UAC bypassing.'), 'T1548.002': ('RTM can attempt to run the program as admin then show a fake error message and a legitimate UAC bypass prompt to the user in an attempt to socially engineer the user into escalating privileges.'), 'T1548.002': ('Sakula contains UAC bypass code for both 32- and 64-bit systems.'), 'T1548.002': ('Shamoon attempts to disable UAC remote restrictions by modifying the Registry.'), 'T1548.002': ('ShimRat has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. 
This prevented the User Access Control window from appearing.'), 'T1548.002': ('A Threat Group-3390 tool can use a public UAC bypass method to elevate privileges.'), 'T1548.002': ('UACMe contains many methods for bypassing Windows User Account Control on multiple versions of the operating system.'), 'T1548.002': ('Many ZeroT samples can perform UAC bypass by using eventvwr.exe to execute a malicious file.'), 'T1564.006': ('LoudMiner has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine which runs XMRig and makes connections to the C2 server for updates.'), 'T1564.006': ('Maze operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine configuration file mapped the shared network drives of the target company presumably so Maze can encrypt files on the shared drives as well as the local machine.'), 'T1564.006': ('Ragnar Locker has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables Ragnar Locker to encrypt files on the host operating system including files on any mapped drives.'), 'T1564.006': ('Malware connects to C2 server via VirtulBox machine to avoid detection by IPS'), 'T1564.006': ('Data is exfilterated through a shared folder on QEMU linux machine to evade DLP solution'), 'T1497.002': ('Darkhotel has used malware that repeatedly checks the mouse cursor position to determine if a real user is on the system.'), 'T1497.002': ('FIN7 used images embedded into document lures that only activate the payload when a user double clicks to avoid sandboxes.'), 'T1497.002': ('Okrum loader only executes the payload after the left mouse button has been pressed at least three times in order to avoid being executed within virtualized or emulated environments.'), 'T1497.002': ('Spark has used a splash screen to check whether an user actively clicks on the screen before running malicious code.'), 'T1497.002': ('Wanacry looks for 
minimum system drive size to check if it is getting run inside sandbox'), 'T1497.002': ('If malware finds a very limited and old browser history then it exits immidiately'), 'T1497.002': ('Malware checks number of files in downloads folder to determine if it is a real user system'), 'T1564.005': ('BOOTRASH has used unallocated disk space between partitions for a hidden file system that stores components of the Nemesis bootkit.'), 'T1564.005': ('ComRAT has used a portable F'),A'T16 parti': ('on image placed in TEMP as a hidden file system.'), 'T1564.005': ('Equation has used an encrypted virtual file system stored in the Windows Registry.'), 'T1564.005': ('Regin has used a hidden file system to store some of its components.'), 'T1564.005': ('Strider has used a hidden file system that is stored as a file on disk.'), 'T1574.012': ('Blue Mockingbird has used wmic.exe and Windows Registry modifications to set the COR_PROFILER environment variable to execute a malicious DLL whenever a process loads the .NET CLR.'), 'T1574.012': ('Actors exploring all things .NET including COR_PROFILER unmanaged code loading for defense evasion UAC bypass and the Ghost Loader AppDomainManager injection technique'), 'T1574.012': 'The most novel technique was the use of a COR_PROFILER COM hijack to execute a malicious DLL and restore items removed by defenders'), 'T1574.012': 'To use COR_PROFILER malware used wmic.exe and Windows Registry modifications to set environment variables and specify a DLL payload'), 'T1574.012': ('COR_PROFILER environment variable is set to execute malicious DLL when .NET application is run'), 'T1137.001': ('BackConfig has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros.'), 'T1137.001': ('Cobalt Strike has the ability to use an Excel Workbook to execute additional code by enabling Office to trust macros and execute code without user permission.'), 'T1137.001': ('MuddyWater has used a Word Template 
Normal.dotm for persistence.'), 'T1137.001': ('Malware leveraged search order hijacking to load malicious Normal.dotm template'), 'T1137.001': ('Adversaries register a the template as trusted document to execute malicious macros without explicit user permissioin'), 'T1098.004': ('Bundlore creates a new key pair with ssh-keygen and drops the newly created user key in authorized_keys to enable remote login.'), 'T1098.004': ('Skidmap has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host.'), 'T1098.004': 'TeamTNTpublic key is appended to root .ssh authorized_keys so that the threat actors can now login using the generated public-private key pair'), 'T1098.004': ('the server can manipulate subdirectories as well (for example overwrite .ssh authorized_keys)'), 'T1098.004': ('By creating a privileged container that mounts the host filesystem and overwrites rootSSH authorized_keys the attacker can then connect through SSH from the container to the host and execute anything they want'), 'T1059.001': ('A'),P'T19 used ': ('werShell commands to execute payloads.'), 'T1059.001': ('APT28 downloads and executes PowerShell scripts and performs PowerShell commands.'), 'T1059.001': ('APT29 has used encoded PowerShell scripts uploaded to CozyCar installations to download and install SeaDuke. 
APT29 also used PowerShell to create new tasks on remote machines identify configuration settings evade defenses exfiltrate data and to execute other commands..'), 'T1059.001': ('APT3 has used PowerShell on victim systems to download and run payloads after exploitation.'), 'T1059.001': ('APT32 has used PowerShell-based tools PowerShell one-liners and shellcode loaders for execution.'), 'T1059.001': ('APT33 has utilized PowerShell to download files from the C2 server and run various scripts.'), 'T1059.001': ('APT39 has used PowerShell to execute malicious code.'), 'T1059.001': ('APT41 leveraged PowerShell to deploy malware families in victims environments.'), 'T1059.001': ('AutoIt backdoor downloads a PowerShell script that decodes to a typical shellcode loader.'), 'T1059.001': ('Bazar can execute a PowerShell script received from C2.'), 'T1059.001': ('BloodHound can use PowerShell to pull Active Directory information from the target environment.'), 'T1059.001': ('Blue Mockingbird has used PowerShell reverse TCP shells to issue interactive commands over a network connection.'), 'T1059.001': ('BONDUPDATER is written in PowerShell.'), 'T1059.001': ('BRONZE BUTLER has used PowerShell for execution.'), 'T1059.001': ('Chimera has used PowerShell scripts to execute malicious payloads and the DSInternals PowerShell module to make use of Active Directory features.'), 'T1059.001': ('Cobalt Group has used powershell.exe to download and execute scripts.'), 'T1059.001': ('Cobalt Strike can execute a payload on a remote host with PowerShell. This technique does not write any data to disk. Cobalt Strike can also use PowerSploit and other scripting frameworks to perform execution.'), 'T1059.001': ('ComRAT has used PowerShell to load itself every time a user logs in to the system. 
ComRAT can execute PowerShell scripts loaded into memory or from the file system.'), 'T1059.001': ('ConnectWise can be used to execute PowerShell commands on target machines.'), 'T1059.001': ('CopyKittens has used PowerShell Empire.'), 'T1059.001': ('CrackMapExec can execute PowerShell commands via WMI.'), 'T1059.001': ('DarkHydrus leveraged PowerShell to download and execute additional scripts for execution.'), 'T1059.001': ('DarkVishnya used PowerShell to create shellcode loaders.'), 'T1059.001': ('Deep Panda has used PowerShell scripts to download and execute programs in memory without writing to disk.'), 'T1059.001': ('Denis has a version written in PowerShell.'), 'T1059.001': ('DownPaper uses PowerShell for execution.'), 'T1059.001': ('Dragonfly 2.0 used PowerShell scripts for execution.'), 'T1059.001': ('Egregor has used an encoded PowerShell command by a service created by Cobalt Strike for lateral movement.'), 'T1059.001': ('Emotet has used PowerShell to retrieve the malicious payload and download additional resources like Mimikatz.'), 'T1059.001': ('Empire leverages PowerShell for the majority of its client-side agent tasks. Empire also contains the ability to conduct PowerShell remoting with the Invoke-PSRemoting module.'), 'T1059.001': ('FatDuke has the ability to execute PowerShell scripts.'), 'T1059.001': ('FIN10 uses PowerShell for execution as well as PowerShell Empire to establish persistence.'), 'T1059.001': ('FIN6 has used PowerShell to gain access to merchant networks and a Metasploit PowerShell module to download and execute shellcode and to set up a local listener.'), 'T1059.001': ('FIN7 used a PowerShell script to launch shellcode that retrieved an additional payload.'), 'T1059.001': ('FIN8's malicious spearphishing payloads are executed as PowerShell. 
FIN8 has also used PowerShell during Lateral Movement and Credential Access.'), 'T1059.001': ('Fox Kitten has used PowerShell scripts to access credential data.'), 'T1059.001': ('Frankenstein has used PowerShell to run a series of base64-encoded commands that acted as a stager and enumerated hosts.'), 'T1059.001': ('GALLIUM used PowerShell for execution to assist in lateral movement as well as for dumping credentials stored on compromised machines.'), 'T1059.001': ('Gallmaker used PowerShell to download additional payloads and for execution.'), 'T1059.001': ('GOLD SOUTHFIELD has staged and executed PowerShell scripts on compromised hosts.'), 'T1059.001': ('Gorgon Group malware can use PowerShell commands to download and execute a payload and open a decoy document on the victim's machine.'), 'T1059.001': ('GRIFFON has used PowerShell to execute the Meterpreter downloader TinyMet.'), 'T1059.001': ('HAFNIUM has used the Exchange Power Shell module Set-OabVirtualDirectoryPowerShell to export mailbox data.'), 'T1059.001': ('HALFBAKED can execute PowerShell scripts.'), 'T1059.001': ('HAMMERTOSS is known to use PowerShell.'), 'T1059.001': ('Hancitor has used PowerShell to execute commands.'), 'T1059.001': ('One version of Helminth uses a PowerShell script.'), 'T1059.001': ('Inception has used PowerShell to execute malicious commands and payloads.'), 'T1059.001': ('Indrik Spider has used PowerShell Empire for execution of malware.'), 'T1059.001': ('JCry has used PowerShell to execute payloads.'), 'T1059.001': ('KeyBoy uses PowerShell commands to download and execute payloads.'), 'T1059.001': ('KGH_SPY can execute PowerShell commands on the victim machine.'), 'T1059.001': ('Kimsuky has executed a variety of PowerShell scripts.'), 'T1059.001': ('KONNI used PowerShell to download and execute a specific 64-bit version of the malware.'), 'T1059.001': ('Lazarus Group has used PowerShell to download malicious payloads.'), 'T1059.001': ('Leviathan has used PowerShell for 
execution.'), 'T1059.001': ('Magic Hound has used PowerShell for execution and privilege escalation.'), 'T1059.001': ('menuPass uses PowerSploit to inject shellcode into PowerShell.'), 'T1059.001': ('MoleNet can use PowerShell to set persistence.'), 'T1059.001': ('Molerats used PowerShell implants on target machines.'), 'T1059.001': ('Mosquito can launch PowerShell scripts.'), 'T1059.001': ('MuddyWater has used PowerShell for execution.'), 'T1059.001': ('Mustang Panda has used malicious PowerShell scripts to enable execution.'), 'T1059.001': ('Netwalker has been written in PowerShell and executed directly in memory, avoiding detection.'), 'T1059.001': ('The NETWIRE binary has been executed via PowerShell script.'), 'T1059.001': ('njRAT has executed PowerShell commands via auto-run registry key persistence.'), 'T1059.001': ('OilRig has used PowerShell scripts for execution, including use of a macro to run a PowerShell command to decode file contents.'), 'T1059.001': ('Operation Wocao has used PowerShell on compromised systems.'), 'T1059.001': ('OSX_OCEANLOTUS.D uses PowerShell scripts.'), 'T1059.001': ('Patchwork used PowerSploit to download payloads, run a reverse shell and execute malware on the victim machine.'), 'T1059.001': ('Pillowmint has used a PowerShell script to install a shim database.'), 'T1059.001': ('The Poseidon Group's Information Gathering Tool (IGT) includes PowerShell components.'), 'T1059.001': ('POSHSPY uses PowerShell to execute various commands, one to execute its payload.'), 'T1059.001': ('PowerShower is a backdoor written in PowerShell.'), 'T1059.001': ('POWERSOURCE is a PowerShell backdoor.'), 'T1059.001': ('PowerSploit modules are written in and executed via PowerShell.'), 'T1059.001': ('PowerStallion uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server.'), 'T1059.001': ('POWERSTATS uses PowerShell for obfuscation and execution.'), 'T1059.001': ('POWERTON is written in PowerShell.'), 'T1059.001': ('POWRUNER 
is written in PowerShell.'), 'T1059.001': ('PUNCHBUGGY has used PowerShell scripts.'), 'T1059.001': ('Pupy has a module for loading and executing PowerShell scripts.'), 'T1059.001': ('Pysa has used PowerShell scripts to deploy its ransomware.'), 'T1059.001': ('QUADAGENT uses PowerShell scripts for execution.'), 'T1059.001': ('There is a variant of RATANKBA that uses a PowerShell script instead of the traditional PE form.'), 'T1059.001': ('RegDuke can extract and execute PowerShell scripts from C2 communications.'), 'T1059.001': ('Revenge RAT uses the PowerShell command Reflection.Assembly to load itself into memory to aid in execution.'), 'T1059.001': ('REvil has used PowerShell to delete volume shadow copies and download files.'), 'T1059.001': ('RogueRobin uses a command prompt to run a PowerShell script from Excel. To assist in establishing persistence RogueRobin creates APPDATAOneDrive.bat and saves the following string to it: powershell.exe -WindowStyle Hidden -exec bypass -FileAPPDATAOneDrive.ps1.'), 'T1059.001': ('Sandworm Team has used PowerShell scripts to run a credential harvesting tool in memory to evade defenses.'), 'T1059.001': ('SeaDuke uses a module to execute Mimikatz with PowerShell to perform Pass the Ticket.'), 'T1059.001': ('ServHelper has the ability to execute a PowerShell script to get information from the infected host.'), 'T1059.001': ('SharpStage can execute arbitrary commands with PowerShell.'), 'T1059.001': ('SHARPSTATS has the ability to employ a custom PowerShell script.'), 'T1059.001': ('Sidewinder has used PowerShell to drop and execute malware loaders.'), 'T1059.001': ('Silence has used PowerShell to download and execute payloads.'), 'T1059.001': ('Socksbot can write and execute PowerShell scripts.'), 'T1059.001': ('SQLRat has used PowerShell to create a Meterpreter session.'), 'T1059.001': ('Stealth Falcon malware uses PowerShell commands to perform various functions including gathering system information via WMI and executing 
commands from its C2 server.'), 'T1059.001': ('StrongPity can use PowerShell to add files to the Windows Defender exclusions list.'), 'T1059.001': ('TA459 has used PowerShell for execution of a payload.'), 'T1059.001': ('TA505 has used PowerShell to download and execute malware and reconnaissance scripts.'), 'T1059.001': ('TEMP.Veles has used a publicly-available PowerShell-based tool, WMImplant. The group has also used PowerShell to perform Timestomping.'), 'T1059.001': ('Threat Group-3390 has used PowerShell for execution.'), 'T1059.001': ('Thrip leveraged PowerShell to run commands to download payloads, traverse the compromised networks and carry out reconnaissance.'), 'T1059.001': ('Turla has used PowerShell to execute commands/scripts, in some cases via a custom executable or code from Empire's PSInject. Turla has also used PowerShell scripts to load and execute malware in memory.'), 'T1059.001': ('UNC2452 used PowerShell to create new tasks on remote machines, identify configuration settings, exfiltrate data and to execute other commands.'), 'T1059.001': ('Ursnif droppers have used PowerShell in download cradles to download and execute the malware's full executable payload.'), 'T1059.001': ('Valak has used PowerShell to download additional modules.'), 'T1059.001': ('WellMess can execute PowerShell scripts received from C2.'), 'T1059.001': ('WIRTE has used PowerShell for script execution.'), 'T1059.001': ('Wizard Spider has used macros to execute PowerShell scripts to download malware on victim machines. 
It has also used PowerShell to execute commands and move laterally through a victim network.'), 'T1059.001': ('Xbash can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution.'), 'T1059.006': ('APT29 has developed malware variants written in Python.'), 'T1059.006': ('APT39 has used a command line utility and a network scanner written in Python.'), 'T1059.006': ('BRONZE BUTLER has made use of Python-based remote access tools.'), 'T1059.006': ('Bundlore has used Python scripts to execute payloads.'), 'T1059.006': ('Cobalt Strike can use Python to perform execution.'), 'T1059.006': ('CoinTicker executes a Python script to download its second stage.'), 'T1059.006': ('CookieMiner has used Python scripts on the user's system as well as the Python variant of the Empire agent, EmPyre.'), 'T1059.006': ('Dragonfly 2.0 used various types of scripting to perform operations, including Python scripts. The group was observed installing Python 2.7 on a victim.'), 'T1059.006': ('DropBook is a Python-based backdoor compiled with PyInstaller.'), 'T1059.006': ('Ebury has used Python to implement its DGA.'), 'T1059.006': ('IronNetInjector can use IronPython scripts to load payloads with the help of a .NET injector.'), 'T1059.006': ('KeyBoy uses Python scripts for installing files and performing execution.'), 'T1059.006': ('Keydnap uses Python for scripting to execute additional commands.'), 'T1059.006': ('Kimsuky has used a Mac OS Python implant to gather data.'), 'T1059.006': ('Machete used multiple compiled Python scripts on the victim's system. 
Machete's main backdoor, Machete, is also written in Python.'), 'T1059.006': ('Machete is written in Python and is used in conjunction with additional Python scripts.'), 'T1059.006': ('MechaFlounder uses a Python-based payload.'), 'T1059.006': ('MuddyWater has used tools developed in Python, including Out1.'), 'T1059.006': ('Operation Wocao backdoors have been written in Python and compiled with py2exe.'), 'T1059.006': ('PoetRAT was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools.'), 'T1059.006': ('PUNCHBUGGY has used Python scripts.'), 'T1059.006': ('Pupy can use an add-on feature when creating payloads that allows you to create custom Python scripts (scriptlets) to perform tasks offline (without requiring a session), such as sandbox detection, adding persistence, etc.'), 'T1059.006': ('Pysa has used Python scripts to deploy ransomware.'), 'T1059.006': ('Remcos uses Python scripts.'), 'T1059.006': ('Rocke has used Python-based malware to install and spread their coinminer.'), 'T1059.006': ('SpeakUp uses Python scripts.'), 'T1059.006': ('Turla has used IronPython scripts as part of the IronNetInjector toolchain to drop payloads.'), 'T1059.006': ('ZIRCONIUM has used Python-based implants to interact with compromised hosts.'), 'T1553.001': ('CoinTicker downloads the EggShell mach-o binary using curl, which does not set the quarantine flag.'), 'T1553.001': ('OSX_OCEANLOTUS.D can delete the file quarantine attribute.'), 'T1553.001': ('A macOS exploit allows execution of untrusted binaries using a Gatekeeper bypass'), 'T1553.001': ('The xattr command, when run as root, can remove the quarantine flag to enable execution of a downloaded binary without a user prompt.'), 'T1553.001': ('Administrators should flag removal of the com.apple.quarantine attribute by a user as suspicious activity'), 'T1218.008': ('Cobalt Group has used odbcconf to proxy the execution of malicious DLL files.'), 'T1218.008': ('Actors can use the REGSVR flag of odbcconf.exe 
to execute malicious DLLs'), 'T1218.008': ('The Microsoft-signed database utility odbcconf can be misused to run a malicious payload, bypassing application control solutions'), 'T1218.008': ('Similar to Regsvr32, odbcconf.exe can also be used to proxy execution of malicious code'), 'T1218.008': ('APT-21 actors attempt to bypass application control policies via proxy execution through odbcconf'), 'T1218.010': ('APT19 used Regsvr32 to bypass application control techniques.'), 'T1218.010': ('APT32 created a Scheduled Task/Job that used regsvr32.exe to execute a COM scriptlet that dynamically downloaded a backdoor and injected it into memory. The group has also used regsvr32 to run their backdoor.'), 'T1218.010': ('Astaroth can be loaded through regsvr32.exe.'), 'T1218.010': ('Blue Mockingbird has executed custom-compiled XMRIG miner DLLs using regsvr32.exe.'), 'T1218.010': ('Cobalt Group has used regsvr32.exe to execute scripts.'), 'T1218.010': ('Deep Panda has used regsvr32.exe to execute a server variant of Derusbi in victim networks.'), 'T1218.010': ('Derusbi variants have been seen that use Registry persistence to proxy execution through regsvr32.exe.'), 'T1218.010': ('Egregor has used regsvr32.exe to execute malicious DLLs.'), 'T1218.010': ('EVILNUM can run a remote scriptlet that drops a file and executes it via regsvr32.exe.'), 'T1218.010': ('Hi-Zor executes using regsvr32.exe called from the Registry Run Keys / Startup Folder persistence mechanism.'), 'T1218.010': ('Inception has ensured persistence at system boot by setting the value regsvr32 pathctfmonrn.dll s.'), 'T1218.010': ('Koadic can use Regsvr32 to execute additional payloads.'), 'T1218.010': ('Leviathan has used regsvr32 for execution.'), 'T1218.010': ('More_eggs has used regsvr32.exe to execute the malicious DLL.'), 'T1218.010': ('Some Orz versions have an embedded DLL known as MockDll that uses Process Hollowing and regsvr32 to execute another payload.'), 'T1218.010': ('Ragnar Locker has used 
regsvr32.exe to execute components of VirtualBox.'), 'T1218.010': ('RogueRobin uses regsvr32.exe to run a .sct file for execution.'), 'T1218.010': ('TA551 has used regsvr32.exe to load malicious DLLs.'), 'T1218.010': ('Valak has used regsvr32.exe to launch malicious DLLs.'), 'T1218.010': ('WIRTE has used Regsvr32.exe to trigger the execution of a malicious script.'), 'T1218.010': ('Xbash can use regsvr32 for executing scripts.'), 'T1218.009': ('Agent Tesla has dropped RegAsm.exe onto systems for performing malicious activity.'), 'T1218.009': ('Malware then drops Regsvcs.exe to perform malicious activity'), 'T1218.009': ('The Windows command-line utility Regasm.exe can be used to run malicious code before COM object registration'), 'T1218.009': ('Actors download Regsvcs onto the system to perform proxy execution of malicious code'), 'T1218.009': ('The Microsoft-signed binaries Regsvcs.exe and Regasm.exe are used to execute malicious code on the infected system'), 'T1218.004': ('menuPass has used InstallUtil.exe to execute malicious software.'), 'T1218.004': ('Mustang Panda has used InstallUtil.exe to execute a malicious Beacon stager.'), 'T1218.004': ('InstallUtil.exe is used to execute malicious installer components in .NET binaries'), 'T1218.004': ('Actors use the Microsoft-signed InstallUtil.exe for performing proxy execution of malicious .NET code'), 'T1218.004': ('Malware performs proxy execution via InstallUtil to evade application control solutions'), 'T1218.003': ('Cobalt Group has used the command cmstp.exe s ns C:UsersADMINI~WAppDataLocalTempXKNqbpzl.txt to bypass AppLocker and launch a malicious script.'), 'T1218.003': ('MuddyWater has used CMSTP.exe and a malicious INF to execute its POWERSTATS payload.'), 'T1218.003': ('An obfuscated service profile file is written to APPDATAMicrosoftRANDOMRANDOM.txt that is executed using cmstp.exe to download and execute a first-stage scriptlet'), 'T1218.003': ('That batch file writes a malicious INF file and supplies it as a parameter to the 
Microsoft utility cmstp.exe, which executes a remote scriptlet specified in the INF file.'), 'T1218.003': ('The LNK file runs cmd.exe to create APPDATAMicrosoft.txt. This txt file will be further run by the cmstp.exe utility'), 'T1218.001': ('APT41 used compiled HTML (.chm) files for targeting.'), 'T1218.001': ('Astaroth uses ActiveX objects for file execution and manipulation.'), 'T1218.001': ('Dark Caracal leveraged a compiled HTML file that contained a command to download and run an executable.'), 'T1218.001': ('Lazarus Group has used CHM files to move concealed payloads.'), 'T1218.001': ('OilRig has used a CHM payload to load and execute another malicious file once delivered to a victim.'), 'T1218.001': ('Silence has weaponized CHM files in their phishing campaigns.'), 'T1055.014': ('By writing shellcode in vDSO and hijacking the invocation process of a normal function, an attacker that successfully exploits this vulnerability could obtain a reverse shell on a host to escape the container.'), 'T1055.014': ('Malware performs VDSO hijacking by redirecting calls to dynamically linked shared libraries to run malicious code'), 'T1055.014': ('An adversary may hijack the syscall interface code stubs mapped into a process from the vdso shared object to execute syscalls to open and map a malicious shared object'), 'T1055.014': ('Execution via VDSO hijacking may also evade detection from security products since the execution is masked under a legitimate process'), 'T1055.014': ('Rootkits inject malicious code into processes via VDSO hijacking in order to evade process-based defenses as well as possibly elevate privileges'), 'T1055.009': ('Attacker uses proc memory injection to execute malicious code in the address space of a legitimate process'), 'T1055.009': ('Malware overwrites the target process's stack using memory mappings provided by the proc filesystem'), 'T1055.009': ('Malware enumerates the memory of a process via the proc filesystem (/proc/<pid>), then crafts a ROP 
payload to run malicious instructions.'), 'T1055.009': ('Attackers use the proc filesystem to overwrite the memory of a legitimate process to perform malicious activity'), 'T1055.009': ('Malicious code is run without detection using the proc filesystem together with ROP payloads'), 'T1055.008': ('Malware injects malicious code into processes via ptrace system calls to elevate privileges and evade process-based defenses'), 'T1055.008': ('Using process injection via ptrace, attackers get access to the process's memory, system and network resources, and possibly elevated privileges'), 'T1055.008': ('Campaign uses ptrace system call injection for executing malicious code in the address space of a trusted process.'), 'T1055.008': ('Malware then used ptrace to elevate privileges to modify the hosts file.'), 'T1055.008': ('Infostealer used ptrace to dump an authentication token from process memory.'), 'T1552.006': ('APT33 has used a variety of publicly available tools like Gpppassword to gather credentials.'), 'T1552.006': ('PowerSploit contains a collection of Exfiltration modules that can harvest credentials from Group Policy Preferences.'), 'T1552.006': ('Attackers try to find unsecured credentials in Group Policy Preferences (GPP) using a Metasploit module'), 'T1552.006': ('APT campaign uses the Gpppassword tool to extract credentials from GPP'), 'T1552.006': ('Attackers use open-source tools to gather and decrypt passwords from Group Policy Preference XML files'), 'T1059.004': ('Anchor can execute payloads via shell scripting.'), 'T1059.004': ('AppleJeus has used shell scripts to execute commands after installation and set persistence mechanisms.'), 'T1059.004': ('APT41 executed file /bin/pwd in activity exploiting CVE-2019-19781 against Citrix devices.'), 'T1059.004': ('Bundlore has leveraged /bin/sh and /bin/bash to execute commands on the victim machine.'), 'T1059.004': ('CallMe has the capability to create a reverse shell on victims.'), 'T1059.004': ('Chaos provides a reverse shell connection on 
8338 TCP encrypted via AES.'), 'T1059.004': ('CoinTicker executes a bash script to establish a reverse shell.'), 'T1059.004': ('CookieMiner has used a Unix shell script to run a series of commands targeting macOS.'), 'T1059.004': ('Derusbi is capable of creating a remote Bash shell and executing commands.'), 'T1059.004': ('Doki has executed shell scripts with /bin/sh.'), 'T1059.004': ('Drovorub can execute arbitrary commands as root on a compromised system.'), 'T1059.004': ('Exaramel for Linux has a command to execute a shell command on the system.'), 'T1059.004': ('Fysbis has the ability to create and execute commands in a remote shell for CLI.'), 'T1059.004': ('Hildegard has used shell scripts for execution.'), 'T1059.004': ('Kazuar uses /bin/bash to execute commands on the victim's machine.'), 'T1059.004': ('Kinsing has used Unix shell scripts to execute commands in the victim environment.'), 'T1059.004': ('LoudMiner used shell scripts to launch various services and to start/stop the QEMU virtualization.'), 'T1059.004': ('NETWIRE has the ability to use /bin/bash and /bin/sh to execute commands.'), 'T1059.004': ('OSX Shlayer can use bash scripts to check the macOS version and download payloads.'), 'T1059.004': ('OSX_OCEANLOTUS.D can use shell script to execute malicious code.'), 'T1059.004': ('Penquin can execute remote commands using bash scripts.'), 'T1059.004': ('Proton uses macOS .command file type to script actions.'), 'T1059.004': ('Rocke used shell scripts to run commands which would obtain persistence and execute the cryptocurrency mining malware.'), 'T1059.004': ('Skidmap has used pm.sh to download and install its main payload.'), 'T1059.004': ('WindTail can use the open command to execute an application.'), 'T1003.001': ('APT1 has been known to use credential dumping using Mimikatz.'), 'T1003.001': ('APT28 regularly deploys both publicly available (ex: Mimikatz) and custom password retrieval tools on victims.'), 'T1003.001': ('APT3 has used a tool to 
dump credentials by injecting itself into lsass.exe and triggering with the argument dig.'), 'T1003.001': ('APT32 used Mimikatz and customized versions of Windows Credential Dumper to harvest credentials.'), 'T1003.001': ('APT33 has used a variety of publicly available tools like LaZagne, Mimikatz and ProcDump to dump credentials.'), 'T1003.001': ('APT39 has used Mimikatz, Windows Credential Editor and ProcDump to dump credentials.'), 'T1003.001': ('APT41 used the Windows Credential Editor to dump password hashes from memory and authenticate to other user accounts.'), 'T1003.001': ('Blue Mockingbird has used Mimikatz to retrieve credentials from LSASS memory.'), 'T1003.001': ('BRONZE BUTLER has used various tools (such as Mimikatz and WCE) to perform credential dumping.'), 'T1003.001': ('Cleaver has been known to dump credentials using Mimikatz and Windows Credential Editor.'), 'T1003.001': ('CozyCar has executed Mimikatz to harvest stored credentials from the victim and further victim penetration.'), 'T1003.001': ('Daserf leverages Mimikatz and Windows Credential Editor to steal credentials.'), 'T1003.001': ('Emotet has been observed dropping password grabber modules including Mimikatz.'), 'T1003.001': ('Empire contains an implementation of Mimikatz to gather credentials from memory.'), 'T1003.001': ('FIN6 has used Windows Credential Editor for credential dumping.'), 'T1003.001': ('FIN8 harvests credentials using Invoke-Mimikatz or Windows Credentials Editor (WCE).'), 'T1003.001': ('Fox Kitten has used procdump to dump credentials from LSASS.'), 'T1003.001': ('GALLIUM used a modified version of Mimikatz along with a PowerShell-based Mimikatz to dump credentials on the victim machines.'), 'T1003.001': ('GreyEnergy has a module for Mimikatz to collect Windows credentials from the victim's machine.'), 'T1003.001': ('HAFNIUM has used procdump to dump the LSASS process memory.'), 'T1003.001': ('SecretsDump and Mimikatz modules within Impacket can perform credential dumping 
to obtain account and password information.'), 'T1003.001': ('Ke3chang has dumped credentials, including by using Mimikatz.'), 'T1003.001': ('Kimsuky has used ProcDump to dump credentials.'), 'T1003.001': ('LaZagne can perform credential dumping from memory to obtain account and password information.'), 'T1003.001': ('Lazarus Group leveraged Mimikatz to extract Windows Credentials of currently logged-in users and steal passwords stored in browsers. Lazarus Group has also used a custom version of Mimikatz to capture credentials.'), 'T1003.001': ('Leafminer used several tools for retrieving login and password information, including LaZagne and Mimikatz.'), 'T1003.001': ('Leviathan has used publicly available tools to dump password hashes, including ProcDump and WCE.'), 'T1003.001': ('Lslsass can dump active logon session password hashes from the lsass process.'), 'T1003.001': ('Magic Hound stole domain credentials from Microsoft Active Directory Domain Controller and leveraged Mimikatz.'), 'T1003.001': ('Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. 
It contains functionality to acquire information about credentials in many ways, including from the LSASS memory.'), 'T1003.001': ('MuddyWater has performed credential dumping with Mimikatz and procdump64.exe.'), 'T1003.001': ('Net Crawler uses credential dumpers such as Mimikatz and Windows Credential Editor to extract cached credentials from Windows systems.'), 'T1003.001': ('NotPetya contains a modified version of Mimikatz to help gather credentials that are later used for lateral movement.'), 'T1003.001': ('OilRig has used credential dumping tools such as Mimikatz to steal credentials to accounts logged into the compromised system and to Outlook Web Access.'), 'T1003.001': ('Okrum was seen using MimikatzLite to perform credential dumping.'), 'T1003.001': ('Olympic Destroyer contains a module that tries to obtain credentials from LSASS similar to Mimikatz. These credentials are used with PsExec and Windows Management Instrumentation to help the malware propagate itself across a network.'), 'T1003.001': ('Operation Wocao has used ProcDump to dump credentials from memory.'), 'T1003.001': ('PLATINUM has used keyloggers that are also capable of dumping credentials.'), 'T1003.001': ('PoetRAT used voStro.exe, a compiled pypykatz (Python version of Mimikatz), to steal credentials.'), 'T1003.001': ('PoshC2 contains an implementation of Mimikatz to gather credentials from memory.'), 'T1003.001': ('PowerSploit contains a collection of Exfiltration modules that can harvest credentials using Mimikatz.'), 'T1003.001': ('Pupy can execute LaZagne as well as Mimikatz using PowerShell.'), 'T1003.001': ('Pysa can perform OS credential dumping using Mimikatz.'), 'T1003.001': ('Sandworm Team's plainpwd tool is a modified version of Mimikatz and dumps Windows credentials from system memory.'), 'T1003.001': ('Silence has used the Farse6.1 utility (based on Mimikatz) to extract credentials from lsass.exe.'), 'T1003.001': ('Stolen Pencil gathers credentials using Mimikatz and Procdump.'), 
'T1003.001': ('TEMP.Veles has used Mimikatz and a custom tool, SecHack, to harvest credentials.'), 'T1003.001': ('Threat Group-3390 actors have used a modified version of Mimikatz called Wrapikatz to dump credentials. They have also dumped credentials from domain controllers.'), 'T1003.001': ('Whitefly has used Mimikatz to obtain credentials.'), 'T1003.001': ('Windows Credential Editor can dump credentials.'), 'T1216.001': ('APT32 has used PubPrn.vbs within execution scripts to execute malware, possibly bypassing defenses.'), 'T1216.001': ('PubPrn.vbs can be used to proxy execution from a remote site'), 'T1216.001': ('An attacker uses a signed Microsoft WSH script (PubPrn.vbs) to run malicious code and bypass application whitelisting restrictions'), 'T1216.001': ('Adversaries use the trusted PubPrn script to proxy execution of malicious files'), 'T1216.001': ('To bypass application control restrictions, malware uses the PubPrn script to execute malicious files from a remote site'), 'T1569.001': ('AppleJeus has loaded a plist file using the launchctl command.'), 'T1569.001': ('Calisto uses launchctl to enable screen sharing on the victim's machine.'), 'T1569.001': ('LoudMiner launched the QEMU services in the /Library/LaunchDaemons folder using launchctl.'), 'T1569.001': ('Adversaries abuse launchctl to execute malicious commands on the victim system'), 'T1569.001': ('Using launchctl, adversaries can install persistence or execute changes they made'), 'T1074.001': ('ADVSTORESHELL stores output from command execution in a .dat file in the TEMP directory.'), 'T1074.001': ('APT28 has stored captured credential information in a file named pi.log.'), 'T1074.001': ('APT3 has been known to stage files for exfiltration in a single location.'), 'T1074.001': ('APT39 has utilized tools to aggregate data prior to exfiltration.'), 'T1074.001': ('Astaroth collects data in a plaintext file named r1.log before exfiltration.'), 'T1074.001': ('Attor has staged collected data in a central upload directory 
prior to exfiltration.'), 'T1074.001': ('BADNEWS copies documents under 15MB found on the victim system to the user's tempSMB folder. It also copies files from USB devices to a predefined directory.'), 'T1074.001': ('BadPatch stores collected data in log files before exfiltration.'), 'T1074.001': ('Calisto uses a hidden directory named .calisto to store data from the victim's machine before exfiltration.'), 'T1074.001': ('Carbon creates a base directory that contains the files and folders that are collected.'), 'T1074.001': ('Catchamas stores the gathered data from the machine in .db files and .bmp files under four separate locations.'), 'T1074.001': ('Chimera has staged stolen data locally on compromised hosts.'), 'T1074.001': ('Crutch has staged stolen files in the C:AMDTemp directory.'), 'T1074.001': ('Dragonfly 2.0 created a directory named out in the user AppData folder and copied files to it.'), 'T1074.001': ('Dtrack can save collected data to disk, in different file formats, and to network shares.'), 'T1074.001': ('Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it and XOR encrypt it.'), 'T1074.001': ('DustySky created folders in temp directories to host collected files before exfiltration.'), 'T1074.001': ('Dyre has the ability to create files in a TEMP folder to act as a database to store information.'), 'T1074.001': ('ECCENTRICBANDWAGON has stored keystrokes and screenshots within the tempGoogleChrome tempDownloads and tempTrendMicroUpdate directories.'), 'T1074.001': ('Elise creates a file in AppDataLocalMicrosoftWindowsExplorer and stores all harvested data in that file.'), 'T1074.001': ('Exaramel for Windows specifies a path to store files scheduled for exfiltration.'), 'T1074.001': ('FIN5 scripts save memory dump data into a specific directory on hosts in the victim environment.'), 'T1074.001': ('FLASHFLOOD stages data it copies from the local system or removable drives in the WINDIR$NtUninstallKB885884$ directory.'), 
'T1074.001': ('FrameworkPOS can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:Windows.'), 'T1074.001': ('GALLIUM compressed and staged files in multi-part archives in the Recycle Bin prior to exfiltration.'), 'T1074.001': ('Gold Dragon stores information gathered from the endpoint in a file named 1.hwp.'), 'T1074.001': ('Helminth creates folders to store output from batch scripts prior to sending the information to its C2 server.'), 'T1074.001': ('Honeybee adds collected files to a temp.zip file saved in the temp folder then base64 encodes it and uploads it to control server.'), 'T1074.001': ('InvisiMole determines a working directory where it stores all the gathered data about the compromised machine.'), 'T1074.001': ('Kazuar stages command output and collected data in files before exfiltration.'), 'T1074.001': ('KGH_SPY can save collected system information to a file named info before exfiltration.'), 'T1074.001': ('Kimsuky has staged collected data files under C:Program FilesCommon FilesSystemOle DB.'), 'T1074.001': ('Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is saved in the TEMP directory then compressed encrypted and uploaded to a C2 server.'), 'T1074.001': ('Leviathan has used C:WindowsDebug and C:Perflogs as staging directories.'), 'T1074.001': ('LightNeuron can store email data in files and directories specified in its configuration such as C:WindowsServiceProfilesNetworkServiceappdataLocalTemp.'), 'T1074.001': ('Machete stores files and logs in a folder on the local drive.'), 'T1074.001': ('menuPass stages data prior to exfiltration in multi-part archives often saved in the Recycle Bin.'), 'T1074.001': ('MESSAGETAP stored targeted SMS messages that matched its target list in CSV files on the compromised system.'), 'T1074.001': ('MoonWind saves information from its keylogging routine as a .zip file in the present working directory.'), 'T1074.001': 
('Mustang Panda has stored collected credential files in c:windowstemp prior to exfiltration. Mustang Panda has also stored documents for exfiltration in a hidden folder on USB drives.'), 'T1074.001': ('NavRAT writes multiple outputs to a TMP file using the >> method.'), 'T1074.001': ('NETWIRE has the ability to write collected data to a file created in the . LOGS directory.'), 'T1074.001': ('NOKKI can collect data from the victim and stage it in LOCALAPPDATAMicroSoft Updateauplog.tmp.'), 'T1074.001': ('OopsIE stages the output from command execution and collected files in specific folders before exfiltration.'), 'T1074.001': ('Operation Wocao has staged archived files in a temporary directory prior to exfiltration.'), 'T1074.001': ('Patchwork copied all targeted files to a directory called index that was eventually uploaded to the C&C server.'), 'T1074.001': ('PoisonIvy stages collected data in a text file.'), 'T1074.001': ('Prikormka creates a directory USERPROFILEAppDataLocalSKC which is used to store collected log files.'), 'T1074.001': ('Pteranodon creates various subdirectories under Tempreports and copies files to those subdirectories. 
It also creates a folder at C:UsersAppDataRoamingMicrosoftstore to store screenshot JPEG files.'), 'T1074.001': ('PUNCHBUGGY has saved information to a random temp file before exfil.'), 'T1074.001': ('PUNCHTRACK aggregates collected data in a tmp file.'), 'T1074.001': ('Ramsay can stage data prior to exfiltration in APPDATAMicrosoftUserSetting and APPDATAMicrosoftUserSettingMediaCache.'), 'T1074.001': ('Data captured by RawPOS is placed in a temporary file under a directory named memdump.'), 'T1074.001': ('Rover copies files from removable drives to C:system.'), 'T1074.001': ('Sidewinder has collected stolen files in a temporary folder in preparation for exfiltration.'), 'T1074.001': ('SPACESHIP identifies files with certain extensions and copies them to a directory in the user profile.'), 'T1074.001': 'TEMP.Veles has created staging folders in directories that were infrequently used by legitimate users or processes.'), 'T1074.001': 'Threat Group-3390 has locally staged encrypted archives for later exfiltration efforts.'), 'T1074.001': 'Trojan.Karagany can create directories to store plugin output and stage data for exfiltration.'), 'T1074.001': ('Ursnif has used tmp files to stage gathered information.'), 'T1074.001': ('USBStealer collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration.'), 'T1074.001': ('Zebrocy stores all collected information in a single file before exfiltration.'), 'T1542.001': ('Hacking Team UEFI Rootkit is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems.'), 'T1542.001': ('LoJax is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems.'), 'T1542.001': 'Trojan.Mebromi performs BIOS modification and can download and execute a file as well as protect itself from removal.'), 'T1542.001': ('Sophisticated adversaries overwrite firmware to install malicious firmware updates as a means of 
persistence on a system that may be difficult to detect'), 'T1542.001': ('Rootkit malwares presist and evade detection by installing malicioufirmware updates on infected system'), 'T1546.008': ('APT29 used sticky-keys to obtain unauthenticated privileged console access.'), 'T1546.008': ('APT3 replaces the Sticky Keys binary C:WindowsSystem32sethc.exe for persistence.'), 'T1546.008': ('APT41 leveraged sticky keys to establish persistence.'), 'T1546.008': ('Axiom actors have been known to use the Sticky Keys replacement within RDP sessions to obtain persistence.'), 'T1546.008': ('Deep Panda has used the sticky-keys technique to bypass the RDP login screen on remote systems during intrusions.'), 'T1546.008': ('Empire can leverage WMI debugging to remotely replace binaries like sethc.exe Utilman.exe and Magnify.exe with cmd.exe.'), 'T1546.008': ('Fox Kitten has used sticky keys to launch a command prompt.'), 'T1098.002': ('APT29 added their own devices as allowed IDs for active sync using Set-CASMailbox allowing it to obtain copies of victim mailboxes. It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.'), 'T1098.002': ('Magic Hound granted compromised email accounts read access to the email boxes of additional targeted accounts. The group then was able to authenticate to the intended victim OWA (Outlook Web Access) portal and read hundreds of email communications for information on Middle East organizations.'), 'T1098.002': ('UNC2452 added their own devices as allowed IDs for active sync using Set-CASMailbox allowing it to obtain copies of victim mailboxes. 
It also added additional permissions (such as Mail.Read and Mail.ReadWrite) to compromised Application or Service Principals.'), 'T1098.002': ('Attacker added their own devices as allowed IDs for active sync for a number of mailboxes using Set-CASMailbox'), 'T1098.002': ('Set-CASMailbox is used by adversary to assign more access rights to the accounts they wish to compromise and use these accounts'), 'T1547.004': ('Bazar can use Winlogon Helper DLL to establish persistence.'), 'T1547.004': ('Cannon adds the Registry key HKCUSoftwareMicrosoftWindows NTCurrentVersionWinlogon to establish persistence.'), 'T1547.004': ('A Dipsind variant registers as a Winlogon Event Notify DLL to establish persistence.'), 'T1547.004': ('Gazer can establish persistence by setting the valueShell withexplorer.exe malware_pathfile under the Registry key HKCUSoftwareMicrosoftWindows NTCurrentVersionWinlogon.'), 'T1547.004': ('KeyBoy issues the command reg addHKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon to achieve persistence.'), 'T1547.004': ('Remexi achieves persistence using Userinit by adding the Registry key HKLMSoftwareMicrosoftWindows NTCurrentVersionWinlogonUserinit.'), 'T1547.004': 'Tropic Trooper has created the Registry key HKCUSoftwareMicrosoftWindows NTCurrentVersionWinlogonShell and sets the value to establish persistence.'), 'T1547.004': 'Turla established persistence by adding a Shell value under the Registry key HKCUSoftwareMicrosoftWindows NTCurrentVersionWinlogon.'), 'T1547.004': ('Wizard Spider has established persistence using Userinit by adding the Registry key HKLMSOFTWAREMicrosoftWindows NTCurrentVersionWinlogon.'), 'T1557.001': ('Empire can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.'), 'T1557.001': ('Impacket modules like ntlmrelayx and smbrelayx can be used in conjunction with Network Sniffing and LLMNR NBT-NS Poisoning and SMB Relay to gather NetNTLM credentials for Brute Force or relay attacks that 
can gain code execution.'), 'T1557.001': ('PoshC2 can use Inveigh to conduct name service poisoning for credential theft and associated relay attacks.'), 'T1557.001': ('Pupy can sniff plaintext network credentials and use NBNS Spoofing to poison name services.'), 'T1557.001': ('Responder is used to poison name services to gather hashes and credentials from systems within a local network.'), 'T1557.001': ('Wizard Spider has used the Invoke-Inveigh PowerShell cmdlets likely for name service poisoning.'), 'T1222.002': ('APT32 macOS backdoor changes the permission of the file it wants to execute to 755.'), 'T1222.002': ('Kinsing has used chmod to modify permissions on key files for use.'), 'T1222.002': ('OSX Shlayer can use the chmod utility to set a .app file as executable and the spctl application to disable Gatekeeper protection for a downloaded file..'), 'T1222.002': ('P.A.S. Webshell has the ability to modify file permissions.'), 'T1222.002': ('Penquin can add the executable flag to a downloaded file.'), 'T1222.002': ('Rocke has changed file permissions of files so they could not be modified.'), 'T1491.001': ('Lazarus Group replaced the background wallpaper of systems with a threatening image after rendering the system unbootable with a Disk Structure Wipe'), 'T1491.001': ('Ransomware defaced internal website to show threatening message about exposing sensitive data'), 'T1491.001': ('Adversary may deface systems internal to an organization in an attempt to intimidate or mislead users'), 'T1491.001': ('Actor group replaced system wallpaper with company trade secret information to intimidate company paying the ransom'), 'T1491.001': ('Ransomware replaces background wallpaper with ransom message after encrypting the data'), 'T1564.003': ('Agent Tesla has used ProcessWindowStyle.Hidden to hide windows.'), 'T1564.003': ('A'),P'T19 used ': (' Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden.'), 'T1564.003': ('APT28 has used the 
WindowStyle parameter to conceal PowerShell windows.'), 'T1564.003': ('APT3 has been known to use -WindowStyle Hidden to conceal PowerShell windows.'), 'T1564.003': ('APT32 has used the WindowStyle parameter to conceal PowerShell windows.'), 'T1564.003': ('Astaroth loads its module with the XSL script parameter vShow set to zero which opens the application with a hidden window.'), 'T1564.003': ('BONDUPDATER uses -windowstyle hidden to conceal a PowerShell window that downloads a payload.'), 'T1564.003': ('CopyKittens has used -w hidden and -windowstyle hidden to conceal PowerShell windows.'), 'T1564.003': ('DarkHydrus has used -WindowStyle Hidden to conceal PowerShell windows.'), 'T1564.003': ('Deep Panda has used -w hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden.'), 'T1564.003': ('Gorgon Group has used -W Hidden to conceal PowerShell windows by setting the WindowStyle parameter to hidden.'), 'T1564.003': ('HAMMERTOSS has used -WindowStyle hidden to conceal PowerShell windows.'), 'T1564.003': ('Higaisa used a payload that creates a hidden window.'), 'T1564.003': ('HotCroissant has the ability to hide the window for operations performed on a given file.'), 'T1564.003': ('InvisiMole has executed legitimate tools in hidden windows.'), 'T1564.003': ('KeyBoy uses -w Hidden to conceal a PowerShell window that downloads a payload.'), 'T1564.003': ('Kivars has the ability to conceal its activity through hiding active windows.'), 'T1564.003': ('Magic Hound malware has a function to determine whether the C2 server wishes to execute the newly dropped file in a hidden window.'), 'T1564.003': ('MCMD can modify processes to prevent them from being visible on the desktop.'), 'T1564.003': ('Metamorfo has hidden its GUI using the ShowWindow() WINAPI call.'), 'T1564.003': ('PowerShower has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default.'), 'T1564.003': ('StrongPity 
has the ability to hide the console window for its document search module from the user.'), 'T1564.003': ('Ursnif droppers have used COM properties to execute malware in hidden windows.'), 'T1564.003': ('WindTail can instruct the OS to execute an application without a dock icon or menu.'), 'T1564.004': ('Anchor has used NTFS to hide files.'), 'T1564.004': ('APT32 used NTFS alternate data streams to hide their payloads.'), 'T1564.004': ('Astaroth can abuse alternate data streams (ADS) to store content for malicious payloads.'), 'T1564.004': ('BitPaymer has copied itself to the :bin alternate data stream of a newly created file.'), 'T1564.004': ('esentutl can be used to read and write alternate data streams.'), 'T1564.004': ('Expand can be used to download or copy a file into an alternate data stream.'), 'T1564.004': ('Gazer stores configuration items in alternate data streams (ADSs) if the Registry is not accessible.'), 'T1564.004': ('LoJax has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions.'), 'T1564.004': ('PowerDuke hides many of its backdoor payloads in an alternate data stream (ADS).'), 'T1564.004': ('If the victim is using PowerShell 3.0 or later POWERSOURCE writes its decoded payload to an alternate data stream (ADS) named kernel32.dll that is saved in PROGRAMDATAWindows.'), 'T1564.004': 'The Regin malware platform uses Extended Attributes to store encrypted executables.'), 'T1564.004': ('Valak has the ability save and execute files as alternate data streams (ADS).'), 'T1564.004': ('Some variants of the Zeroaccess Trojan have been known to store data in Extended Attributes.'), 'T1564.001': ('Agent Tesla has created hidden folders.'), 'T1564.001': ('AppleJeus has added a leading . 
to plist filenames unlisting them from the Finder app and default Terminal directory listings.'), 'T1564.001': ('APT28 has saved files with hidden file attributes.'), 'T1564.001': ('APT32 macOS backdoor hides the clientID file via a chflags function.'), 'T1564.001': ('Attor can set attributes of log files and directories to HIDDEN SYSTEM ARCHIVE or a combination of those.'), 'T1564.001': ('BackConfig has the ability to set folders or files to be hidden from the Windows Explorer default view.'), 'T1564.001': ('Calisto uses a hidden directory named .calisto to store data from the victimmachine before exfiltration.'), 'T1564.001': ('Carberp has created a hidden file in the Startup folder of the current user.'), 'T1564.001': ('CoinTicker downloads the following hidden files to evade detection and maintain persistence: private tmp .info.enc private tmp .info.py private tmp .server.sh ~ Library LaunchAgents .espl.plist ~ Library Containers .random string random string.'), 'T1564.001': ('Dacls has had its payload named with a dot prefix to make it hidden from view in the Finder application.'), 'T1564.001': ('Explosive has commonly set file and path attributes to hidden.'), 'T1564.001': ('FruitFly saves itself with a leading . to make it a hidden file.'), 'T1564.001': ('iKitten saves itself with a leading . 
so that it hidden from users by default.'), 'T1564.001': ('Imminent Monitor has a dynamic debugging feature to set the file attribute to hidden.'), 'T1564.001': ('InvisiMole can create hidden system directories.'), 'T1564.001': ('Ixeshe sets its own executable file attributes to hidden.'), 'T1564.001': 'The Komplex payload is stored in a hidden directory at Users Shared .local kextd.'), 'T1564.001': ('Lazarus Group has used a VBA Macro to set its file attributes to System and Hidden and has named files with a dot prefix to hide them from the Finder application.'), 'T1564.001': ('Lokibot has the ability to copy itself to a hidden file and directory.'), 'T1564.001': ('LoudMiner has set the attributes of the VirtualBox directory and VBoxVmService parent directory to hidden.'), 'T1564.001': ('Machete has the capability to exfiltrate stolen data to a hidden folder on a removable drive.'), 'T1564.001': ('MacSpy stores itself in ~ Library .DS_Stores '), 'T1564.001': ('Micropsia creates a new hidden directory to store all components outputs in a dedicated sub-folder for each.'), 'T1564.001': ('Mustang Panda PlugX variant has created a hidden folder on USB drives named RECYCLE.BIN to store malicious executables and collected data.'), 'T1564.001': ('NETWIRE can copy itself to and launch itself from hidden folders.'), 'T1564.001': ('Before exfiltration Okrum backdoor has used hidden files to store logs and outputs from backdoor commands.'), 'T1564.001': ('OSX Shlayer executes a .command script from a hidden directory in a mounted DMG.'), 'T1564.001': ('OSX_OCEANLOTUS.D sets the main loader fileattributes to hidden.'), 'T1564.001': ('PoetRAT has the ability to hide and unhide files.'), 'T1564.001': ('Rising Sun can modify file attributes to hide files.'), 'T1564.001': ('Rocke downloaded a file libprocesshider which could hide files on the target system.'), 'T1564.001': ('SLOTHFULMEDIA has been created with a hidden attribute to insure it not visible to the victim.'), 
'T1564.001': 'ThiefQuest hides a copy of itself in the user ~ Library directory by using a . at the beginning of the file name followed by 9 random characters.'), 'T1564.001': 'Tropic Trooper has created a hidden directory under C:ProgramDataAppleUpdates and C:UsersPublicDocumentsFlash.'), 'T1564.001': ('WannaCry uses attrib +h to make some of its files hidden.'), 'T1562.004': ('APT29 used netsh to configure firewall rules that limited certain UDP outbound packets.'), 'T1562.004': 'The ZR variant of BACKSPACE will check to see if known host-based firewalls are installed on the infected systems. BACKSPACE will attempt to establish a C2 channel then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed.'), 'T1562.004': ('BADCALL disables the Windows firewall before binding to a port.'), 'T1562.004': ('Carbanak may use netsh to add local firewall rule exceptions.'), 'T1562.004': ('CookieMiner has checked for the presence of Little Snitch macOS network monitoring and application firewall software stopping and exiting if it is found.'), 'T1562.004': ('DarkComet can disable Security Center functions like the Windows Firewall.'), 'T1562.004': ('Dragonfly 2.0 has disabled host-based firewalls. 
The group has also globally opened port 3389.'), 'T1562.004': ('Grandoreiro can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level.'), 'T1562.004': ('H1N1 kills and disables services for Windows Firewall.'), 'T1562.004': ('HARDRAIN opens the Windows Firewall to modify incoming connections.'), 'T1562.004': ('HOPLIGHT has modified the firewall using netsh.'), 'T1562.004': ('InvisiMole has a command to disable routing and the Firewall on the victimmachine.'), 'T1562.004': ('Kasidet has the ability to change firewall settings to allow a plug-in to be downloaded.'), 'T1562.004': ('Kimsuky has been observed disabling the system firewall.'), 'T1562.004': ('Various Lazarus Group malware modifies the Windows firewall to allow incoming connections or disable it entirely using netsh.'), 'T1562.004': ('NanoCore can modify the victim firewall.'), 'T1562.004': ('netsh can be used to disable local firewall settings.'), 'T1562.004': ('njRAT has modified the Windows firewall to allow itself to communicate through the firewall.'), 'T1562.004': ('Operation Wocao has used PowerShell to add and delete rules in the Windows firewall.'), 'T1562.004': ('Remsec can add or remove applications or ports on the Windows firewall or disable it entirely.'), 'T1562.004': ('Rocke used scripts which killed processes and added firewall rules to block traffic related to other cryptominers.'), 'T1562.004': 'TYPEFRAME can open the Windows Firewall on the victimmachine to allow incoming connections.'), 'T1562.004': ('UNC2452 used netsh to configure firewall rules that limited certain UDP outbound packets.'), 'T1562.004': ('ZxShell can disable the firewall by modifying the registry key HKLMSYSTEMCurrentControlSetServicesSharedAccessParametersFirewallPolicyStandardProfile. 
'), 'T1562.002': ('APT29 used AUDITPOL to prevent the collection of audit logs.'), 'T1562.002': 'Threat Group-3390 has used appcmd.exe to disable logging on a victim server.'), 'T1562.002': ('UNC2452 used AUDITPOL to prevent the collection of audit logs.'), 'T1562.002': ('Malware disable Windows event logging to limit data that can be leveraged for detections and audits'), 'T1562.002': ('Adversary disabled windows event logging for database application to supress evidance of exfilteration'), 'T1070.006': ('3PARA RAT has a command to set certain attributes such as creation modification timestamps on files.'), 'T1070.006': ('APT28 has performed timestomping on victim files.'), 'T1070.006': ('APT29 modified timestamps of backdoors to match legitimate Windows files.'), 'T1070.006': ('APT32 has used scheduled task raw XML with a backdated timestamp of June 2 2016. The group has also set the creation time of the files dropped by the second stage of the exploit to match the creation time of kernel32.dll. 
Additionally APT32 has used a random value to modify the timestamp of the file storing the clientID.'), 'T1070.006': ('Attor has manipulated the time of last access to files and registry keys after they have been created or modified.'), 'T1070.006': ('Bankshot modifies the time of a file as specified by the control server.'), 'T1070.006': ('BitPaymer can modify the timestamp of an executable so that it can be identified and restored by the decryption tool.'), 'T1070.006': ('BLINDINGCAN has modified file and directory timestamps.'), 'T1070.006': ('Chimera has used a Windows version of the Linux touch command to modify the date and time stamp on DLLs.'), 'T1070.006': ('China Chopper server component can change the timestamp of files.'), 'T1070.006': ('Cobalt Strike can timestomp any files or payloads placed on a target machine to help them blend in.'), 'T1070.006': 'The Derusbi malware supports timestomping.'), 'T1070.006': ('Elise performs timestomping of a CAB file it creates.'), 'T1070.006': ('Empire can timestomp any files or payloads placed on a target machine to help them blend in.'), 'T1070.006': ('EVILNUM has changed the creation date of files.'), 'T1070.006': ('FALLCHILL can modify file or directory timestamps.'), 'T1070.006': ('For early Gazer versions the compilation timestamp was faked.'), 'T1070.006': ('InvisiMole samples were timestomped by the authors by setting the PE timestamps to all zero values. 
InvisiMole also has a built-in command to modify file times.'), 'T1070.006': ('KeyBoy time-stomped its DLL in order to evade detection.'), 'T1070.006': ('Kimsuky has manipulated timestamps for creation or compilation dates to defeat anti-forensics.'), 'T1070.006': ('Several Lazarus Group malware families use timestomping including modifying the last write timestamp of a specified Registry key to a random date as well as copying the timestamp for legitimate .exe files (such as calc.exe or mspaint.exe) to its dropped files.'), 'T1070.006': ('Many Misdat samples were programmed using Borland Delphi which will mangle the default PE compile timestamp of a file.'), 'T1070.006': ('OSX_OCEANLOTUS.D can use the touch command to change timestamps.'), 'T1070.006': ('OwaAuth has a command to timestop a file or directory.'), 'T1070.006': ('POSHSPY modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013.'), 'T1070.006': ('PowerStallion modifies the MAC times of its local log files to match that of the victim desktop.ini file.'), 'T1070.006': ('Psylo has a command to conduct timestomping by setting a specified filetimestamps to match those of a system file in the System32 directory.'), 'T1070.006': ('Rocke has changed the time stamp of certain files.'), 'T1070.006': ('SEASHARPEE can timestomp files on victims using a Web shell.'), 'T1070.006': ('Shamoon can change the modified time for files to evade forensic detection.'), 'T1070.006': 'TAINTEDSCRIBE can change the timestamp of specified filenames.'), 'T1070.006': ('After creating a new service for persistence TDTESS sets the file creation time for the service to the creation time of the victim legitimate svchost.exe file.'), 'T1070.006': 'TEMP.Veles used timestomping to modify the $STANDARD_INFORMATION attribute on tools.'), 'T1070.006': ('UNC2452 modified timestamps of backdoors to match legitimate Windows files.'), 'T1070.006': ('USBStealer sets the timestamps of its dropper 
files to the last-access and last-write timestamps of a standard Windows library chosen on the system.'), 'T1552.004': ('APT29 obtained the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.'), 'T1552.004': ('Ebury has intercepted unencrypted private keys as well as private key pass-phrases.'), 'T1552.004': ('Empire can use modules like Invoke-SessionGopher to extract private key and session information.'), 'T1552.004': ('Hildegard has searched for private keys in .ssh.'), 'T1552.004': ('jRAT can steal keys for VPNs and cryptocurrency wallets.'), 'T1552.004': ('Kinsing has searched for private keys.'), 'T1552.004': ('Machete has scanned and looked for cryptographic keys and certificate file extensions.'), 'T1552.004': ('Mimikatz CRYPTO::Extract module can extract keys by interacting with Windows cryptographic application programming interface (API) functions.'), 'T1552.004': ('Operation Wocao has used Mimikatz to dump certificates and private keys from the Windows certificate store.'), 'T1552.004': ('Rocke has used SSH private keys on the infected machine to spread its coinminer throughout a network.'), 'T1552.004': ('UNC2452 obtained the private encryption key from an Active Directory Federation Services (AD FS) container to decrypt corresponding SAML signing certificates.'), 'T1070.004': ('ADVSTORESHELL can delete files and directories.'), 'T1070.004': ('Anchor can self delete its dropper after the malware is successfully deployed.'), 'T1070.004': ('AppleJeus has deleted the MSI file after installation.'), 'T1070.004': ('A'),P'T18 actor': ('leted tools and batch files from victim systems.'), 'T1070.004': ('APT28 has intentionally deleted computer files to cover their tracks including with use of the program CCleaner.'), 'T1070.004': ('APT29 routinely removed their tools including custom backdoors once remote access was achieved. 
APT29 has also used SDelete to remove artifacts from victims.'), 'T1070.004': ('APT3 has a tool that can delete files.'), 'T1070.004': ('APT32 macOS backdoor can receive adelete command.'), 'T1070.004': ('APT38 has used a utility called CLOSESHAVE that can securely delete a file from the system.'), 'T1070.004': ('APT39 has used malware to delete files after they are deployed on a compromised host.'), 'T1070.004': ('APT41 deleted files from the system.'), 'T1070.004': ('Aria-body has the ability to delete files and directories on compromised hosts.'), 'T1070.004': ('Attorplugin deletes the collected files and log files after exfiltration.'), 'T1070.004': ('AuditCred can delete files from the system.'), 'T1070.004': ('Azorult can delete files from victim machines.'), 'T1070.004': ('BabyShark has cleaned up all files associated with the secondary payload execution.'), 'T1070.004': ('BackConfig has the ability to remove files and folders related to previous infections.'), 'T1070.004': ('Backdoor.Oldrea contains a cleanup module that removes traces of itself from the victim.'), 'T1070.004': ('Bankshot marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system.'), 'T1070.004': ('Bazar can delete its loader using a batch file in the Windows temporary folder.'), 'T1070.004': ('BBSRAT can delete files and directories.'), 'T1070.004': ('Bisonal deletes its dropper and VBS scripts from the victimmachine.'), 'T1070.004': ('BLACKCOFFEE has the capability to delete files.'), 'T1070.004': ('BLINDINGCAN has deleted itself and associated artifacts from victim machines.'), 'T1070.004': 'The BRONZE BUTLER uploader or malware the uploader uses command to delete the RAR archives after they have been exfiltrated.'), 'T1070.004': ('Calisto has the capability to use rm -rf to remove folders and files from the victim machine.'), 'T1070.004': ('Carbanak has a command to delete files.'), 'T1070.004': ('Cardinal RAT can uninstall itself including 
deleting its executable.'), 'T1070.004': ('CARROTBAT has the ability to delete downloaded files from a compromised host.'), 'T1070.004': ('Recent versions of Cherry Picker delete files and registry keys created by the malware.'), 'T1070.004': ('Chimera has performed file deletion to evade detection.'), 'T1070.004': ('cmd can be used to delete files from the file system.'), 'T1070.004': ('Cobalt Group deleted the DLL dropper from the victimmachine to cover their tracks.'), 'T1070.004': ('Cryptoistic has the ability delete files from a compromised host.'), 'T1070.004': ('CSPY Downloader has the ability to self delete.'), 'T1070.004': ('Denis has a command to delete files from the victimmachine.'), 'T1070.004': ('Derusbi is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes.'), 'T1070.004': ('Dragonfly 2.0 deleted many of its files used during operations as part of cleanup including removing applications and deleting screenshots.'), 'T1070.004': ('Drovorub can delete specific files from a compromised host.'), 'T1070.004': ('Dtrack can remove its persistence and delete itself.'), 'T1070.004': ('DustySky can delete files it creates from the infected system.'), 'T1070.004': ('ECCENTRICBANDWAGON can delete log files generated from the malware stored at C:windowstemptmp0207.'), 'T1070.004': ('Elise is capable of launching a remote shell on the host to delete itself.'), 'T1070.004': ('Epic has a command to delete a file from the machine.'), 'T1070.004': ('EvilBunny has deleted the initial dropper after running through the environment checks.'), 'T1070.004': ('Evilnum has deleted files used during infection.'), 'T1070.004': ('Exaramel for Linux can uninstall its persistence mechanism and delete its configuration file.'), 'T1070.004': ('FALLCHILL can delete malware and associated artifacts from the victim.'), 'T1070.004': ('FatDuke can secure delete its 
DLL.'), 'T1070.004': ('FELIXROOT deletes the .LNK file from the startup directory as well as the dropper components.'), 'T1070.004': ('FIN10 has used batch scripts and scheduled tasks to delete critical system files.'), 'T1070.004': ('FIN5 uses SDelete to clean up the environment and attempt to prevent detection.'), 'T1070.004': ('FIN6 has removed files from victim machines.'), 'T1070.004': ('FIN8 has deleted tmp and prefetch files during post compromise cleanup activities.'), 'T1070.004': ('FruitFly will delete files on the system.'), 'T1070.004': ('Fysbis has the ability to delete files.'), 'T1070.004': ('Gamaredon Group tools can delete files used during an infection.'), 'T1070.004': ('Gazer has commands to delete files and persistence mechanisms from the victim.'), 'T1070.004': ('gh0st RAT has the capability to to delete files.'), 'T1070.004': ('Gold Dragon deletes one of its files 2.hwp from the endpoint after establishing persistence.'), 'T1070.004': ('GoldenSpy uninstaller can delete registry entries files and folders and finally itself once these tasks have been completed.'), 'T1070.004': ('Grandoreiro can delete .LNK files created in the Startup folder.'), 'T1070.004': ('GreyEnergy can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API.'), 'T1070.004': ('Malware used by Group5 is capable of remotely deleting files from victims.'), 'T1070.004': ('GuLoader can delete its executable from the AppDataLocalTemp directory on the compromised host.'), 'T1070.004': ('HALFBAKED can delete a specified file.'), 'T1070.004': ('Hancitor has deleted files using the VBA kill function.'), 'T1070.004': ('HAWKBALL has the ability to delete files.'), 'T1070.004': ('Hi-Zor deletes its RAT installer file as it executes its DLL payload file.'), 'T1070.004': ('Hildegard has deleted scripts after execution.'), 'T1070.004': ('Honeybee removes batch files to reduce fingerprint on the system as well as deletes the CAB file that gets 
encoded upon infection.'), 'T1070.004': ('HotCroissant has the ability to clean up installed files delete files and delete itself from the victimmachine.'), 'T1070.004': ('HTTPBrowser deletes its original installer file once installation is complete.'), 'T1070.004': ('Hydraq creates a backdoor through which remote attackers can delete files.'), 'T1070.004': ('HyperBro has the ability to delete a specified file.'), 'T1070.004': ('Imminent Monitor has deleted files related to its dynamic debugger feature.'), 'T1070.004': ('InnaputRAT has a command to delete files.'), 'T1070.004': ('InvisiMole has deleted files and directories including XML and files successfully uploaded to C2 servers.'), 'T1070.004': ('Ixeshe has a command to delete a file from the machine.'), 'T1070.004': 'The JHUHUGIT dropper can delete itself from the victim. Another JHUHUGIT variant has the capability to delete specified files.'), 'T1070.004': ('JPIN installer uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running.'), 'T1070.004': ('jRAT has a function to delete files from the victimmachine.'), 'T1070.004': ('Kazuar can delete files.'), 'T1070.004': ('KEYMARBLE has the capability to delete files off the victimmachine.'), 'T1070.004': ('Kimsuky has deleted the exfiltrated data on disk after transmission.'), 'T1070.004': ('Kivars has the ability to uninstall malware from the infected host.'), 'T1070.004': 'The Komplex trojan supports file deletion.'), 'T1070.004': ('KONNI can delete files.'), 'T1070.004': ('Lazarus Group malware deletes files in various ways including suicide scripts to delete malware binaries from the victim. 
Lazarus Group also uses secure file deletion to delete files from the victim.'), 'T1070.004': ('LightNeuron has a function to delete files.'), 'T1070.004': ('Linfo creates a backdoor through which remote attackers can delete files.'), 'T1070.004': ('LockerGoga has been observed deleting its original launcher after execution.'), 'T1070.004': ('LookBack removes itself after execution and can delete files on the system.'), 'T1070.004': ('LoudMiner deleted installation files after completion.'), 'T1070.004': ('Once a file is uploaded Machete will delete it from the machine.'), 'T1070.004': ('MacSpy deletes any temporary files it creates'), 'T1070.004': ('Magic Hound has deleted and overwrote files to cover tracks.'), 'T1070.004': ('A menuPass macro deletes files after it has decoded and decompressed them.'), 'T1070.004': ('Once loaded into memory MESSAGETAP deletes the keyword_parm.txt and parm.txt configuration files from disk.'), 'T1070.004': ('Metamorfo has deleted itself from the system after execution.'), 'T1070.004': ('Misdat is capable of deleting the backdoor file.'), 'T1070.004': ('MoonWind can delete itself or specified files.'), 'T1070.004': ('More_eggs can remove itself from a system.'), 'T1070.004': ('Mosquito deletes files using DeleteFileW API call.'), 'T1070.004': ('MURKYTOP has the capability to delete local files.'), 'T1070.004': ('Mustang Panda will delete their tools and files and kill processes after their objectives are reached.'), 'T1070.004': ('NanHaiShu launches a script to delete their original decoy file to cover tracks.'), 'T1070.004': ('NOKKI can delete files to cover tracks.'), 'T1070.004': ('OceanSalt can delete files from the system.'), 'T1070.004': ('OilRig has deleted files associated with their payload after execution.'), 'T1070.004': ('Okrum backdoor deletes files after they have been successfully uploaded to C2 servers.'), 'T1070.004': ('OopsIE has the capability to delete files and scripts from the victim machine.'), 'T1070.004': 
('Operation Wocao has deleted logs and executable files used during an intrusion.'), 'T1070.002': ('Proton removes logs from var logs and Library logs.'), 'T1070.002': ('Rocke has cleared log files within the var log folder.'), 'T1070.002': ('Adversaries deleted var log auth.log after braking into system by password bruteforce attack'), 'T1070.002': ('Actor clear system logs to hide evidence of an intrusion'), 'T1070.002': ('Malware deletes var log cron.log to hide evidence of tampering with cron jobs to enable persistence'), 'T1070.001': ('APT28 has cleared event logs including by using the commands wevtutil cl System and wevtutil cl Security.'), 'T1070.001': ('APT32 has cleared select event log entries.'), 'T1070.001': ('APT38 clears Window Event logs and Sysmon logs from the system.'), 'T1070.001': ('APT41 attempted to remove evidence of some of its activity by clearing Windows security and system events.'), 'T1070.001': 'The BlackEnergy component KillDisk is capable of deleting Windows Event Logs.'), 'T1070.001': ('Chimera has cleared event logs on compromised hosts.'), 'T1070.001': ('Dragonfly 2.0 cleared Windows event logs and other logs produced by tools they used including system security terminal services remote services and audit logs. 
The actors also deleted specific Registry keys.'), 'T1070.001': ('FIN5 has cleared event logs from victims.'), 'T1070.001': ('FIN8 has cleared logs during post compromise cleanup activities.'), 'T1070.001': ('FinFisher clears the system event logs using OpenEventLog ClearEventLog APIs .'), 'T1070.001': ('gh0st RAT is able to wipe event logs.'), 'T1070.001': ('Hydraq creates a backdoor through which remote attackers can clear all system event logs.'), 'T1070.001': ('Lucifer can clear and remove event logs.'), 'T1070.001': ('NotPetya uses wevtutil to clear the Windows event logs.'), 'T1070.001': ('Olympic Destroyer will attempt to clear the System and Security event logs using wevtutil.'), 'T1070.001': ('Operation Wocao has deleted Windows Event Logs to hinder forensic investigation.'), 'T1070.001': ('Pupy has a module to clear event logs with PowerShell.'), 'T1070.001': ('RunningRAT contains code to clear event logs.'), 'T1070.001': ('SynAck clears event logs.'), 'T1070.001': ('ZxShell has a command to clear system event logs.'), 'T1027.005': ('APT3 has been known to remove indicators of compromise from tools.'), 'T1027.005': ('Cobalt Strike includes a capability to modify the beacon payload to eliminate known signatures or unpacking methods.'), 'T1027.005': ('Analysis of Daserf has shown that it regularly undergoes technical improvements to evade anti-virus detection.'), 'T1027.005': ('Deep Panda has updated and modified its malware resulting in different hash values that evade detection.'), 'T1027.005': ('GALLIUM ensured each payload had a unique hash including by using different types of packers.'), 'T1027.005': 'The author of GravityRAT submitted samples to VirusTotal for testing showing that the author modified the code to try to hide the DDE object in a different part of the document.'), 'T1027.005': ('InvisiMole has undergone regular technical improvements in an attempt to evade detection.'), 'T1027.005': ('OilRig has tested malware samples to determine AV 
detection and subsequently modified the samples to ensure AV evasion.'), 'T1027.005': ('Operation Wocao has edited variable names within the Impacket suite to avoid automated detection.'), 'T1027.005': ('Patchwork apparently altered NDiskMonitor samples by adding four bytes of random letters in a likely attempt to change the file hashes.'), 'T1027.005': ('Penquin can remove strings from binaries.'), 'T1027.005': ('PowerSploit Find-AVSignature AntivirusBypass module can be used to locate single byte anti-virus signatures.'), 'T1027.005': ('SUNBURST source code used generic variable names and pre-obfuscated strings and was likely sanitized of developer comments before being added to SUNSPOT.'), 'T1027.005': 'TEMP.Veles has modified files based on the open-source project cryptcat in an apparent attempt to decrease AV detection rates.'), 'T1027.005': ('Based on comparison of Gazer versions Turla made an effort to obfuscate strings in the malware that could be used as IoCs including the mutex name and named pipe.'), 'T1027.005': ('Waterbear can scramble functions not to be executed again with random values.'), 'T1027.004': ('Cardinal RAT and its watchdog component are compiled and executed after being delivered to victims as embedded uncompiled source code.'), 'T1027.004': ('Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.'), 'T1027.004': ('MuddyWater has used the .NET csc.exe tool to compile executables from downloaded C# code.'), 'T1027.004': ('njRAT has used AutoIt to compile the payload and main script into a single executable after delivery.'), 'T1027.004': ('Rocke has compiled malware delivered to victims as .c files with the GNU Compiler Collection (GCC).'), 'T1036.006': ('Keydnap puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program.'), 'T1036.006': ('Adversary put extra space after .doc extension inside 
a filename to trick users into double clicking assuming its benign document and instead executing malicious binary through Terminal App'), 'T1036.006': ('Malware put extra space after a false .png extension so user inadvertantly clicks it assuming its a harmless photo'), 'T1036.006': ('Campaign puts blank space after filename to evade monitoring rules for blocking executable files'), 'T1036.006': ('then drops a malware with extension having an extra space at the end so that it will actually run via terminal app instead of opening via photo app'), 'T1036.002': ('BlackTech has used right-to-left-override to obfuscate the filenames of malicious e-mail attachments.'), 'T1036.002': ('BRONZE BUTLER has used Right-to-Left Override to deceive victims into executing several strains of malware.'), 'T1036.002': ('Ke3chang has used the right-to-left override character in spearphishing attachment names to trick targets into executing .scr and .exe files.'), 'T1036.002': ('Scarlet Mimic has used the left-to-right override character in self-extracting RAR archive spearphishing attachment file names.'), 'T1036.002': ('Adversary use the right-to-left override (RTLO) as a means of tricking a user into executing what they think is a benign file type but is actually executable code'), 'T1560.002': ('BBSRAT can compress data with ZLIB prior to sending it back to the C2 server.'), 'T1560.002': ('Cardinal RAT applies compression to C2 traffic using the ZLIB library.'), 'T1560.002': ('Denis compressed collected data using zlib.'), 'T1560.002': ('Epic compresses the collected data with bzip2 before sending it to the C2 server.'), 'T1560.002': ('InvisiMole can use zlib to compress and decompress data.'), 'T1560.002': ('Lazarus Group malware IndiaIndia saves information gathered about the victim to a file that is compressed with Zlib encrypted and uploaded to a C2 server.'), 'T1560.002': ('SeaDuke compressed data with zlib prior to sending it over C2.'), 'T1560.002': 'TajMahal has the 
ability to use the open source libraries XZip Xunzip and zlib to compress files.'), 'T1560.002': 'Threat Group-3390 has used RAR to compress encrypt and password-protect files prior to exfiltration.'), 'T1560.002': 'The ZLib backdoor compresses communications using the standard Zlib compression library.'), 'T1565.003': ('APT38 has used DYEPACK.FOX to manipulate PDF data as it is accessed to remove traces of fraudulent SWIFT transactions from the data displayed to the end user.'), 'T1565.003': ('DYEPACK malware modifies documents before they are accessed and executes the legitimate Foxit reader program to display the modified documents'), 'T1565.003': ('Malware removes failed authentication entries from log before they are accessed to evade detection by administrator'), 'T1565.003': ('Malware changes bank account numbers from payable receipts before displaying to user to cause fund transfer to adversary account'), 'T1565.003': ('Malware changes bitcoin address from clipboard before they are pasted by user to cause funds getting transfered to adversary account.'), 'T1565.003': (''), 'T1561.002': ('APT37 has access to destructive malware that is capable of overwriting a machine Master Boot Record (MBR).'), 'T1561.002': ('APT38 has used a custom MBR wiper named BOOTWRECK to render systems inoperable.'), 'T1561.002': ('Lazarus Group malware SHARPKNOT overwrites and deletes the Master Boot Record (MBR) on the victim machine and has possessed MBR wiper malware since at least 2009.'), 'T1561.002': ('RawDisk was used in Shamoon to help overwrite components of disk structure like the MBR and disk partitions.'), 'T1561.002': ('Sandworm Team has used the BlackEnergy KillDisk component to corrupt the infected system master boot record.'), 'T1561.002': ('Shamoon has been seen overwriting features of disk structure such as the MBR.'), 'T1561.002': ('StoneDrill can wipe the master boot record of an infected computer.'), 'T1561.001': ('Lazarus Group has used malware like 
WhiskeyAlfa to overwrite the first 64MB of every drive with a mix of static and random buffers. A similar process is then used to wipe content in logical drives and finally attempt to wipe every byte of every sector on every drive. WhiskeyBravo can be used to overwrite the first 4.9MB of physical drives. WhiskeyDelta can overwrite the first 132MB or 1.5MB of each drive with random data from heap memory.'), 'T1561.001': ('MegaCortex can wipe deleted data from all drives using cipher.exe.'), 'T1561.001': ('RawDisk has been used to directly access the hard disk to help overwrite arbitrarily sized portions of disk content.'), 'T1561.001': ('StoneDrill can wipe the accessible physical or logical drives of the infected machine.'), 'T1561.001': 'The group carried out the attack using a custom modular ransomware executable and master boot record (MBR) wiper dubbedApostle.'), 'T1561.001': ('NotPetya infects the master boot record (MBR) and prevents any system from booting. Even if the ransom is paid however the damage from NotPetya is irreversible so it is likely that the actoraim was to sabotage the infected system rather than gaining money out of it.'), 'T1559.002': ('APT28 has delivered JHUHUGIT and Koadic by executing PowerShell commands through DDE in Word documents.'), 'T1559.002': ('APT37 has used Windows DDE for execution of commands and a malicious VBS.'), 'T1559.002': ('Cobalt Group has sent malicious Word OLE compound documents to victims.'), 'T1559.002': ('FIN7 spear phishing campaigns have included malicious Word documents with DDE execution.'), 'T1559.002': ('Gallmaker attempted to exploit MicrosoftDDE protocol in order to gain access to victim machines and for execution.'), 'T1559.002': ('GravityRAT has been delivered via Word documents using DDE for execution.'), 'T1559.002': ('HAWKBALL has used an OLE object that uses Equation Editor to drop the embedded shellcode.'), 'T1559.002': ('KeyBoy uses the Dynamic Data Exchange (DDE) protocol to download remote 
payloads.'), 'T1559.002': ('MuddyWater has used malware that can execute PowerShell scripts via DDE.'), 'T1559.002': ('Patchwork leveraged the DDE protocol to deliver their malware.'), 'T1559.002': ('PoetRAT was delivered with documents using DDE to execute malicious code.'), 'T1559.002': ('POWERSTATS can use DDE to execute additional payloads on compromised hosts.'), 'T1559.002': ('Ramsay has been delivered using OLE objects in malicious documents.'), 'T1559.002': ('RTM can search for specific strings within browser tabs using a Dynamic Data Exchange mechanism.'), 'T1559.002': ('Sharpshooter has sent malicious Word OLE documents to victims.'), 'T1559.002': ('Sidewinder has used the ActiveXObject utility to create OLE objects to obtain execution through Internet Explorer.'), 'T1559.002': 'TA505 has leveraged malicious Word documents that abused DDE.'), 'T1559.002': ('Valak can execute tasks via OLE.'), 'T1559.001': ('Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.'), 'T1559.001': ('InvisiMole can use the ITaskService ITaskDefinition and ITaskSettings COM interfaces to schedule a task.'), 'T1559.001': ('MuddyWater has used malware that has the capability to execute malicious code via COM DCOM and Outlook.'), 'T1559.001': ('POWERSTATS can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts.'), 'T1559.001': ('Ramsay can use the Windows COM API to schedule tasks and maintain persistence.'), 'T1559.001': 'TrickBot used COM to setup scheduled task for persistence.'), 'T1559.001': ('Ursnif droppers have used COM objects to execute the malware full executable payload.'), 'T1569.002': ('Anchor can create and execute services to load its payload.'), 'T1569.002': ('APT32 backdoor has used Windows services as a way to execute its malicious payload.'), 'T1569.002': ('APT39 has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to 
execute processes.'), 'T1569.002': ('APT41 used Net to execute a system service installed to launch a Cobalt Strike BEACON loader.'), 'T1569.002': ('Attor dispatcher can be executed as a service.'), 'T1569.002': ('BBSRAT can start stop or delete services.'), 'T1569.002': ('Blue Mockingbird has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the wercplsupport service.'), 'T1569.002': ('Chimera has used PsExec to deploy beacons on compromised systems.'), 'T1569.002': ('Cobalt Strike can use PsExec to execute a payload on a remote host. It can also use Service Control Manager to start new services.'), 'T1569.002': ('Empire can use PsExec to execute a payload on a remote host.'), 'T1569.002': ('FIN6 has created Windows services to execute encoded PowerShell commands.'), 'T1569.002': ('gh0st RAT can execute its service if the Service key exists. If the key does not exist gh0st RAT will create and run the service.'), 'T1569.002': ('Honeybee launches a DLL file that gets executed as a service using svchost.exe'), 'T1569.002': ('HOPLIGHT has used svchost.exe to execute a malicious DLL .'), 'T1569.002': ('Hydraq uses svchost.exe to execute a malicious DLL included in a new service group.'), 'T1569.002': ('HyperBro has the ability to start and stop a specified service.'), 'T1569.002': ('Impacket contains various modules emulating other service execution tools such as PsExec.'), 'T1569.002': ('InvisiMole has used Windows services as a way to execute its malicious payload.'), 'T1569.002': ('Ke3chang has used a tool known as RemoteExec (similar to PsExec) to remotely execute batch scripts and binaries.'), 'T1569.002': ('Koadic can run a command on another machine using PsExec.'), 'T1569.002': ('LoudMiner started the cryptomining virtual machine as a service on the infected machine.'), 'T1569.002': 'The net start and net stop commands can be used in Net to execute or stop Windows services.'), 'T1569.002': ('Net Crawler uses PsExec to perform remote 
service manipulation to execute a copy of itself as part of lateral movement.'), 'T1569.002': ('Operators deploying Netwalker have used psexec and certutil to retrieve the Netwalker payload.'), 'T1569.002': ('NotPetya can use PsExec to help propagate itself across a network.'), 'T1569.002': ('Okrum loader can create a new service named NtmsSvc to execute the payload.'), 'T1569.002': ('Olympic Destroyer utilizes PsExec to help propagate itself across a network.'), 'T1569.002': ('Operation Wocao has created services on remote systems for execution purposes.'), 'T1569.002': ('PoshC2 contains an implementation of PsExec for remote execution.'), 'T1569.002': ('Proxysvc registers itself as a service on the victimmachine to run as a standalone process.'), 'T1569.002': ('Microsoft Sysinternals PsExec is a popular administration tool that can be used to execute binaries on remote systems using a temporary Windows service.'), 'T1569.002': ('Pupy uses PsExec to execute a payload or commands on a remote host.'), 'T1569.002': ('Pysa has used PsExec to copy and execute the ransomware.'), 'T1569.002': ('Ragnar Locker has used sc.exe to execute a service that it creates.'), 'T1569.002': ('RemoteCMD can execute commands remotely by creating a new service on the remote system.'), 'T1569.002': ('Shamoon creates a new service namedntssrv to execute the payload. 
Shamoon can also spread via PsExec.'), 'T1569.002': ('Silence has used Winexe to install a service on the remote system.'), 'T1569.002': ('SLOTHFULMEDIA has the capability to start services.'), 'T1569.002': ('StrongPity can install a service to execute itself as a service.'), 'T1569.002': ('Winexe installs a service on the remote system executes the command then uninstalls the service.'), 'T1569.002': ('Wingbird uses services.exe to register a new autostart service named Audit Service using a copy of the local lsass.exe file.'), 'T1569.002': ('Wizard Spider has used services.exe to execute scripts and executables during lateral movement within a victim network.'), 'T1569.002': ('xCmd can be used to execute binaries on remote systems by creating and starting a service.'), 'T1567.002': ('Chimera has exfiltrated stolen data to OneDrive accounts.'), 'T1567.002': ('Crutch has exfiltrated stolen data to Dropbox.'), 'T1567.002': ('Empire can use Dropbox for data exfiltration.'), 'T1567.002': ('HAFNIUM has exfiltrated data to file sharing sites including MEGA.'), 'T1567.002': ('HAMMERTOSS exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later.'), 'T1567.002': ('Leviathan has used an uploader known as LUNCHMONEY that can exfiltrate files to Dropbox.'), 'T1567.002': 'Turla has used WebDAV to upload stolen USB files to a cloud drive. Turla has also exfiltrated stolen files to OneDrive and 4shared.'), 'T1567.002': ('ZIRCONIUM has exfiltrated stolen data to Dropbox.'), 'T1567.001': ('Empire can use GitHub for data exfiltration.'), 'T1567.001': ('Actors appear to have leveraged the popular github service to host the breached data during exfiltration. 
Leveraging popular services such as github can assist them evading security controls.'), 'T1567.001': ('GitHub can be used as exfiltration destination for organizational data.'), 'T1567.001': ('Stolen data has been compressed as rar files and exfiltrated to github.'), 'T1567.001': ('Actor is believed to have been able to compromise organizations around the globe and exfiltrated large amounts of sensitive information to a code repository.'), 'T1048.003': ('Agent Tesla has routines for exfiltration over SMTP FTP and HTTP.'), 'T1048.003': ('APT32 backdoor can exfiltrate data by encoding it in the subdomain field of DNS packets.'), 'T1048.003': ('APT33 has used FTP to exfiltrate files (separately from the C2 channel).'), 'T1048.003': ('BITSAdmin can be used to create BITS Jobs to upload files from a compromised host.'), 'T1048.003': ('Some Brave Prince variants have used South Korea Daum email service to exfiltrate information and later variants have posted the data to a web server via an HTTP post command.'), 'T1048.003': ('Carbon uses HTTP to send data to the C2 server.'), 'T1048.003': ('Cherry Picker exfiltrates files over FTP.'), 'T1048.003': ('CookieMiner has used the curl --upload-file command to exfiltrate data over HTTP.'), 'T1048.003': ('CORALDECK has exfiltrated data in HTTP POST headers.'), 'T1048.003': ('CosmicDuke exfiltrates collected files over FTP or WebDAV. 
Exfiltration servers can be separately configured from C2 servers.'), 'T1048.003': ('FIN6 has sent stolen payment card data to remote servers via HTTP POSTs.'), 'T1048.003': ('FIN8 has used FTP to exfiltrate collected data.'), 'T1048.003': ('FTP may be used to exfiltrate data separate from the main command and control protocol.'), 'T1048.003': ('Kessel can exfiltrate credentials and other information via HTTP POST request TCP and DNS.'), 'T1048.003': ('KONNI has used FTP to exfiltrate reconnaissance data out.'), 'T1048.003': ('Lazarus Group malware SierraBravo-Two generates an email message via SMTP containing information about newly infected victims.'), 'T1048.003': ('OilRig has exfiltrated data over FTP separately from its primary C2 channel over DNS.'), 'T1048.003': ('PoetRAT has used FTP for exfiltration.'), 'T1048.003': ('Remsec can exfiltrate data via a DNS tunnel or email separately from its C2 channel.'), 'T1048.003': 'Thrip has used WinSCP to exfiltrate data from a targeted organization over FTP.'), 'T1048.003': ('WindTail has the ability to automatically exfiltrate files using the macOS built-in utility usr bin curl.'), 'T1048.003': ('Wizard Spider has exfiltrated victim information using FTP.'), 'T1048.002': ('APT29 has exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim OWA servers.'), 'T1048.002': ('UNC2452 exfiltrated collected data over a simple HTTPS request to a password-protected archive staged on a victim OWA servers.'), 'T1048.002': 'The threat actors collected and exfiltrated the contents of network shares for use in a double extortion demand. 
The data exported was encrypted using public and private keys.'), 'T1048.002': 'The actors downloaded archives of collected data that was asymmetrically encrypted.'), 'T1048.002': 'The attack involved uploading password-protected archives of collected data that had been staged on the victim servers.'), 'T1048.001': ('Adversaries may opt to manually share keys and implement symmetric cryptographic algorithms (ex: RC4 AES) even while utilizing otherwise encrypted protocols such as HTTPS.'), 'T1048.001': ('Attackers used a pre-shared key to symmetrically encrypt the collected data for upload to separate infrastructure from the C2 channel.'), 'T1048.001': ('Actor was observed to have encrypted the breached information before exfiltrating it to their FTP server.'), 'T1048.001': 'The group has the ability to read file contents encrypt the information and exfiltrate them to attacker controlled infrastructure separate from their C2 channel.'), 'T1048.001': 'The functionality that they all have in common is that each exfiltrates collected credentials and its bash command history as an encrypted bundle to servers they control.'), 'T1011.001': ('Flame has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways including transmitting encoded information from the infected system over the Bluetooth protocol acting as a Bluetooth beacon and identifying other Bluetooth devices in the vicinity.'), 'T1011.001': ('Bluetooth is rarely used and only if the other network options are inaccessible or are not properly set up to exfiltrate data without the risk of detection.'), 'T1011.001': ('Adversaries may attempt to exfiltrate data over Bluetooth rather than the command and control channel.'), 'T1011.001': ('We believe the malicious APKs may be distributed through links sent to the victims via text messages. 
The APK has the capability to turn bluetooh on which would allow for data exfiltration via that channel.'), 'T1011.001': ('StarCruft became known for creating new tools and techniques to identify Bluetooth devices. These are used for information gathering for export.'), 'T1052.001': ('Agent.btz creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs.'), 'T1052.001': ('Machete has a feature to copy files from every drive onto a removable drive in a hidden folder.'), 'T1052.001': ('Mustang Panda has used a customized PlugX variant which could exfiltrate documents from air-gapped networks.'), 'T1052.001': ('Remsec contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device.'), 'T1052.001': ('SPACESHIP copies staged data to removable drives when they are inserted into the system.'), 'T1052.001': 'Tropic Trooper has exfiltrated data using USB storage devices.'), 'T1052.001': ('USBStealer exfiltrates collected files via removable media from air-gapped victims.'), 'T1568.003': ('A'),P'T12 has u': ('multiple variants of DNS Calculation including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port.'), 'T1568.003': ('Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control.'), 'T1568.003': ('Necurs also uses a a method of DNS calculation to determine the proper IP address of the C2 host.'), 'T1568.003': ('Mekotio uses an algorithm to modify the resolved IP address to obtain the actual C&C address.'), 'T1568.003': 'This malware uses a caclulation on the returned DNS data to find the correct C2 server to use.'), 'T1090.002': ('APT28 used other victims as proxies to relay command traffic for instance using a compromised Georgian military email server 
as a hop point to NATO victims. The group has also used a tool that acts as a proxy to allow C2 even if the victim is behind a router. APT28 has also used a machine to relay and obscure communications between CHOPSTICK and their server.'), 'T1090.002': ('An APT3 downloader establishes SOCKS5 connections for its initial C2.'), 'T1090.002': ('APT39 has used various tools to proxy C2 communications.'), 'T1090.002': ('FIN5 maintains access to victim environments by using FLIPSIDE to create a proxy for a backup RDP tunnel.'), 'T1090.002': ('GALLIUM used a modified version of HTRAN to redirect connections between networks.'), 'T1090.002': ('InvisiMole InvisiMole can identify proxy servers used by the victim and use them for C2 communication.'), 'T1090.002': ('Lazarus Group uses multiple proxies to obfuscate network traffic from victims.'), 'T1090.002': ('menuPass has used a global service provider IP as a proxy for C2 traffic from a victim.'), 'T1090.002': ('MuddyWater has controlled POWERSTATS from behind a proxy network to obfuscate the C2 location. 
MuddyWater has used a series of compromised websites that victims connected to randomly to relay information to command and control (C2).'), 'T1090.002': ('Okrum can identify proxy servers configured and used by the victim and use it to make HTTP requests to C2 its server.'), 'T1090.002': ('POWERSTATS has connected to C2 servers through proxies.'), 'T1090.002': ('Regin leveraged several compromised universities as proxies to obscure its origin.'), 'T1090.002': ('ShimRat can use pre-configured HTTP proxies.'), 'T1090.002': ('Silence has used ProxyBot which allows the attacker to redirect traffic from the current node to the backconnect server via Sock4Socks5.'), 'T1037.002': ('Adversaries may use macOS logon scripts automatically executed at logon initialization to establish persistence.'), 'T1037.002': ('A login hook tells Mac OS X to execute a certain script when a user logs in but unlike Startup Items a login hook executes as the elevated root user.'), 'T1037.002': ('Monitor logon scripts for unusual access by abnormal users or at abnormal times.'), 'T1037.002': ('LoginHooks and LogoutHooks have been around for years and are rarely used these days but are still a perfectly viable way of running a persistence script on macOS Mojave.'), 'T1037.002': ('Access to login hook scripts may allow an adversary to insert additional malicious code.'), 'T1568.001': ('gh0st RAT operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses.'), 'T1568.001': ('menuPass has used dynamic DNS service providers to host malicious domains.'), 'T1568.001': ('njRAT has used a fast flux DNS for C2 IP resolution.'), 'T1568.001': 'TA505 has used fast flux to mask botnets by distributing payloads across multiple IPs.'), 'T1568.001': ('Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution.'), 'T1568.001': ('A researcher has published a blog 
identifying nameservers servicing malware command and control (C2) domains and providing Fast Flux DNS to the malicious botnets.'), 'T1548.004': ('OSX Shlayer can escalate privileges to root by asking the user for credentials.'), 'T1548.004': ('Adversaries may leverage the AuthorizationExecuteWithPrivileges API to escalate privileges by prompting the user for credentials.'), 'T1548.004': ('The software downloaded has a multi-stage installer that once given authentication from the user gathers system information and ultimately installs multiple adware programs as root.'), 'T1548.004': ('All infection vectors required user interaction at some level in order to compromise the host including installation of software packages and authentication.'), 'T1548.004': ('The downloaded installer is designed to look like a legitimate installation to trick the user into authenticating with their password to continue the second stage infection.'), 'T1548.003': ('Proton modifies the tty_tickets line in the sudoers file.'), 'T1548.003': ('Adversaries may perform sudo caching and/or use the sudoers file to elevate privileges.'), 'T1548.003': ('However the sudoers file can also specify when to not prompt users for passwords.'), 'T1548.003': ('Within Linux and macOS systems sudo (sometimes referred to as superuser do) allows users to perform commands from terminals with elevated privileges and to control who can perform these commands on the system.'), 'T1548.003': ('Adversaries can leverage initial access and elevate privileges using sudo caching which leverages the window during which sudo can be used without authentication after a previous authenticated call.'), 'T1548.001': ('Exaramel for Linux can execute commands with high privileges via a specific binary with setuid functionality.'), 'T1548.001': ('Keydnap adds the setuid flag to a binary so it can easily elevate in the future.'), 'T1548.001': ('An adversary may perform shell escapes or exploit vulnerabilities in an application with 
the setuid or setgid bits to get code running in a different user context.'), 'T1548.001': ('Instead of creating an entry in the sudoers file which must be done by root any user can specify the setuid or setgid flag to be set for their own applications.'), 'T1548.001': ('An additional binary was identified with SetUID functionalities on the path bin backup. It offers the execution of a list of commands with high privileges. The decompiled code is noted below.'), 'T1102.003': ('EVILNUM has used a one-way communication method via GitLab and Digital Point to perform C2.'), 'T1102.003': ('The tDiscoverer variant of HAMMERTOSS establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. HAMMERTOSS binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day.'), 'T1102.003': ('Leviathan has received C2 instructions from user profiles created on legitimate websites such as Github and TechNet.'), 'T1102.003': ('Metamorfo has downloaded a zip file for execution on the system.'), 'T1102.003': ('OnionDuke uses Twitter as a backup C2.'), 'T1102.002': ('APT12 has used blogs and WordPress for C2 infrastructure.'), 'T1102.002': ('APT28 has used Google Drive for C2.'), 'T1102.002': ('APT29 has used social media platforms to hide communications to C2 servers.'), 'T1102.002': ('APT37 leverages social networking sites and cloud platforms (AOL Twitter Yandex Mediafire pCloud Dropbox and Box) for C2.'), 'T1102.002': ('APT39 has communicated with C2 through files uploaded to and downloaded from DropBox.'), 'T1102.002': ('BADNEWS can use multiple C2 channels including RSS feeds Github forums and blogs.'), 'T1102.002': ('BLACKCOFFEE has also obfuscated its C2 traffic as normal traffic to sites such as Github.'), 'T1102.002': ('The CALENDAR malware communicates through the use of events in Google Calendar.'), 'T1102.002': ('Carbanak has used a VBScript named ggldr that uses Google Apps Script 
Sheets and Forms services for C2.'), 'T1102.002': ('One variant of CloudDuke uses a Microsoft OneDrive account to exchange commands and stolen data with its operators.'), 'T1102.002': ('Comnie uses blogs and third-party sites (GitHub tumbler and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server.'), 'T1102.002': ('ComRAT has the ability to use the Gmail web UI to receive commands and exfiltrate information.'), 'T1102.002': ('CozyCar uses Twitter as a backup C2 channel to Twitter accounts specified in its configuration file.'), 'T1102.002': ('Crutch can use Dropbox to receive commands and upload stolen data.'), 'T1102.002': ('DOGCALL is capable of leveraging cloud storage APIs such as Cloud Box Dropbox and Yandex for C2.'), 'T1102.002': ('Empire can use Dropbox and GitHub for C2.'), 'T1102.002': ('FIN7 used legitimate services like Google Docs Google Scripts and Pastebin for C2.'), 'T1102.002': ('GLOOXMAIL communicates to servers operated by Google using the Jabber XMPP protocol.'), 'T1102.002': ('Grandoreiro can utilize web services including Google sites to send and receive C2 data.'), 'T1102.002': ('KARAE can use public cloud-based storage providers for command and control.'), 'T1102.002': ('Kazuar has used compromised WordPress blogs as C2 servers.'), 'T1102.002': ('LOWBALL uses the Dropbox cloud storage service for command and control.'), 'T1102.002': ('Magic Hound malware can use a SOAP Web service to communicate with its C2 server.'), 'T1102.002': ('MuddyWater has used web services including OneHub to distribute remote access tools.'), 'T1102.002': ('Orz has used Technet and Pastebin web pages for command and control.'), 'T1102.002': ('POORAIM has used AOL Instant Messenger for C2.'), 'T1102.002': ('PowerStallion uses Microsoft OneDrive as a C2 server via a network drive mapped with net use.'), 'T1102.002': ('RegDuke can use Dropbox as its C2 server.'), 'T1102.002': ('Revenge RAT used blogpost.com as its primary 
command and control server during a campaign.'), 'T1102.002': ('RogueRobin has used Google Drive as a Command and Control channel.'), 'T1102.002': ('ROKRAT leverages legitimate social networking sites and cloud platforms (Twitter Yandex and Mediafire) for C2 communications.'), 'T1102.002': ('Sandworm Team has used the Telegram Bot API from Telegram Messenger to send and receive commands to its Python backdoor. Sandworm Team also used legitimate M.E.Doc software update check requests for sending and receiving commands and hosted malicious payloads on putdrive.com.'), 'T1102.002': ('SLOWDRIFT uses cloud based services for C2.'), 'T1102.002': ('A Turla JavaScript backdoor has used Google Apps Script as its C2 server.'), 'T1102.002': ('UBoatRAT has used GitHub and a public blog service in Hong Kong for C2 communications.'), 'T1102.002': ('yty communicates to the C2 server by retrieving a Google Doc.'), 'T1102.002': ('ZIRCONIUM has used Dropbox for C2 allowing upload and download of files as well as execution of arbitrary commands.'), 'T1102.001': ('APT41 used legitimate websites for C2 through dead drop resolvers (DDR) including GitHub Pastebin and Microsoft TechNet.'), 'T1102.001': ('Astaroth can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook.'), 'T1102.001': ('BADNEWS collects C2 information via a dead drop resolver.'), 'T1102.001': ('BLACKCOFFEE uses the Microsoft TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server.'), 'T1102.001': ('BRONZE BUTLER MSGET downloader uses a dead drop resolver to access malicious payloads.'), 'T1102.001': ('Grandoreiro can obtain C2 information from Google Docs.'), 'T1102.001': ('Javali can read C2 information from Google Documents and YouTube.'), 'T1102.001': ('Some MiniDuke components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds.'), 
'T1102.001': ('Patchwork hides base64-encoded and encrypted C2 server locations in comments on legitimate websites.'), 'T1102.001': ('PlugX uses Pastebin to store C2 addresses.'), 'T1102.001': ('PolyglotDuke can use Twitter Reddit Imgur and other websites to get a C2 URL.'), 'T1102.001': ('Rocke has used Pastebin to check the version of beaconing malware and redirect to another Pastebin hosting updated malware.'), 'T1102.001': ('RTM has used an RSS feed on Livejournal to update a list of encrypted C2 server names. RTM has also hidden Pony C2 server IP addresses within transactions on the Bitcoin and Namecoin blockchain.'), 'T1102.001': ('Xbash can obtain a webpage hosted on Pastebin to update its C2 domain list.'), 'T1134.001': ('APT28 has used CVE-2015-1701 to access the SYSTEM token and copy it into the current process as part of privilege escalation.'), 'T1134.001': ('Aria-body has the ability to duplicate a token from ntprint.exe.'), 'T1134.001': ('BitPaymer can use the tokens of users to create processes on infected systems.'), 'T1134.001': ('Cobalt Strike can steal access tokens from existing processes.'), 'T1134.001': ('FinFisher uses token manipulation with NtFilterToken as part of UAC bypass.'), 'T1134.001': ('Okrum can impersonate a logged-on user security context using a call to the ImpersonateLoggedOnUser API.'), 'T1134.001': ('Pupy can obtain a list of SIDs and provide the option for selecting process tokens to impersonate.'), 'T1134.001': ('REvil can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user.'), 'T1134.001': ('Shamoon can impersonate tokens using LogonUser ImpersonateLoggedOnUser and ImpersonateNamedPipeClient.'), 'T1134.002': ('Aria-body has the ability to execute a process using runas.'), 'T1134.002': ('Azorult can call WTSQueryUserToken and CreateProcessAsUser to start 
a new process with local system privileges.'), 'T1134.002': ('Bankshot grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user.'), 'T1134.002': ('Empire can use Invoke-RunAs to make tokens.'), 'T1134.002': ('KONNI has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user.'), 'T1134.002': ('Lazarus Group keylogger KiloAlfa obtains user tokens from interactive sessions to execute itself with API call CreateProcessAsUserA under that user context.'), 'T1134.002': ('PipeMon can attempt to gain administrative privileges using token impersonation.'), 'T1134.002': ('PoshC2 can use Invoke-RunAs to make tokens.'), 'T1134.002': ('REvil can launch an instance of itself with administrative rights using runas.'), 'T1134.002': 'Turla RPC backdoors can impersonate or steal process tokens before executing commands.'), 'T1134.002': ('ZxShell has a command called RunAs which creates a new process as another user or process context.'), 'T1573.001': ('3PARA RAT command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&9&jkMCXuiS. 
3PARA RAT will use an 8-byte XOR key derived from the string HYF54&9&jkMCXuiS if the DES decoding fails.'), 'T1573.001': ('4H RAT obfuscates C2 communication using a 1-byte XOR with the key 0xBE.'), 'T1573.001': ('A variant of ADVSTORESHELL encrypts some C2 with 3DES.'), 'T1573.001': ('APT28 installed a Delphi backdoor that used a custom algorithm for C2 communications.'), 'T1573.001': ('APT33 has used AES for encryption of command and control traffic.'), 'T1573.001': ('Attor has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key.'), 'T1573.001': ('Azorult can encrypt C2 traffic using XOR.'), 'T1573.001': ('BADCALL encrypts C2 traffic using an XOR/ADD cipher.'), 'T1573.001': ('BADNEWS encrypts C2 data with a ROR by 3 and an XOR by 0x23.'), 'T1573.001': ('Bazar can send C2 communications with XOR encryption.'), 'T1573.001': ('BBSRAT uses a custom encryption algorithm on data sent back to the C2 server over HTTP.'), 'T1573.001': ('BendyBear communicates to a C2 server over port 443 using modified RC4 and XOR-encrypted chunks.'), 'T1573.001': ('Bisonal variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some Bisonal samples encrypt C2 communications with RC4.'), 'T1573.001': ('BLINDINGCAN has encrypted its C2 traffic with RC4.'), 'T1573.001': ('Bonadan can XOR-encrypt C2 communications.'), 'T1573.001': ('BRONZE BUTLER has used RC4 encryption (for Datper malware) and AES (for xxmm malware) to obfuscate HTTP traffic. BRONZE BUTLER has also used a tool called RarStar that encodes data with a custom XOR algorithm when posting it to a C2 server.'), 'T1573.001': ('CallMe uses AES to encrypt C2 traffic.'), 'T1573.001': ('Carbanak encrypts the message body of HTTP traffic with RC2 (in CBC mode). 
Carbanak also uses XOR with random keys for its communications.'), 'T1573.001': ('Cardinal RAT uses a secret key with a series of XOR and addition operations to encrypt C2 traffic.'), 'T1573.001': ('Chaos provides a reverse shell connection on 8338 TCP encrypted via AES.'), 'T1573.001': ('ChChes can encrypt C2 traffic with AES or RC4.'), 'T1573.001': ('CHOPSTICK encrypts C2 communications with RC4.'), 'T1573.001': ('Cobalt Strike has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shell code and configuration data.'), 'T1573.001': ('Comnie encrypts command and control communications with RC4.'), 'T1573.001': ('CORESHELL C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys.'), 'T1573.001': ('CosmicDuke contains a custom version of the RC4 algorithm that includes a programming error.'), 'T1573.001': ('Darkhotel has used AES-256 and 3DES for C2 communications.'), 'T1573.001': ('Daserf uses RC4 encryption to obfuscate HTTP traffic.'), 'T1573.001': ('Derusbi obfuscates C2 traffic with variable 4-byte XOR keys.'), 'T1573.001': ('Dipsind encrypts C2 data with AES256 in ECB mode.'), 'T1573.001': ('down_new has the ability to AES encrypt C2 communications.'), 'T1573.001': ('Downdelph uses RC4 to encrypt C2 responses.'), 'T1573.001': ('Dridex has encrypted traffic with RC4.'), 'T1573.001': 'The Duqu command and control protocol data stream can be encrypted with AES-CBC.'), 'T1573.001': ('Ebury has encrypted C2 traffic using the client IP address then encoded it as a hexadecimal string.'), 'T1573.001': ('Elise encrypts exfiltrated data with RC4.'), 'T1573.001': 'The C2 server response to a beacon sent by a variant of Emissary contains a 36-character GUID value that is used as an encryption key for subsequent network communications. 
Some variants of Emissary use various XOR operations to encrypt C2 data.'), 'T1573.001': ('Epic encrypts commands from the C2 server using a hardcoded key.'), 'T1573.001': ('Explosive has encrypted communications with the RC4 method.'), 'T1573.001': ('The original variant of FakeM encrypts C2 traffic using a custom encryption cipher that uses an XOR key of YHCRA and bit rotation between each XOR operation. Some variants of FakeM use RC4 to encrypt C2 traffic.'), 'T1573.001': ('FALLCHILL encrypts C2 data with RC4 encryption.'), 'T1573.001': ('FatDuke can AES encrypt C2 communications.'), 'T1573.001': ('Some Felismus samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys.'), 'T1573.001': ('FlawedAmmyy has used SEAL encryption during the initial C2 handshake.'), 'T1573.001': ('Frankenstein has communicated with a C2 via an encrypted RC4 byte stream and AES-CBC.'), 'T1573.001': ('Gazer uses custom encryption for C2 that uses 3DES.'), 'T1573.001': ('gh0st RAT uses RC4 and XOR to encrypt C2 traffic.'), 'T1573.001': ('GreyEnergy encrypts communications using AES256.'), 'T1573.001': ('H1N1 encrypts C2 traffic using an RC4 key.'), 'T1573.001': ('Before being appended to image files HAMMERTOSS commands are encrypted with a key composed of both a hard-coded value and a string contained in that day's tweet. 
To decrypt the commands an investigator would need access to the intended malware sample the day's tweet and the image file containing the command.'), 'T1573.001': ('Helminth encrypts data sent to its C2 server over HTTP with RC4.'), 'T1573.001': ('Hi-Zor encrypts C2 traffic with a double XOR using two distinct single-byte keys.'), 'T1573.001': ('HiddenWasp uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication.'), 'T1573.001': ('Higaisa used AES-128 to encrypt C2 traffic.'), 'T1573.001': ('Hikit performs XOR encryption.'), 'T1573.001': ('HotCroissant has compressed network communications and encrypted them with a custom stream cipher.'), 'T1573.001': ('httpclient encrypts C2 content with XOR using a single byte 0x12.'), 'T1573.001': ('Hydraq C2 traffic is encrypted using bitwise NOT and XOR operations.'), 'T1573.001': ('HyperStack has used RSA encryption for C2 communications.'), 'T1573.001': ('Inception has encrypted network communications with AES.'), 'T1573.001': ('InvisiMole uses variations of a simple XOR encryption routine for C&C communications.'), 'T1573.001': ('KEYMARBLE uses a customized XOR algorithm to encrypt C2 communications.'), 'T1573.001': ('The Komplex C2 channel uses an 11-byte XOR algorithm to hide data.'), 'T1573.001': ('Several Lazarus Group malware families encrypt C2 traffic using custom code that uses XOR with an ADD operation and XOR with a SUB operation. Another Lazarus Group malware sample XORs C2 traffic. 
Other Lazarus Group malware uses Caracachs encryption to encrypt C2 payloads.'), 'T1573.001': ('LightNeuron uses AES to encrypt C2 traffic.'), 'T1573.001': ('LookBack uses a modified version of RC4 for data transfer.'), 'T1573.001': ('Lucifer can perform a decremental-xor encryption on the initial C2 request before sending it over the wire.'), 'T1573.001': ('Lurid performs XOR encryption.'), 'T1573.001': ('Machete has used AES to exfiltrate documents.'), 'T1573.001': ('MoonWind encrypts C2 traffic using RC4 with a static key.'), 'T1573.001': ('More_eggs has used an RC4-based encryption method for its C2 communications.'), 'T1573.001': ('Mosquito uses a custom encryption algorithm which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm.'), 'T1573.001': ('Mustang Panda has encrypted C2 communications with RC4.'), 'T1573.001': ('NanoCore uses DES to encrypt the C2 traffic.'), 'T1573.001': ('NDiskMonitor uses AES to encrypt certain information sent over its C2 channel.'), 'T1573.001': ('NETEAGLE will decrypt resources it downloads with HTTP requests by using RC4 with the key ScoutEagle.'), 'T1573.001': ('NETWIRE can use AES encryption for C2 data transferred.'), 'T1573.001': ('Okrum uses AES to encrypt network traffic. 
The key can be hardcoded or negotiated with the C2 server in the registration phase.'), 'T1573.001': ('PipeMon communications are RC4 encrypted.'), 'T1573.001': ('PLAINTEE encodes C2 beacons using XOR.'), 'T1573.001': ('PLEAD has used RC4 encryption to download modules.'), 'T1573.001': ('PoisonIvy uses the Camellia cipher to encrypt communications.'), 'T1573.001': ('POWERTON has used AES for encrypting C2 traffic.'), 'T1573.001': ('Prikormka encrypts some C2 traffic with the Blowfish cipher.'), 'T1573.001': ('QuasarRAT uses AES to encrypt network communication.'), 'T1573.001': ('RDAT has used AES ciphertext to encode C2 communications.'), 'T1573.001': ('RedLeaves has encrypted C2 traffic with RC4 previously using keys of 88888888 and babybear.'), 'T1573.001': ('Rifdoor has encrypted command and control (C2) communications with a stream cipher.'), 'T1573.001': ('APT12 has used the RIPTIDE RAT which communicates over HTTP with a payload encrypted with RC4.'), 'T1573.001': ('RTM encrypts C2 traffic with a custom RC4 variant.'), 'T1573.001': ('Sakula encodes C2 traffic with single-byte XOR keys.'), 'T1573.001': ('SeaDuke C2 traffic has been encrypted with RC4 and AES.'), 'T1573.001': ('SNUGRIDE encrypts C2 traffic using AES with a static key.'), 'T1573.001': ('Stealth Falcon malware encrypts C2 traffic using RC4 with a hard-coded key.'), 'T1573.001': ('SUNBURST encrypted C2 traffic using a single-byte XOR cipher.'), 'T1573.001': ('Sys10 uses an XOR 0x1 loop to encrypt its C2 domain.'), 'T1573.001': ('Taidoor uses RC4 to encrypt the message body of HTTP content.'), 'T1573.001': ('TAINTEDSCRIBE uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption.'), 'T1573.001': ('TrickBot uses a custom crypter leveraging Microsoft's CryptoAPI to encrypt C2 traffic.'), 'T1573.001': ('TSCookie has encrypted network communications with RC4.'), 'T1573.001': ('Some versions of UPPERCUT have used the hard-coded string "this is the encrypt key" for Blowfish encryption 
when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address.'), 'T1573.001': ('Volgmer uses a simple XOR cipher to encrypt traffic and files.'), 'T1573.001': ('WellMess can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard coded RSA public key.'), 'T1573.001': ('Winnti for Linux has used a custom TCP protocol with four-byte XOR for command and control (C2).'), 'T1573.001': ('ZeroT has used RC4 to encrypt C2 traffic.'), 'T1573.001': ('ZIRCONIUM has used AES encrypted communications in C2.'), 'T1071.001': ('3PARA RAT uses HTTP for command and control.'), 'T1071.001': ('4H RAT uses HTTP for command and control.'), 'T1071.001': ('ABK has the ability to use HTTP in communications with C2.'), 'T1071.001': ('ADVSTORESHELL connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs.'), 'T1071.001': ('Agent Tesla has used HTTP for C2 communications.'), 'T1071.001': ('Anchor has used HTTP and HTTPS in C2 communications.'), 'T1071.001': ('AppleJeus has sent data to its C2 server via POST requests.'), 'T1071.001': ('APT18 uses HTTP for C2 communications.'), 'T1071.001': ('APT19 used HTTP for C2 communications. APT19 also used an HTTP malware variant to communicate over HTTP for C2.'), 'T1071.001': ('Later implants used by APT28 such as CHOPSTICK use a blend of HTTP and other legitimate channels for C2 depending on module configuration.'), 'T1071.001': ('APT29 has used HTTP for C2 and data exfiltration.'), 'T1071.001': ('APT32 has used JavaScript that communicates over HTTP or HTTPS to attacker controlled domains to download additional frameworks. 
The group has also used downloaded encrypted payloads over HTTP.'), 'T1071.001': ('APT33 has used HTTP for command and control.'), 'T1071.001': ('APT37 uses HTTPS to conceal C2 communications.'), 'T1071.001': ('APT38 used a backdoor QUICKRIDE to communicate to the C2 server over HTTP and HTTPS.'), 'T1071.001': ('APT39 has used HTTP in communications with C2.'), 'T1071.001': ('APT41 used HTTP to download payloads for CVE-2019-19781 and CVE-2020-10189 exploits.'), 'T1071.001': ('Aria-body has used HTTP in C2 communications.'), 'T1071.001': ('Avenger has the ability to use HTTP in communication with C2.'), 'T1071.001': ('BackConfig has the ability to use HTTPS for C2 communications.'), 'T1071.001': ('BACKSPACE uses HTTP as a transport to communicate with its command server.'), 'T1071.001': ('BADNEWS establishes a backdoor over HTTP.'), 'T1071.001': ('BadPatch uses HTTP for C2.'), 'T1071.001': ('Bankshot uses HTTP for command and control communication.'), 'T1071.001': ('Bazar can use HTTP and HTTPS over ports 80 and 443 in C2 communications.'), 'T1071.001': ('BBK has the ability to use HTTP in communications with C2.'), 'T1071.001': ('BBSRAT uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server.'), 'T1071.001': ('Bisonal uses HTTP for C2 communications.'), 'T1071.001': ('BlackEnergy communicates with its C2 server over HTTP.'), 'T1071.001': ('BlackMould can send commands to C2 in the body of HTTP POST requests.'), 'T1071.001': ('BLINDINGCAN has used HTTPS over port 443 for command and control.'), 'T1071.001': ('BRONZE BUTLER malware has used HTTP for C2.'), 'T1071.001': ('BUBBLEWRAP can communicate using HTTP or HTTPS.'), 'T1071.001': ('Bundlore uses HTTP requests for C2.'), 'T1071.001': ('The Carbanak malware communicates to its command server using HTTP with an encrypted payload.'), 'T1071.001': ('Carberp has connected to C2 servers via HTTP.'), 'T1071.001': ('Carbon can use HTTP in 
C2 communications.'), 'T1071.001': ('Cardinal RAT is downloaded using HTTP over port 443.'), 'T1071.001': ('ChChes communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header.'), 'T1071.001': ('Chimera has used HTTPS for C2 communications.'), 'T1071.001': ('China Chopper server component executes code sent via HTTP POST commands.'), 'T1071.001': ('Various implementations of CHOPSTICK communicate with C2 over HTTP.'), 'T1071.001': ('One variant of CloudDuke uses HTTP and HTTPS for C2.'), 'T1071.001': ('Cobalt Group has used HTTPS for C2.'), 'T1071.001': ('Cobalt Strike can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports.'), 'T1071.001': ('Comnie uses HTTP for C2 communication.'), 'T1071.001': ('ComRAT has used HTTP requests for command and control.'), 'T1071.001': ('CORESHELL can communicate over HTTP for C2.'), 'T1071.001': ('CosmicDuke can use HTTP or HTTPS for command and control to hard-coded C2 servers.'), 'T1071.001': ('CozyCar's main method of communicating with its C2 servers is using HTTP or HTTPS.'), 'T1071.001': ('Crutch has conducted C2 communications with a Dropbox account using the HTTP API.'), 'T1071.001': ('CSPY Downloader can use GET requests to download additional payloads from C2.'), 'T1071.001': ('Dacls can use HTTPS in C2 communications.'), 'T1071.001': ('Dark Caracal's version of Bandook communicates with their server over a TCP port using HTTP payloads Base64 encoded and suffixed with the string &&&.'), 'T1071.001': ('DarkComet can use HTTP for C2 communications.'), 'T1071.001': ('Daserf uses HTTP for C2.'), 'T1071.001': ('DealersChoice uses HTTP for communication with the C2 server.'), 'T1071.001': ('Dipsind uses HTTP for C2.'), 'T1071.001': ('Doki has communicated with C2 over HTTPS.'), 'T1071.001': ('down_new has the ability to use HTTP in C2 communications.'), 'T1071.001': ('DownPaper communicates to its C2 server over HTTP.'), 
'T1071.001': ('Dridex has used HTTPS for C2 communications.'), 'T1071.001': ('Drovorub can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request.'), 'T1071.001': ('DustySky has used both HTTP and HTTPS for C2.'), 'T1071.001': ('Dyre uses HTTPS for C2 communications.'), 'T1071.001': ('Egregor has communicated with its C2 servers via HTTPS protocol.'), 'T1071.001': ('Elise communicates over HTTP or HTTPS for C2.'), 'T1071.001': ('ELMER uses HTTP for command and control.'), 'T1071.001': ('Emissary uses HTTP or HTTPS for C2.'), 'T1071.001': ('Empire can conduct command and control over protocols like HTTP and HTTPS.'), 'T1071.001': ('Epic uses HTTP and HTTPS for C2 communications.'), 'T1071.001': ('EvilBunny has executed C2 commands directly via HTTP.'), 'T1071.001': ('Exaramel for Linux uses HTTPS for C2 communications.'), 'T1071.001': ('Explosive has used HTTP for communication.'), 'T1071.001': ('FatDuke can be controlled via a custom C2 protocol over HTTP.'), 'T1071.001': ('Felismus uses HTTP for C2.'), 'T1071.001': ('FELIXROOT uses HTTP and HTTPS to communicate with the C2 server.'), 'T1071.001': ('FIN4 has used HTTP POST requests to transmit data.'), 'T1071.001': ('Final1stspy uses HTTP for C2.'), 'T1071.001': ('FlawedAmmyy has used HTTP for C2.'), 'T1071.001': ('A Gamaredon Group file stealer can communicate over HTTP for C2.'), 'T1071.001': ('Gazer communicates with its C2 servers over HTTP.'), 'T1071.001': ('GeminiDuke uses HTTP and HTTPS for command and control.'), 'T1071.001': ('Get2 has the ability to use HTTP to send information collected from an infected host to C2.'), 'T1071.001': ('Gold Dragon uses HTTP for communication to the control servers.'), 'T1071.001': ('GoldenSpy has used the Ryeol HTTP Client to facilitate HTTP internet communication.'), 'T1071.001': ('GoldFinder has used HTTP for C2.'), 'T1071.001': ('GoldMax has used HTTPS and HTTP GET requests with custom HTTP cookies for C2.'), 'T1071.001': 
('Goopy has the ability to communicate with its C2 over HTTP.'), 'T1071.001': ('Grandoreiro has the ability to use HTTP in C2 communications.'), 'T1071.001': ('GravityRAT uses HTTP for C2.'), 'T1071.001': ('GreyEnergy uses HTTP and HTTPS for C2 communications.'), 'T1071.001': ('GuLoader can use HTTP to retrieve additional binaries.'), 'T1071.001': ('HAFNIUM has used open-source C2 frameworks including Covenant.'), 'T1071.001': ('The Uploader variant of HAMMERTOSS visits a hard-coded server over HTTPS to download the images HAMMERTOSS uses to receive commands.'), 'T1071.001': ('HAWKBALL has used HTTP to communicate with a single hard-coded C2 server.'), 'T1071.001': ('Helminth can use HTTP for C2.'), 'T1071.001': ('Hi-Zor communicates with its C2 server over HTTPS.'), 'T1071.001': ('Higaisa used HTTP and HTTPS to send data back to its C2 server.'), 'T1071.001': ('Hikit has used HTTP for C2.'), 'T1071.001': ('HTTPBrowser has used HTTP and HTTPS for command and control.'), 'T1071.001': ('httpclient uses HTTP for command and control.'), 'T1071.001': ('HyperBro has used HTTPS for C2 communications.'), 'T1071.001': ('IcedID has used HTTPS in communications with C2.'), 'T1071.001': ('Inception has used HTTP HTTPS and WebDav in network communications.'), 'T1071.001': ('InvisiMole uses HTTP for C2 communications.'), 'T1071.001': ('Ixeshe uses HTTP for command and control.'), 'T1071.001': ('JHUHUGIT variants have communicated with C2 servers over HTTP and HTTPS.'), 'T1071.001': ('Kazuar uses HTTP and HTTPS to communicate with the C2 server. 
Kazuar can also act as a webserver and listen for inbound HTTP requests through an exposed API.'), 'T1071.001': ('Ke3chang malware RoyalCli and BS2005 have communicated over HTTP with the C2 server through Internet Explorer (IE) by using the COM interface IWebBrowser2.'), 'T1071.001': ('Keydnap uses HTTPS for command and control.'), 'T1071.001': ('KGH_SPY can send data to C2 with HTTP POST requests.'), 'T1071.001': ('Kinsing has communicated with C2 over HTTP.'), 'T1574.005': ('Adversaries may execute their own malicious payloads by hijacking the binaries used by an installer.'), 'T1574.005': ('When installers create subdirectories and files they often do not set appropriate permissions to restrict write access which allows for execution of untrusted code placed in the subdirectories or overwriting of binaries used in the installation process.'), 'T1574.005': ('Attackers can leverage file permission weaknesses in software installers to get their payload deployed without the user being aware.'), 'T1574.005': ('An external tool or installer is required to enable the malware to maintain persistence through reboot.'), 'T1574.005': ('PowerSpritz decrypts a legitimate Skype or Telegram installer using a custom Spritz implementation with the key Znxkai@ if8qa9w9489. 
PowerSpritz then writes the legitimate installer to disk in the directory returned by GetTempPathA.'), 'T1069.001': ('admin@338 actors used the following command following exploitation of a machine with LOWBALL malware to list local groups: net localgroup administrator >> tempdownload'), 'T1069.001': ('BloodHound can collect information about local groups and members.'), 'T1069.001': ('Caterpillar WebShell can obtain a list of local groups of users from a system.'), 'T1069.001': ('Chimera has used net localgroup administrators to identify accounts with local administrative rights.'), 'T1069.001': ('Emissary has the capability to execute the command net localgroup administrators.'), 'T1069.001': ('Epic gathers information on local group names.'), 'T1069.001': ('FlawedAmmyy enumerates the privilege level of the victim during the initial infection.'), 'T1069.001': ('Helminth has checked the local administrators group.'), 'T1069.001': ('JPIN can obtain the permissions of the victim user.'), 'T1069.001': ('Kazuar gathers information about local groups and members.'), 'T1069.001': ('Kwampirs collects a list of users belonging to the local users and administrators groups with the commands net localgroup administrators and net localgroup users.'), 'T1069.001': ('Commands such as net group and net localgroup can be used in Net to gather information about and manipulate groups.'), 'T1069.001': ('OilRig has used net localgroup administrators to find local administrators on compromised systems.'), 'T1069.001': ('Operation Wocao has used the command net localgroup administrators to list all administrators part of a local group.'), 'T1069.001': ('OSInfo has enumerated the local administrators group.'), 'T1069.001': ('PoshC2 contains modules such as Get-LocAdm for enumerating permission groups.'), 'T1069.001': ('POWRUNER may collect local group information by running net localgroup administrators or a series of other commands on a victim.'), 'T1069.001': ('Sys10 collects the 
group name of the logged-in user and sends it to the C2.'), 'T1069.001': ('Turla has used net localgroup and net localgroup Administrators to enumerate group information, including members of the local administrators group.'), 'T1137.005': ('Ruler can be used to automate the abuse of Outlook Rules to establish persistence.'), 'T1137.005': ('Adversaries may abuse Microsoft Outlook rules to obtain persistence on a compromised system.'), 'T1137.005': ('Malicious Outlook rules can be created that trigger code execution when an adversary sends a specifically crafted email to that user.'), 'T1137.005': ('In summary, inbox rules can be hidden by leveraging the Messaging Application Programming Interface (MAPI), which provides low-level access to Exchange data stores.'), 'T1137.005': ('User interaction is required to exploit this vulnerability, wherein the victim must import a malformed Outlook Rules (.RWZ) file.'), 'T1137.004': ('OilRig has abused the Outlook Home Page feature for persistence. 
OilRig has also used CVE-2017-11774 to roll back the initial patch designed to protect against Home Page abuse.'), 'T1137.004': ('Ruler can be used to automate the abuse of Outlook Home Pages to establish persistence.'), 'T1137.004': ('Adversaries may abuse the Microsoft Outlook Home Page feature to obtain persistence on a compromised system.'), 'T1137.004': ('Once malicious home pages have been added to the user mailbox, they will be loaded when Outlook is started.'), 'T1137.004': ('After APT33 initially gained access to Microsoft Exchange accounts through password spraying, the threat actors replaced the Outlook homepage for the victim accounts with a malicious Microsoft Outlook homepage URL crafted through Ruler.'), 'T1137.003': ('Ruler can be used to automate the abuse of Outlook Forms to establish persistence.'), 'T1137.003': ('Custom Outlook forms can be created that will execute code when a specifically crafted email is sent by an adversary utilizing the same custom Outlook form.'), 'T1137.003': ('Adversaries may abuse Microsoft Outlook forms to obtain persistence on a compromised system.'), 'T1137.003': ('Once malicious forms have been added to the user mailbox, they will be loaded when Outlook is started.'), 'T1137.003': ('The custom form is triggered when the mailbox receives a specific message from the attacker that requires the mailbox to load the custom form.'), 'T1137.006': ('Naikon has used the RoyalRoad exploit builder to drop a second stage loader, intel.wll, into the Word Startup folder on the compromised host.'), 'T1137.006': ('Add-ins can be used to obtain persistence because they can be set to execute code when an Office application starts.'), 'T1137.006': ('Actors may abuse Microsoft Office add-ins to obtain persistence on a compromised system.'), 'T1137.006': ('XLAM files are add-in files for Excel 2010 and Excel 2007, based on XML with support for macros. 
As victims interacted with these files, an attacker-controlled cloud storage was set up on the local system as a network drive and launched RedCurl.Dropper, which was hosted there.'), 'T1137.006': ('Further investigation of this StartUp trusted location found that it could host Word Add-Ins with a *.wll extension.'), 'T1087.002': ('AdFind can enumerate domain users.'), 'T1087.002': ('Bankshot gathers domain and account name information through process monitoring.'), 'T1087.002': ('Bazar has the ability to identify domain administrator accounts.'), 'T1087.002': ('BloodHound can collect information about domain users, including identification of domain admin accounts.'), 'T1087.002': ('BRONZE BUTLER has used net user /domain to identify account information.'), 'T1087.002': ('Chimera has used net user /dom and net user Administrator to enumerate domain accounts, including administrator accounts.'), 'T1087.002': ('Cobalt Strike can determine if the user on an infected machine is in the admin or domain admin group.'), 'T1087.002': ('CrackMapExec can enumerate the domain user accounts on a targeted system.'), 'T1087.002': ('Dragonfly 2.0 used batch scripts to enumerate users on a victim domain controller.'), 'T1087.002': ('dsquery can be used to gather information on user accounts within a domain.'), 'T1087.002': ('Empire can acquire local and domain user account information.'), 'T1087.002': ('FIN6 has used the Metasploit PsExec NTDSGRAB module to obtain a copy of the victim Active Directory database.'), 'T1087.002': ('Fox Kitten has used the Softerra LDAP browser to browse documentation on service accounts.'), 'T1087.002': ('IcedID can query LDAP to identify additional users on the network to infect.'), 'T1087.002': ('Ke3chang performs account discovery using commands such as net localgroup administrators and net group "REDACTED" /domain on specific permissions groups.'), 'T1087.002': ('menuPass has used the Microsoft administration tool csvde.exe to export Active Directory 
data.'), 'T1087.002': ('MuddyWater has used cmd.exe net user /domain to enumerate domain users.'), 'T1087.002': ('Net commands used with the /domain flag can be used to gather information about and manipulate user accounts on the current domain.'), 'T1087.002': ('OilRig has run net user, net user /domain, net group "domain admins" /domain, and net group "Exchange Trusted Subsystem" /domain to get account listings on a victim.'), 'T1087.002': ('Operation Wocao has used the net command to retrieve information about domain accounts.'), 'T1087.002': ('OSInfo enumerates local and domain users.'), 'T1087.002': ('Poseidon Group searches for administrator accounts on both the local victim machine and the network.'), 'T1087.002': ('PoshC2 can enumerate local and domain user account information.'), 'T1087.002': ('POWRUNER may collect user account information by running net user /domain or a series of other commands on a victim.'), 'T1087.002': ('Sandworm Team has used a tool to query Active Directory using LDAP, discovering information about usernames listed in AD.'), 'T1087.002': ('SoreFang can enumerate domain accounts via net.exe user /domain.'), 'T1087.002': ('Sykipot may use net group "domain admins" /domain to display accounts in the domain admins permissions group and net localgroup administrators to list local system administrator group membership.'), 'T1087.002': ('Turla has used net user /domain to enumerate domain accounts.'), 'T1087.002': ('Valak has the ability to enumerate domain admin accounts.'), 'T1087.002': ('Wizard Spider has identified domain admins through the use of net group "Domain admins" commands.'), 'T1505.001': ('Threat actors may abuse SQL stored procedures to establish persistent access to systems.'), 'T1505.001': ('Adversaries may craft or modify CLR assemblies that are linked to stored procedures, since these CLR assemblies can be made to execute arbitrary commands.'), 'T1505.001': ('As a result, the stored procedures will run the next time a patch is applied to SQL 
Server or the server is restarted.'), 'T1505.001': ('Create a stored procedure to use the xp_cmdshell stored procedure to download and execute a PowerShell payload from the internet using the query below.'), 'T1505.001': ('The SQL injection string attempted to launch PowerShell via the xp_cmdshell stored procedure.'), 'T1505.001': ('An unspecified vulnerability exists within the Stored Procedure component in Oracle MySQL Server 8.0.23 that, when exploited, allows an authenticated attacker to remotely manipulate data and cause a complete denial-of-service (DoS) condition.'), 'T1505.002': ('LightNeuron has used a malicious Microsoft Exchange transport agent for persistence.'), 'T1505.002': ('Adversaries may abuse Microsoft transport agents to establish persistent access to systems.'), 'T1505.002': ('Though a malicious transport agent may be invoked for all emails passing through the Exchange transport pipeline, the agent can be configured to only carry out specific tasks in response to adversary-defined criteria.'), 'T1505.002': ('Leveraging a Microsoft Exchange Transport Agent for persistence is something unique and never before seen.'), 'T1505.002': ('The Turla tool leverages a Microsoft Exchange transport agent in parallel with XTRANS to receive and process email messages delivered to the Exchange server.'), 'T1560.003': ('ADVSTORESHELL compresses output data generated by command execution with a custom implementation of the Lempel-Ziv-Welch (LZW) algorithm.'), 'T1560.003': ('Agent.btz saves system information into an XML file that is then XOR-encoded.'), 'T1560.003': ('Attor encrypts collected data with a custom implementation of the Blowfish and RSA ciphers.'), 'T1560.003': ('CopyKittens encrypts data with a substitution cipher prior to exfiltration.'), 'T1560.003': ('Modules can be pushed to and executed by Duqu that copy data to a staging area, compress it, and XOR encrypt it.'), 'T1560.003': ('FIN6 has encoded data gathered from the victim with a simple substitution cipher 
and single-byte XOR using the 0xAA key and Base64 with character permutation.'), 'T1560.003': ('FLASHFLOOD employs the same encoding scheme as SPACESHIP for data it stages. Data is compressed with zlib and bytes are rotated four times before being XORed with 0x23.'), 'T1560.003': ('FrameworkPOS can XOR credit card information before exfiltration.'), 'T1560.003': ('HAWKBALL has encrypted data with XOR before sending it over the C2 channel.'), 'T1560.003': ('InvisiMole uses a variation of the XOR cipher to encrypt files before exfiltration.'), 'T1560.003': ('Kimsuky has used RC4 encryption before exfiltration.'), 'T1560.003': ('A Lazarus Group malware sample encrypts data using a simple byte-based XOR operation prior to exfiltration.'), 'T1560.003': ('Data collected by Machete is encrypted with AES before exfiltration.'), 'T1560.003': ('MESSAGETAP has XOR-encrypted and stored contents of SMS messages that matched its target list.'), 'T1560.003': ('Mustang Panda has encrypted documents with RC4 prior to exfiltration.'), 'T1560.003': ('NETWIRE has used a custom encryption algorithm to encrypt collected data.'), 'T1560.003': ('Okrum has used a custom implementation of AES encryption to encrypt collected data.'), 'T1560.003': ('OopsIE compresses collected files with a simple character replacement scheme before sending them to its C2 server.'), 'T1560.003': ('OwaAuth DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file.'), 'T1560.003': ('Ramsay can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR.'), 'T1560.003': ('RawPOS encodes credit card data it collected from the victim with XOR.'), 'T1560.003': ('Reaver encrypts collected data with an incremental XOR key prior to exfiltration.'), 'T1560.003': ('RGDoor encrypts files with XOR before sending them back to the C2 server.'), 'T1560.003': ('Rising Sun can archive data using RC4 encryption and Base64 encoding prior to 
exfiltration.'), 'T1560.003': ('Data SPACESHIP copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XORed with 0x23.'), 'T1560.003': ('StrongPity can compress and encrypt archived files into multiple .sft files with a repeated XOR encryption scheme.'), 'T1560.003': ('T9000 encrypts collected data using a single-byte XOR key.'), 'T1543.001': ('Bundlore can persist via a LaunchAgent.'), 'T1543.001': ('Calisto adds a .plist file to the /Library/LaunchAgents folder to maintain persistence.'), 'T1543.001': ('CoinTicker creates user launch agents named .espl.plist and com.apple.<random string>.plist to establish persistence.'), 'T1543.001': ('CookieMiner has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software.'), 'T1543.001': ('CrossRAT creates a Launch Agent on macOS.'), 'T1543.001': ('Dacls can establish persistence via a LaunchAgent.'), 'T1543.001': ('Dok persists via a Launch Agent.'), 'T1543.001': ('FruitFly persists via a Launch Agent.'), 'T1543.001': ('Keydnap uses a Launch Agent to persist.'), 'T1543.001': ('The Komplex trojan creates a persistent launch agent called $HOME/Library/LaunchAgents/com.apple.updates.plist with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist.'), 'T1543.001': ('MacSpy persists via a Launch Agent.'), 'T1543.001': ('NETWIRE can use launch agents for persistence.'), 'T1543.001': ('OSX_OCEANLOTUS.D can create a persistence file in the folder /Library/LaunchAgents.'), 'T1543.001': ('Proton persists via a Launch Agent.'), 'T1543.001': ('ThiefQuest installs a launch item using an embedded, encrypted launch agent property list template. 
The plist file is installed in the ~/Library/LaunchAgents folder and configured with the path to the persistent binary located in the ~/Library folder.'), 'T1560.001': ('APT1 has used RAR to compress files before moving them outside of the victim network.'), 'T1560.001': ('APT29 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.'), 'T1560.001': ('APT3 has used tools to compress data before exfiltrating it.'), 'T1560.001': ('APT33 has used WinRAR to compress data prior to exfiltration.'), 'T1560.001': ('APT39 has used WinRAR and 7-Zip to compress and archive stolen data.'), 'T1560.001': ('APT41 created a RAR archive of targeted files for exfiltration.'), 'T1560.001': ('BRONZE BUTLER has compressed data into password-protected RAR archives prior to exfiltration.'), 'T1560.001': ('Calisto uses the zip -r command to compress the data collected on the local system.'), 'T1560.001': ('Chimera has used gzip for Linux OS and a modified RAR software to archive data on Windows hosts.'), 'T1560.001': ('CopyKittens uses ZPP, a .NET console program, to compress files with ZIP.'), 'T1560.001': ('CORALDECK has created password-protected RAR, WinImage, and zip archives to be exfiltrated.'), 'T1560.001': ('Crutch has used the WinRAR utility to compress and encrypt stolen files.'), 'T1560.001': ('Daserf hides collected data in password-protected .rar archives.'), 'T1560.001': ('DustySky can compress files via RAR while staging data to be exfiltrated.'), 'T1560.001': ('FIN8 has used RAR to compress collected data before exfiltration.'), 'T1560.001': ('Fox Kitten has used 7-Zip to archive data.'), 'T1560.001': ('GALLIUM used WinRAR to compress and encrypt stolen data prior to exfiltration.'), 'T1560.001': ('Gallmaker has used WinZip, likely to archive data prior to exfiltration.'), 'T1560.001': ('HAFNIUM has used 7-Zip and WinRAR to compress stolen files for exfiltration.'), 'T1560.001': ('iKitten will zip up the /Library/Keychains directory before 
exfiltrating it.'), 'T1560.001': ('InvisiMole uses WinRAR to compress data that is intended to be exfiltrated.'), 'T1560.001': ('Ke3chang is known to use RAR with passwords to encrypt data prior to exfiltration.'), 'T1560.001': ('Magic Hound has used RAR to stage and compress local folders.'), 'T1560.001': ('menuPass has compressed files before exfiltration using TAR and RAR.'), 'T1560.001': ('Micropsia creates a RAR archive based on collected files on the victim machine.'), 'T1560.001': ('MuddyWater has used the native Windows cabinet creation tool, makecab.exe, likely to compress stolen data to be uploaded.'), 'T1560.001': ('Mustang Panda has used RAR to create password-protected archives of collected documents prior to exfiltration.'), 'T1560.001': ('Okrum was seen using a RAR archiver tool to compress/decompress data.'), 'T1560.001': ('OopsIE compresses collected files with GZipStream before sending them to its C2 server.'), 'T1560.001': ('Operation Wocao has archived collected files with WinRAR prior to exfiltration.'), 'T1560.001': ('PoetRAT has the ability to compress files with zip.'), 'T1560.001': ('PoshC2 contains a module for compressing data using ZIP.'), 'T1560.001': ('PowerShower has used 7Zip to compress .txt, .pdf, .xls, or .doc files prior to exfiltration.'), 'T1560.001': ('PUNCHBUGGY has Gzipped information and saved it to a random temp file before exfiltration.'), 'T1560.001': ('Pupy can compress data with Zip before sending it over C2.'), 'T1560.001': ('Ramsay can compress and archive collected files using WinRAR.'), 'T1560.001': ('Sowbug extracted documents and bundled them into a RAR archive.'), 'T1560.001': ('Turla has encrypted files stolen from connected USB drives into a RAR file before exfiltration.'), 'T1560.001': ('UNC2452 used 7-Zip to compress stolen emails into password-protected archives prior to exfiltration.'), 'T1560.001': ('WindTail has the ability to use the macOS built-in zip utility to archive files.'), 'T1558.002': ('Empire can leverage 
its implementation of Mimikatz to obtain and use silver tickets.'), 'T1558.002': ('The Mimikatz kerberos module can create silver tickets.'), 'T1558.002': ('Silver Tickets are forged Kerberos Ticket Granting Service (TGS) tickets, also called service tickets.'), 'T1558.002': ('Adversaries who have the password hash of a target service account (e.g. SharePoint, MSSQL) may forge Kerberos ticket granting service (TGS) tickets, also known as silver tickets.'), 'T1558.002': ('Silver Tickets can be more dangerous than Golden Tickets: while the scope is more limited than Golden Tickets, the required hash is easier to get and there is no communication with a DC when using them, so detection is more difficult than for Golden Tickets.'), 'T1558.002': ('Once a threat actor has gained access to at least one service account and extracted its password or password hash, they can conduct a silver-ticket attack, forging service tickets that provide access to the service whose account was compromised.'), 'T1547.008': ('Pasam establishes persistence by infecting the Security Accounts Manager (SAM) DLL to load a malicious DLL dropped to disk.'), 'T1547.008': ('Wingbird drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe, before the spoofed service becomes unstable and crashes.'), 'T1547.008': ('Adversaries may target LSASS drivers to obtain persistence. By either replacing or adding illegitimate drivers (e.g. 
Hijack Execution Flow), an adversary can use LSA operations to continuously execute malicious payloads.'), 'T1547.008': ('Adversaries may modify or add LSASS drivers to obtain persistence on compromised systems.'), 'T1547.008': ('Hunting efforts identified an atypical living-off-the-land technique being employed to exploit the LSASS process via the use of comsvcs.dll.'), 'T1547.005': ('Empire can enumerate Security Support Providers (SSPs) as well as utilize PowerSploit Install-SSP and Invoke-Mimikatz to install malicious SSPs and log authentication events.'), 'T1547.005': ('Lazarus Group has rebooted victim machines to establish persistence by installing an SSP DLL.'), 'T1547.005': ('The Mimikatz credential dumper contains an implementation of an SSP.'), 'T1547.005': ('The PowerSploit Install-SSP Persistence module can be used to establish persistence by installing an SSP DLL.'), 'T1547.005': ('Adversaries may abuse security support providers (SSPs) to execute DLLs when the system boots.'), 'T1547.003': ('Adversaries may abuse this architecture to establish persistence, specifically by registering and enabling a malicious DLL as a time provider.'), 'T1547.003': ('Actors may abuse time providers to execute DLLs when the system boots.'), 'T1547.003': ('Reports indicate that any user may start the W32Time service. 
This may be used to aid in further attacks launched against the vulnerable computer.'), 'T1547.003': ('Once initial access was obtained, the attacker was able to achieve persistence via a custom-crafted DLL that presented as a time provider.'), 'T1547.003': ('During this incident, Time Provider Registry keys were modified to enable the implanted DLL to be run as a time service.'), 'T1003.002': ('Cobalt Strike can recover hashed passwords.'), 'T1003.002': ('CosmicDuke collects Windows account hashes.'), 'T1003.002': ('Password stealer and NTLM stealer modules in CozyCar harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication.'), 'T1003.002': ('CrackMapExec can dump usernames and hashed passwords from the SAM.'), 'T1003.002': ('Dragonfly 2.0 dropped and executed SecretsDump to dump password hashes.'), 'T1003.002': ('Fgdump can dump Windows password hashes.'), 'T1003.002': ('GALLIUM used reg commands to dump specific hives from the Windows Registry, such as the SAM hive, and obtain password hashes.'), 'T1003.002': ('gsecdump can dump Windows password hashes from the SAM.'), 'T1003.002': ('HOPLIGHT has the capability to harvest credentials and passwords from the SAM database.'), 'T1003.002': ('SecretsDump and Mimikatz modules within Impacket can perform credential dumping to obtain account and password information.'), 'T1003.002': ('Ke3chang has dumped credentials, including by using gsecdump.'), 'T1003.002': ('Koadic can gather hashed passwords by dumping the SAM/SECURITY hives.'), 'T1003.002': ('menuPass has used a modified version of the pentesting tools wmiexec.vbs and secretsdump.py to dump credentials.'), 'T1003.002': ('Mimikatz performs credential dumping to obtain account and password information useful in gaining access to additional systems and enterprise network resources. 
It contains functionality to acquire information about credentials in many ways, including from the SAM table.'), 'T1003.002': ('Mivast has the capability to gather NTLM password information.'), 'T1003.002': ('Night Dragon has dumped account hashes with Carbanak and cracked them with Cain & Abel.'), 'T1003.002': ('POWERTON has the ability to dump password hashes.'), 'T1003.002': ('pwdump can be used to dump credentials from the SAM.'), 'T1003.002': ('Remsec can dump the SAM database.'), 'T1003.002': ('Threat Group-3390 actors have used gsecdump to dump credentials. They have also dumped credentials from domain controllers.'), 'T1003.002': ('Wizard Spider has acquired credentials from the SAM/SECURITY registry hives.'), 'T1547.002': ('Flame can use Windows Authentication Packages for persistence.'), 'T1547.002': ('Adversaries may abuse authentication packages to execute DLLs when the system boots.'), 'T1547.002': ('Adversaries can use the autostart mechanism provided by LSA authentication packages for persistence by placing a reference to a binary in the Windows Registry.'), 'T1547.002': ('An authentication package (AP) can be used by a malicious actor to extend interactive logon authentication, i.e. 
to enable RSA token authentication.'), 'T1547.002': ('At startup, mssecmgr.ocx is loaded as an LSA Authentication Package.'), 'T1021.006': ('APT29 has used WinRM via PowerShell to execute commands and payloads on remote hosts.'), 'T1021.006': ('Chimera has used WinRM for lateral movement.'), 'T1021.006': ('Cobalt Strike can use WinRM to execute a payload on a remote host.'), 'T1021.006': ('Threat Group-3390 has used WinRM to enable remote execution.'), 'T1021.006': ('UNC2452 has used WinRM via PowerShell to execute commands and payloads on remote hosts.'), 'T1021.006': ('Wizard Spider has used Windows Remote Management to move laterally through a victim network.'), 'T1037.005': ('jRAT can list and manage startup entries.'), 'T1037.005': ('Adversaries may use startup items automatically executed at boot initialization to establish persistence.'), 'T1037.005': ('Attackers can create the appropriate folders/files in the StartupItems directory to register their own persistence mechanism.'), 'T1037.005': ('Renepo is an older OS X malware sample that persists as a startup item.'), 'T1037.005': ('The malware achieves persistence by placing its script (and a StartupParameters.plist) in a sub-directory of either the /System/Library/StartupItems or /Library/StartupItems directory.'), 'T1037.003': ('Adversaries may use network logon scripts automatically executed at logon initialization to establish persistence.'), 'T1037.003': ('APT31 has been known to leverage boot or logon initialization scripts to achieve persistence and lateral movement.'), 'T1037.003': ('Attackers may use boot or logon scripts to maintain persistence on a network. 
Depending on the access configuration of the logon scripts, either local credentials or an administrator account may be necessary.'), 'T1037.003': ('One of the FontOnLake rootkits can be executed with a startup script.'), 'T1037.003': ('At the first machine reboot, the LNK file placed into the system Startup folder triggers the execution of the devtmrn.exe executable.'), 'T1037.001': ('An APT28 loader Trojan adds the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.'), 'T1037.001': ('Attor dispatcher can establish persistence via adding a Registry key with a logon script: HKEY_CURRENT_USER\Environment\UserInitMprLogonScript.'), 'T1037.001': ('Cobalt Group has added persistence by registering the file name for the next stage malware under HKCU\Environment\UserInitMprLogonScript.'), 'T1037.001': ('JHUHUGIT has registered a Windows shell script under the Registry key HKCU\Environment\UserInitMprLogonScript to establish persistence.'), 'T1037.001': ('KGH_SPY has the ability to set the HKCU\Environment\UserInitMprLogonScript Registry key to execute logon scripts.'), 'T1037.001': ('Zebrocy performs persistence with a logon script via adding to the Registry key HKCU\Environment\UserInitMprLogonScript.'), 'T1546.014': ('Adversaries may gain persistence and elevate privileges by executing malicious content triggered by the Event Monitor Daemon (emond).'), 'T1546.014': ('Attackers abuse the emond service by writing a rule to execute commands when a defined event occurs, such as system startup or user authentication.'), 'T1546.014': ('Actors may also be able to escalate privileges from administrator to root, as the emond service is executed with root privileges by the Launch Daemon service.'), 'T1546.014': ('The ransomware was triggered by a custom rule that caused the event monitor daemon to execute the malware during user logon.'), 'T1546.014': ('Malware was executed by forcing a reboot of the victim computer after placing a custom rule that was executed by the emond process 
during startup.'), 'T1546.013': ('Turla has used PowerShell profiles to maintain persistence on an infected machine.'), 'T1546.013': ('Adversaries may gain persistence and elevate privileges by executing malicious content triggered by PowerShell profiles. A PowerShell profile (profile.ps1) is a script that runs when PowerShell starts and can be used as a logon script to customize user environments.'), 'T1546.013': ('An adversary may also be able to escalate privileges if a script in a PowerShell profile is loaded and executed by an account with higher privileges, such as a domain administrator.'), 'T1546.013': ('The actor started using PowerShell scripts that provide direct in-memory loading and execution of malware executables and libraries.'), 'T1546.013': ('The activity used PowerShell, likely to load the BELUGASTURGEON implant COMRAT on compromised clients.'), 'T1056.003': ('Adversaries may install code on externally facing portals, such as a VPN login page, to capture and transmit credentials of users who attempt to log into the service.'), 'T1056.003': ('Attackers have been able to successfully implant JavaScript code on the login pages that enables them to surreptitiously steal employee credentials as they log in to access internal corporate resources.'), 'T1056.003': ('A vulnerability in the Clientless SSL VPN portal customization framework could allow an unauthenticated remote attacker to modify the content of the Clientless SSL VPN portal, which could lead to several attacks, including the stealing of credentials, cross-site scripting (XSS), and other types of web attacks on the client using the affected system.'), 'T1056.003': ('Threat actors sold and deployed phishing pages mimicking financial sites to obtain credentials or financial information.'), 'T1056.003': ('Threat actors sold and deployed phishing pages mimicking government e-portals to obtain credentials or financial information.'), 'T1056.002': ('Bundlore prompts the user for their credentials.'), 
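An added example (written for this page, not code from the original corpus or from any of the tools or vendors the entries cite): a small Python classifier that maps Windows process-creation command lines onto the sub-techniques whose entries appear on this page, covering the net localgroup, net user /domain, net group "domain admins" /domain, dsquery and csvde discovery commands (T1069.001, T1087.002), reg save of the SAM/SECURITY/SYSTEM hives (T1003.002), the HKCU\Environment\UserInitMprLogonScript key (T1037.001), profile.ps1 writes (T1546.013), at.exe task creation (T1053.002), New-MailboxExportRequest (T1114.001) and netsh add helper (T1546.007). The regexes, the normalisation step and the sample command lines are this example's own assumptions; the sample lines are constructed, not real telemetry, and the patterns are illustrative rather than a rule set from any named product.

```python
"""Added example: classify Windows command lines against the ATT&CK
sub-techniques described in the surrounding entries. Not code from the
original corpus; rules and samples are this example's own assumptions."""
import re
from collections import Counter

# (ATT&CK sub-technique, regex applied to the normalised command line).
# Each pattern approximates the command the corpus entries quote; they are
# illustrative assumptions, not a vendor or project rule set.
RULES = [
    ("T1069.001", re.compile(r"\bnet1?(?:\.exe)?\s+localgroup\b")),
    ("T1087.002", re.compile(r"\bnet1?(?:\.exe)?\s+(?:user|group)\b.*\s/dom(?:ain)?\b")),
    ("T1087.002", re.compile(r"\b(?:dsquery|csvde)(?:\.exe)?\b")),
    ("T1053.002", re.compile(r"\bat(?:\.exe)?\s+(?:\\\\\S+\s+)?\d{1,2}:\d{2}\b")),
    ("T1003.002", re.compile(
        r"\breg(?:\.exe)?\s+save\s+(?:hklm|hkey_local_machine)\\(?:sam|security|system)\b")),
    ("T1114.001", re.compile(r"\bnew-mailboxexportrequest\b")),
    ("T1546.007", re.compile(r"\bnetsh(?:\.exe)?\s+add\s+helper\b")),
    ("T1037.001", re.compile(r"\\environment\b.*\buserinitmprlogonscript\b")),
    ("T1546.013", re.compile(r"profile\.ps1\b")),
]


def normalise(cmdline: str) -> str:
    """Lower-case, drop quotes and collapse whitespace so that
    net  group "Domain Admins" /domain and net group domain admins /domain
    compare equal; every rule above is written against this form."""
    cmdline = cmdline.lower().replace('"', "").replace("'", "")
    return re.sub(r"\s+", " ", cmdline).strip()


def classify(cmdline: str) -> list:
    """Return the sub-technique IDs whose rule matches, de-duplicated, in rule order."""
    norm = normalise(cmdline)
    hits = []
    for technique, pattern in RULES:
        if pattern.search(norm) and technique not in hits:
            hits.append(technique)
    return hits


def scan(cmdlines) -> list:
    """Classify each line and keep only those that hit at least one rule."""
    findings = []
    for line in cmdlines:
        hits = classify(line)
        if hits:
            findings.append({"cmdline": line, "techniques": hits})
    return findings


def summarise(findings) -> dict:
    """Count flagged lines per sub-technique (one line may count towards several)."""
    return dict(Counter(t for f in findings for t in f["techniques"]))


# Constructed sample telemetry for the demonstration; these are not real logs.
SAMPLE_CMDLINES = [
    r"net localgroup administrators",
    r'net  group "Domain Admins" /domain',
    r"C:\Windows\System32\at.exe \\FILESRV01 02:30 cmd /c C:\Temp\a.exe",
    r"reg.exe save HKLM\SAM C:\Windows\Temp\sam.hiv",
    r'powershell -c "New-MailboxExportRequest -Mailbox ceo -FilePath \\srv\c$\m.pst"',
    r"netsh.exe add helper C:\Users\Public\helper.dll",
    r"reg add HKCU\Environment /v UserInitMprLogonScript /t REG_SZ /d C:\Users\Public\run.bat",
    r'cmd /c echo hi > "%USERPROFILE%\Documents\WindowsPowerShell\profile.ps1"',
    r"net user /domain",
    r"ping -n 1 fileserver",
    r"dsquery user -limit 0",
]

if __name__ == "__main__":
    results = scan(SAMPLE_CMDLINES)
    for finding in results:
        print(", ".join(finding["techniques"]), "<-", finding["cmdline"])
    print(summarise(results))
```

The normalisation step matters more than the individual patterns: quoting and spacing vary across shells and loggers, and a rule written against the raw command line misses net1.exe, doubled spaces or quoted group names. Local-only variants such as net user administrator are deliberately not matched, since the entries above tie /domain to T1087.002 and plain net localgroup to T1069.001.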
'T1056.002': ('Calisto presents an input prompt asking for the user login and password.'), 'T1056.002': ('Dok prompts the user for credentials.'), 'T1056.002': ('FIN4 has presented victims with spoofed Windows Authentication prompts to collect their credentials.'), 'T1056.002': ('iKitten prompts the user for their credentials.'), 'T1056.002': ('Keydnap prompts the user for credentials.'), 'T1056.002': ('Metamorfo has displayed fake forms on top of banking sites to intercept credentials from victims.'), 'T1056.002': ('Proton prompts users for their credentials.'), 'T1003.005': ('APT33 has used a variety of publicly available tools, like LaZagne, to gather credentials.'), 'T1003.005': ('Cachedump can extract cached password hashes from cache entry information.'), 'T1003.005': ('LaZagne can perform credential dumping from MSCache to obtain account and password information.'), 'T1003.005': ('Leafminer used several tools for retrieving login and password information, including LaZagne.'), 'T1003.005': ('MuddyWater has performed credential dumping with LaZagne.'), 'T1003.005': ('OilRig has used credential dumping tools such as LaZagne to steal credentials to accounts logged into the compromised system and to Outlook Web Access.'), 'T1003.005': ('Okrum was seen using a modified Quarks PwDump to perform credential dumping.'), 'T1003.005': ('Pupy can use LaZagne for harvesting credentials.'), 'T1546.007': ('netsh can be used as a persistence proxy technique to execute a helper DLL when netsh.exe is executed.'), 'T1546.007': ('Adversaries can use netsh.exe helper DLLs to trigger execution of arbitrary code in a persistent manner.'), 'T1546.007': ('The attackers established persistence by executing malicious content triggered by Netsh Helper DLLs.'), 'T1546.007': ('Threat group FIN13 has been observed to use netsh to install the downloader known as DRAWSTRING.'), 'T1546.007': ('A previously unknown Chinese hacking group used netsh rules to attempt to bypass network restrictions on 
the victim machine.'), 'T1114.001': ('APT1 uses the utilities GETMAIL and MAPIGET to steal email. GETMAIL extracts emails from archived Outlook .pst files.'), 'T1114.001': ('Carbanak searches recursively for Outlook personal storage table (PST) files within user directories and sends them back to the C2 server.'), 'T1114.001': ('Chimera has harvested data from victim e-mail, including through execution of wmic /node:<IP> process call create "cmd /c copy c:\Users\<username>\backup.pst c:\windows\temp\backup.pst" copy "i:\<redacted>\My Documents\<filename>.pst" copy.'), 'T1114.001': ('CosmicDuke searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration.'), 'T1114.001': ('Crimson contains a command to collect and exfiltrate emails from Outlook.'), 'T1114.001': ('Emotet has been observed leveraging a module that scrapes email data from Outlook.'), 'T1114.001': ('Empire has the ability to collect emails on a target system.'), 'T1114.001': ('KGH_SPY can harvest data from mail clients.'), 'T1114.001': ('Magic Hound has collected .PST archives.'), 'T1114.001': ('Out1 can parse e-mails on a target machine.'), 'T1114.001': ('Pupy can interact with the Outlook session of a victim and look through folders and emails.'), 'T1114.001': ('Smoke Loader searches through Outlook files and directories (e.g. 
inbox, sent, templates, drafts, archives, etc.).'), 'T1114.001': ('The FBI and CISA have detected multiple zero-day exploits with actors attempting to collect mailbox data in the form of .ost files from Microsoft Exchange servers.'), 'T1114.001': ('Warzone includes functionality for stealing data from browsers and email clients.'), 'T1114.001': ('The PowerShell cmdlet New-MailboxExportRequest is used to export and steal mailboxes and has been observed in use by Chinese state-sponsored actors.'), 'T1546.005': ('Cobalt Strike often achieves persistence by executing malicious code through a system event triggered by the trap command.'), 'T1546.005': ('WMI runs commands on remote systems via malicious commands triggered through a system event such as the trap command.'), 'T1546.005': ('Helper .dll files can be utilized for persistence, often executed through the trap command.'), 'T1546.005': ('Remote access trojans (RATs) such as Neurevt maintain persistence on a machine with malicious payloads triggered via a system event such as the trap command.'), 'T1546.005': ('The trap command can be utilised to achieve code execution when an interrupt signal is received.'), 'T1213.001': ('APT41 often gathers information from popular data sharing repositories such as Confluence.'), 'T1213.001': ('Lebanese Cedar, an APT group, often creates campaigns where a large amount of data is stolen from Confluence.'), 'T1213.001': ('Confluence and JIRA are popular targets for APT groups wishing to obtain sensitive documents and share them publicly.'), 'T1213.001': ('A popular reconnaissance technique that threat actors employ is to steal data from company data repositories such as Confluence.'), 'T1213.001': ('Given that companies often store development documentation on Confluence, it is often a target for APT27 to harvest data from.'), 'T1213.002': ('APT28 has collected information from Microsoft SharePoint services within target networks.'), 'T1213.002': ('Chimera has collected 
documents from the victim SharePoint.'), 'T1213.002': ('Ke3chang used a SharePoint enumeration and data dumping tool known as spwebmember.'), 'T1213.002': ('spwebmember is used to enumerate and dump information from Microsoft SharePoint.'), 'T1213.002': ('After achieving persistence on a network threat actors will often move to harvesting data from popular data repositories such as SharePoint.'), 'T1053.002': ('APT18 actors used the native at Windows task scheduler tool to use scheduled tasks for execution on a victim network.'), 'T1053.002': ('at can be used to schedule a task on a system.'), 'T1053.002': ('BRONZE BUTLER has used at to register a scheduled task to execute malware during lateral movement.'), 'T1053.002': ('CrackMapExec can set a scheduled task on the target system to execute commands remotely using at.'), 'T1053.002': ('MURKYTOP has the capability to schedule remote AT jobs.'), 'T1053.002': ('Threat Group-3390 actors use at to schedule tasks to run self-extracting RAR archives which install HTTPBrowser or PlugX on other victims on a network.'), 'T1053.002': ('Lateral movement within infrastructure has been observed by CTU analysts with attackers utilising at.exe for the movement.'), 'T1053.002': ('Scheduled tasks that run using at.exe could be an indicator of a deprecated program that needs to be updated or of malicious activity.'), 'T1053.002': ('The Bamital Trojan utilised at.exe for privilege escalation.'), 'T1098.003': ('WastedLocker often achieves persistence through creating user accounts or upgrading existing accounts to have Office 365 Administrator privileges.'), 'T1098.003': ('Phishing campaigns targeting business tech and telecom industries often use phishing emails to compromise an account before upgrading it to an Office 365 Administrator for further malicious activity.'), 'T1098.003': ('SODINOKIBI a REvil ransomware as a service (RaaS) can compromise accounts and achieve persistence through malicious code executed via privileges 
achieved via an account being upgraded to an administrator of Office 365.'), 'T1098.003': ('APT41 employs a variety of persistence methods one of which involved increasing the privileges of a compromised account through the Office 365 Administrator role.'), 'T1098.003': ('In order to compromise more accounts TEMP.Zagros employs malicious software which will increase the privileges of an already compromised account by upgrading its Office 365 account to an administrator one.'), 'T1542.002': ('Equation is known to have the capability to overwrite the firmware on hard drives from some manufacturers.'), 'T1542.002': ('Trickbot will often achieve persistence through compromising the firmware of a system.'), 'T1542.002': ('UEFI-related attacks increasingly involve the component firmware of critical systems being compromised.'), 'T1542.002': ('Attackers are increasingly targeting the firmware of component systems to achieve persistence as its integrity often cannot be verified as well as that of the main system components.'), 'T1542.002': ('APT34 can achieve persistence on machines via compromising component firmware allowing them to execute low level commands before the BIOS loads.'), 'T1021.004': ('APT39 used secure shell (SSH) to move laterally among their targets.'), 'T1021.004': ('Cobalt Strike can SSH to a remote service.'), 'T1021.004': ('Empire contains modules for executing commands over SSH as well as in-memory VNC agent injection.'), 'T1021.004': ('Fox Kitten has used the PuTTY and Plink tools for lateral movement.'), 'T1021.004': ('GCMAN uses Putty for lateral movement.'), 'T1021.004': ('Kinsing has used SSH for lateral movement.'), 'T1021.004': ('Leviathan used ssh for internal reconnaissance.'), 'T1021.004': ('menuPass has used Putty Secure Copy Client (PSCP) to transfer data.'), 'T1021.004': ('OilRig has used Putty to access compromised systems.'), 'T1021.004': ('Rocke has spread its coinminer via SSH.'), 'T1021.004': ('TEMP.Veles has relied on encrypted SSH-based 
tunnels to transfer tools and for remote command program execution.'), 'T1021.004': ('SSH fingerprint data shows that Sysrv-hello compromised 26 servers utilising them as C2 servers.'), 'T1021.004': ('APT24 has utilised SSH in addition to a credential stealer such as MIMIKATZ to operate on victim hosts.'), 'T1021.004': ('SSH client Bitvise was used to log into a VMWare ESXi with an open SSH connection.'), 'T1053.003': ('Anchor can install itself as a cron job.'), 'T1053.003': ('Exaramel for Linux uses crontab for persistence if it does not have root privileges.'), 'T1053.003': ('Janicab used a cron job for persistence on Mac devices.'), 'T1053.003': ('Kinsing has used crontab to download and run shell scripts every minute to ensure persistence.'), 'T1053.003': ('NETWIRE can use crontabs to establish persistence.'), 'T1053.003': ('Penquin can use Cron to create periodic and pre-scheduled background jobs.'), 'T1053.003': ('Rocke installed a cron job that downloaded and executed files from the C2.'), 'T1053.003': ('Skidmap has installed itself via crontab.'), 'T1053.003': ('SpeakUp uses cron tasks to ensure persistence.'), 'T1053.003': ('Xbash can create a cronjob for persistence if it determines it is on a Linux system.'), 'T1053.003': ('Muhstik a threat actor group often abuses the cron utility using crontab files within scripts such as IDM scripts to establish persistence.'), 'T1053.003': ('Chinese state sponsored actors often utilise CLI tools such as crontab to schedule malicious tasks that enumerate victim devices.'), 'T1053.003': ('Moobot a Mirai botnet variant achieves persistence through crontab and connections to malicious domains for communication and malware downloads.'), 'T1563.002': ('WannaCry enumerates current remote desktop sessions and tries to execute the malware on each session.'), 'T1563.002': ('REvil will hijack Remote Desktop Services (RDS) for lateral movement.'), 'T1563.002': ('CIS based ransomware such as Fonix will often try to infect as 
many machines that are accessed via lateral movement instigated from the hijacking of a Remote Desktop Protocol (RDP) session.'), 'T1563.002': ('Companies should ensure that Remote Desktop Services are secure as they are commonly hijacked by ransomware such as CryptConsole for movement and victim enumeration.'), 'T1563.002': ('Blocking RDP access from the internet is a recommended security policy to prevent it from being abused by Phobos a ransomware that can hijack RDP sessions.'), 'T1563.001': ('From old ransomware such as Cryakl to new ones like XMRLocker lateral movement via SSH hijacking is a popular TTP.'), 'T1563.001': ('Ransomware will utilise SSH vulnerabilities to move laterally within a system.'), 'T1563.001': ('Password policies should be implemented and enforced for SSH usage to prevent hijacking of weak standard passwords by malicious actors.'), 'T1563.001': ('Linux and Mac OS administrators should be wary of unprotected SSH communications within the network as these remote connections are a favourite way of maintaining persistence by threat actors.'), 'T1563.001': ('SSH certificates should always be validated as forged credentials will allow actors to move laterally within the network.'), 'T1053.004': ('Malware that installs .msi files often abuses the root privileges of launchd daemons to repeatedly execute malicious activity.'), 'T1053.004': ('Launchd can change the permissions of files escalating the privileges of malware.'), 'T1053.004': ('Copying malicious files from the installer location to the /Library/LaunchDaemons folder will escalate the privileges of the copied files.'), 'T1053.004': ('BeagleBoyz North Korean actors will often obfuscate their malware whilst simultaneously escalating its privilege through running the malware under the launchd privileged context.'), 'T1053.004': ('Reconnaissance and background checks can be routinely automated through scheduling a launchd task.'), 'T1053.001': ('Cryptocurrency miners abuse the at command on Linux to schedule recurring 
mining on victim machines.'), 'T1053.001': ('Communication with a CnC server can be automated via the at command on Linux OS.'), 'T1053.001': ('Golden Chickens Malware-as-a-Service (MaaS) will utilize at to schedule malicious tasks.'), 'T1053.001': ('Malware will exfiltrate stolen data at regular intervals on Linux servers through abusing the at command functionality.'), 'T1053.001': ('Ransomware will often schedule the encryption of victim data via the at command.'), 'T1021.002': ('Anchor can support Windows execution via SMB shares.'), 'T1021.002': ('APT3 will copy files over to Windows Admin Shares (like ADMIN$) as part of lateral movement.'), 'T1021.002': ('APT32 used Net to use Windows hidden network shares to copy their tools to remote machines for execution.'), 'T1021.002': ('APT39 has used SMB for lateral movement.'), 'T1021.002': ('APT41 has transferred implant files using Windows Admin Shares.'), 'T1021.002': ('BlackEnergy has run a plug-in on a victim to spread through the local network by using PsExec and accessing admin shares.'), 'T1021.002': ('Blue Mockingbird has used Windows Explorer to manually copy malicious files to remote hosts over SMB.'), 'T1021.002': ('Chimera has used Windows admin shares to move laterally.'), 'T1021.002': ('Cobalt Strike can use Windows admin shares (C$ and ADMIN$) for lateral movement.'), 'T1021.002': ('Conti can spread via SMB and encrypts files on different hosts potentially compromising an entire network.'), 'T1021.002': ('Deep Panda uses net.exe to connect to network shares using net use commands with compromised credentials.'), 'T1021.002': ('Adversaries can instruct Duqu to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). 
The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.'), 'T1021.002': ('Emotet leverages the Admin$ share for lateral movement once the local admin password has been brute forced.'), 'T1021.002': ('FIN8 has attempted to map to C$ on enumerated hosts to test the scope of their current credentials context.'), 'T1021.002': ('Fox Kitten has used valid accounts to access SMB shares.'), 'T1021.002': ('Ke3chang actors have been known to copy files to the network shares of other computers to move laterally.'), 'T1021.002': ('Kwampirs copies itself over network shares to move laterally on a victim network.'), 'T1021.002': ('Lazarus Group malware SierraAlfa accesses the ADMIN$ share via SMB to conduct lateral movement.'), 'T1021.002': ('Lucifer can infect victims by brute forcing SMB.'), 'T1021.002': ('Lateral movement can be done with Net through net use commands to connect to Windows admin shares on remote systems.'), 'T1021.002': ('Net Crawler uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement.'), 'T1021.002': ('NotPetya can use PsExec which interacts with the ADMIN$ network share to execute commands on remote systems.'), 'T1021.002': ('Olympic Destroyer uses PsExec to interact with the ADMIN$ network share to execute commands on remote systems.'), 'T1021.002': ('Operation Wocao has used Impacket smbexec.py as well as accessing the C$ and IPC$ shares to move laterally.'), 'T1021.002': ('Orangeworm has copied its backdoor across open network shares including ADMIN$ C$\WINDOWS D$\WINDOWS and E$\WINDOWS.'), 'T1021.002': ('PsExec a tool that has been used by adversaries writes programs to the ADMIN$ network share to execute commands on remote systems.'), 'T1021.002': ('The Regin malware platform can use Windows admin shares to move laterally.'), 'T1021.002': ('Ryuk has used the C$ network share for lateral movement.'), 'T1021.002': ('Shamoon accesses 
network share(s) enables share access to the target device copies an executable payload to the target system and uses a Scheduled Task Job to execute the malware.'), 'T1021.002': ('Threat Group-1314 actors mapped network drives using net use.'), 'T1021.002': ('Turla used net use commands to connect to lateral systems within a network.'), 'T1021.002': ('Wizard Spider has used SMB to drop Cobalt Strike Beacon on a domain controller for lateral movement.'), 'T1021.002': ('zwShell has been copied over network shares to move laterally.'), 'T1021.002': ('BlackMatter ransomware with stolen credentials often uses SMB to access the active directory (AD) and perform host discovery.'), 'T1021.002': ('Attackers often use Cobalt Strike functionality specifically named pipes in combination with SMB for lateral movement within networks.'), 'T1021.002': ('Net a utility program in Windows systems is often used by APT groups synchronously with SMB to perform a variety of tasks on host machines such as discovery lateral movement and system network information gathering.'), 'T1021.005': ('Carberp can start a remote VNC session by downloading a new plugin.'), 'T1021.005': ('Fox Kitten has installed TightVNC server and client on compromised servers and endpoints for lateral movement.'), 'T1021.005': ('GCMAN uses VNC for lateral movement.'), 'T1021.005': ('Proton uses VNC to connect into systems.'), 'T1021.005': ('ZxShell supports functionality for VNC sessions.'), 'T1021.005': ('Ramnit banking trojan and botnet uses VNC to access victim machines typically deploying the technique in later stages of the kill chain on command via the attacker C&C server.'), 'T1021.005': ('The SMOKEDHAM backdoor after executing PowerShell commands installs the UltraVNC application renamed winvnc.exe to establish remote control of a target computer.'), 'T1021.005': ('Many ransomware variants that utilise Cobalt Strike often combine its functionality with dual-use tools such as TightVNC for remote access to a 
target machine.'), 'T1021.003': ('Cobalt Strike can deliver beacon payloads for lateral movement by leveraging remote COM execution.'), 'T1021.003': ('Empire can utilize Invoke-DCOM to leverage remote COM execution for lateral movement.'), 'T1021.003': ('JuicyPotato exploits the Windows DCOM and SeImpersonate token privilege to elevate an unprivileged account to the highest level of privilege.'), 'T1021.003': ('The ExecuteShellCommand Method in Microsoft Management Console (MMC) 2.0 allows for lateral movement within a network when abusing DCOM with valid credentials.'), 'T1021.003': ('IcedID malware often accesses victim machines utilizing DCOM in combination with wuauclt.exe a Cobalt Strike tool.'), 'T1136.002': ('Empire has a module for creating a new domain user if permissions allow.'), 'T1136.002': ('GALLIUM created high-privileged domain user accounts to maintain access to victim networks.'), 'T1136.002': ('HAFNIUM has created and granted privileges to domain accounts.'), 'T1136.002': ('The net user username password domain commands in Net can be used to create a domain account.'), 'T1136.002': ('Pupy can use PowerView to execute net user commands and create domain accounts.'), 'T1136.002': ('A reverse proxy that establishes an RDP connection can allow for lateral movement and control of a domain account after which local administrator accounts can be created for persistence.'), 'T1136.002': ('Prior to infecting a victim with malware such as Black Kingdom ransomware attackers will often create domain administrator accounts achieved through various means such as VPN login with compromised credentials.'), 'T1136.002': ('Cobalt Strike persistence functionality allows for the creation of a new administrator account once a domain account has been compromised which is then added to the Administrator domain and granted AD domain privileges.'), 'T1136.001': ('APT3 has been known to create or enable accounts such as support_388945a0.'), 'T1136.001': 
('APT39 has created accounts on multiple compromised hosts to perform actions within the network.'), 'T1136.001': ('APT41 created user accounts and added them to the User and Admin groups.'), 'T1136.001': ('Calisto has the capability to add its own account to the victim machine.'), 'T1136.001': ('Carbanak can create a Windows account.'), 'T1136.001': ('Dragonfly 2.0 created accounts on victims including administrator accounts some of which appeared to be tailored to each individual staging target.'), 'T1136.001': ('Empire has a module for creating a local user if permissions allow.'), 'T1136.001': ('Flame can create backdoor accounts with login HelpAssistant on domain connected systems if appropriate rights are available.'), 'T1136.001': ('Fox Kitten has created a local user account with administrator privileges.'), 'T1136.001': ('GoldenSpy can create new users on an infected system.'), 'T1136.001': ('HiddenWasp creates a user account as a means to provide initial persistence to the compromised machine.'), 'T1136.001': ('Hildegard has created a user named monerodaemon.'), 'T1136.001': ('Leafminer used a tool called Imecab to set up a persistent remote access account on the victim machine.'), 'T1136.001': ('Mis-Type may create a temporary user on the system named Lost_{Unique Identifier}.'), 'T1136.001': ('The net user username password commands in Net can be used to create a local account.'), 'T1136.001': ('Pupy can use PowerView to execute net user commands and create local system accounts.'), 'T1136.001': ('S-Type may create a temporary user on the system named Lost_{Unique Identifier} with the password pond~!@6{Unique Identifier}.'), 'T1136.001': ('ServHelper has created a new user and added it to the Remote Desktop Users and Administrators groups.'), 'T1136.001': ('ZxShell has a feature to create local user accounts.'), 'T1136.001': ('A known TTP of APT34 is to create local user accounts with the net command for the purpose of lateral movement.'), 'T1136.001': 
('BazarLoader is known to deploy Cobalt Strike beacons which create local accounts in addition to domain accounts.'), 'T1136.001': ('Threat actors often create local accounts to maintain presence within a network before infecting machines with ransomware such as Phobos or RagnarLocker.'), 'T1195.003': ('APT41 historically executed supply chain compromises often via modification of hardware systems.'), 'T1195.003': ('Through modifying the hardware functionality of certain systems backdoors can be maintained and utilized.'), 'T1195.003': ('APT groups will often attempt to manipulate hardware components of systems to their advantage such as with Stuxnet.'), 'T1195.003': ('Industrial Control Systems (ICS) are often a target of attack with threat actors aiming to abuse hardware functionality.'), 'T1195.003': ('Threat actors will often establish initial access to a system via the abuse of hardware components.'), 'T1546.002': ('Gazer can establish persistence through the system screensaver by configuring it to execute the malware.'), 'T1546.002': ('Persistence can be maintained via user inactivity through masking a malicious executable as a screensaver .scr file.'), 'T1546.002': ('FIN13 will modify screensaver files to execute persistence functionality.'), 'T1546.002': ('By hiding code as screensaver files it can be executed with their privileges as these files are run within the privileged environment of the C:\Windows\System32 and C:\Windows\SysWOW64 folders.'), 'T1546.002': ('Cobalt Strike functionality allows for the creation of disposable processes that can establish persistence via the injection of malicious code into .scr files on Windows machines.'), 'T1003.008': ('LaZagne can obtain credential information from /etc/shadow using the shadow.py module.'), 'T1003.008': ('MAZE ransomware will enumerate user credentials by dumping user passwords usually hashed passwords from the /etc/passwd directory.'), 'T1003.008': ('Dumping credentials from the /etc/shadow directory is one way that EKANS 
ransomware steals credentials.'), 'T1003.008': ('Netwalker deploys various methods for credential stealing including utilising LaZagne to dump the shadow directory contents.'), 'T1003.008': ('Ransomware such as SODINOKIBI will attempt to dump hashed files from the /etc/passwd directory for offline cracking as they are easier to acquire than the shadow directory.'), 'T1137.002': ('APT28 has used the Office Test persistence mechanism within Microsoft Office by adding the Registry key HKCU\Software\Microsoft\Office test\Special\Perf to execute code.'), 'T1137.002': ('Cybersecurity professionals should monitor registry activity for Office to ensure that on startup it does not execute malicious binaries within the registry.'), 'T1137.002': ('DIRTPYLE malware will use Office startup to execute malicious binaries utilising the registry key HKCU\Software\Microsoft\Office test\Special\Perf.'), 'T1137.002': ('Gamaredon group favour the tactic of maintaining persistence through abusing Office startup registry keys.'), 'T1137.002': ('The Office Test Registry key does not come installed with Office by default so detecting its presence within a system could be a sign of malicious activity.'), 'T1553.004': ('certutil can be used to install browser root certificates as a precursor to performing man-in-the-middle between connections to banking websites. 
Example command: certutil -addstore -f -user ROOT ProgramData\cert512121.der.'), 'T1553.004': ('Dok installs a root certificate to aid in man-in-the-middle actions.'), 'T1553.004': ('Hikit uses certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root and certmgr.exe -add GlobalSign.cer -c -s -r localMachine TrustedPublisher to install a self-generated certificate to the local trust store as a root CA and Trusted Publisher.'), 'T1553.004': ('RTM can add a certificate to the Windows store.'), 'T1553.004': ('Babuk ransomware often installs a root certificate during its initial download stages to legitimise its connections often to C2 servers.'), 'T1553.004': ('Netfilter.sys a malicious driver for Windows Hardware Quality Labs (WHQL) installs a root certificate to authenticate the C2 server domains that are contained within a simultaneously downloaded code.'), 'T1553.004': ('A common TTP of APT Group DarkSide is to bypass detection on victim machines through installing a root certificate before installing ransomware on the machine.'), 'T1003.007': ('LaZagne can obtain credential information from running Linux processes.'), 'T1003.007': ('MimiPenguin can dump process memory and extract clear-text credentials.'), 'T1003.007': ('APT31 can dump credentials from programs in memory by running /proc as root using stolen credentials.'), 'T1003.007': ('DarkSide an APT group will obtain access to an account using legitimate credentials then gather information about the /proc directory to enumerate user credentials.'), 'T1003.007': ('Care should be taken around how much data /proc gathers as it can expose credentials in memory that cannot be obfuscated there.'), 'T1090.001': ('APT29 configured at least one instance of Cobalt Strike to use a network pipe over SMB during the 2020 SolarWinds intrusion.'), 'T1090.001': ('APT39 used custom tools to create SOCK5 and custom protocol proxies between infected hosts.'), 'T1090.001': ('The ZJ variant of BACKSPACE allows ZJ link infections with 
Internet access to relay traffic from ZJ listen to a command server.'), 'T1090.001': ('CHOPSTICK used a proxy server between victims and the C2 server.'), 'T1090.001': ('Cobalt Strike can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points or provide access to a host without direct internet access.'), 'T1090.001': ('Drovorub can use a port forwarding rule on its agent module to relay network traffic through the client module to a remote host on the same network.'), 'T1090.001': ('Duqu can be configured to have commands relayed over a peer-to-peer network of infected hosts if some of the hosts do not have Internet access.'), 'T1090.001': ('FatDuke can use pipes to connect machines with restricted internet access to remote machines via other infected hosts.'), 'T1090.001': ('Higaisa discovered system proxy settings and used them if available.'), 'T1090.001': ('Hikit supports peer connections.'), 'T1090.001': ('InvisiMole can function as a proxy to create a server that relays communication between the client and C&C server or between two clients.'), 'T1090.001': ('Kazuar has used internal nodes on the compromised network for C2 communications.'), 'T1090.001': ('MiniDuke can use a named pipe to forward communications from one compromised machine with internet access to other compromised machines.'), 'T1090.001': ('Operation Wocao can proxy traffic through multiple infected systems.'), 'T1090.001': ('Pay2Key has designated machines in the compromised network to serve as reverse proxy pivot points to channel communications with C2.'), 'T1090.001': ('Strider has used local servers with both local network and Internet access to act as internal proxy nodes to exfiltrate data from other parts of the network without direct Internet access.'), 'T1090.001': ('UNC2452 configured at least one instance of Cobalt Strike to use a network pipe over SMB during the 2020 SolarWinds intrusion.'), 
'T1090.001': ('APT group SparklingGoblin often deploys SideWalk a backdoor which utilises shellcode containing C2 domains which are communicated with through the use of an internal proxy.'), 'T1090.001': ('Pysa a prolific ransomware group utilises a Chisel tunneling tool named MagicSocks to obfuscate malicious outbound traffic.'), 'T1090.001': ('SOCKS proxy tool Earthworm is a commonly distributed proxy tool that hosts a variety of functionality for communication with outside networks.'), 'T1001.003': ('BADCALL uses a FakeTLS method during C2.'), 'T1001.003': ('Bankshot generates a false TLS handshake using a public certificate to disguise C2 network communications.'), 'T1001.003': ('FakeM C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications such as MSN and Yahoo! messengers. Additionally some variants of FakeM use modified SSL code for communications back to C2 servers making SSL decryption ineffective.'), 'T1001.003': ('FALLCHILL uses fake Transport Layer Security (TLS) to communicate with its C2 server.'), 'T1001.003': ('HARDRAIN uses FakeTLS to communicate with its C2 server.'), 'T1001.003': ('Higaisa used a FakeTLS session for C2 communications.'), 'T1001.003': ('InvisiMole can mimic HTTP protocol with custom HTTP verbs HIDE, ZVVP and NOP.'), 'T1001.003': ('KeyBoy uses custom SSL libraries to impersonate SSL in C2 traffic.'), 'T1001.003': ('Lazarus Group malware also uses a unique form of communication encryption known as FakeTLS that mimics TLS but uses a different encryption method evading SSL man-in-the-middle decryption attacks.'), 'T1001.003': ('Okrum mimics HTTP protocol for C2 communication while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests.'), 'T1001.003': ('SUNBURST masqueraded its network traffic as the Orion Improvement Program (OIP) protocol.'), 'T1001.003': ('TAINTEDSCRIBE has used FakeTLS for session authentication.'), 'T1001.003': ('WellMass malware 
obfuscates its C2 communications through abusing TLS via a hardcoded certificate.'), 'T1001.003': ('APT40 includes API keys for Dropbox in every command when uploading stolen data in an attempt to mask the activity as legitimate.'), 'T1001.003': ('Winnti (APT41) utilises the Crosswalk backdoor which abuses FakeTLS to obfuscate C2 traffic.'), 'T1001.002': ('APT29 has used steganography to hide C2 communications in images.'), 'T1001.002': ('Some malware that has been used by Axiom also uses steganography to hide communication in PNG image files.'), 'T1001.002': ('Daserf can use steganography to hide malicious code downloaded to the victim.'), 'T1001.002': ('When the Duqu command and control is operating over HTTP or HTTPS Duqu uploads data to its controller by appending it to a blank JPG file.'), 'T1001.002': ('HAMMERTOSS is controlled via commands that are appended to image files.'), 'T1001.002': ('LightNeuron is controlled via commands that are embedded into PDFs and JPGs using steganographic methods.'), 'T1001.002': ('RDAT can process steganographic images attached to email messages to send and receive C2 commands. RDAT can also embed additional messages within BMP images to communicate with the RDAT operator.'), 'T1001.002': ('SUNBURST C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob.'), 'T1001.002': ('ZeroT has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography.'), 'T1001.001': ('APT28 added junk data to each encoded string preventing trivial decoding without knowledge of the junk removal algorithm. 
Each implant was given a junk length value when created tracked by the controller software to allow seamless communication but prevent analysis of the command protocol on the wire.'), 'T1001.001': ('BendyBear has used byte randomization to obscure its behavior.'), 'T1001.001': ('Downdelph inserts pseudo-random characters between each original character during encoding of C2 network requests making it difficult to write signatures on them.'), 'T1001.001': ('GoldMax has used decoy traffic to surround its malicious network traffic to avoid detection.'), 'T1001.001': ('P2P ZeuS added junk data to outgoing UDP packets to peer implants.'), 'T1001.001': ('PLEAD samples were found to be highly obfuscated with junk code.'), 'T1001.001': ('SUNBURST added junk bytes to its C2 over HTTP.'), 'T1001.001': ('WellMess can use junk data in the Base64 string for additional obfuscation.'), 'T1001.001': ('Data obfuscation is achieved for the WellMass malware through adding junk to its C2 communications achieved by replacing characters with base64 encoded ones.'), 'T1001.001': ('CISA notes that using junk data to obfuscate Command and Control activities is a favourite technique of APT groups which target America.'), 'T1001.001': ('With the aim to make analysis of their code more difficult and time consuming the developers of Cerberus jumble their code to hide its functionality.'), 'T1132.002': ('Newer variants of BACKSPACE will encode C2 communications with a custom system.'), 'T1132.002': ('Bankshot encodes commands from the control server using a range of characters and gzip.'), 'T1132.002': ('InvisiMole can use a modified base32 encoding to encode data within the subdomain of C2 requests.'), 'T1132.002': ('OceanSalt can encode data with a NOT operation before sending the data to the control server.'), 'T1132.002': ('RDAT can communicate with the C2 via subdomains that utilize base64 with character substitutions.'), 'T1132.002': ('ShadowPad has encoded data as readable Latin characters.'), 
'T1132.001': ('C2 traffic from ADVSTORESHELL is encrypted then encoded with Base64 encoding.'), 'T1132.001': ('An APT19 HTTP malware variant used Base64 to encode communications to the C2 server.'), 'T1132.001': ('APT33 has used base64 to encode command and control traffic.'), 'T1132.001': ('Astaroth encodes data using Base64 before sending it to the C2 server.'), 'T1132.001': ('AutoIt backdoor has sent a C2 response that was base64-encoded.'), 'T1132.001': ('BabyShark has encoded data using certutil before exfiltration.'), 'T1132.001': ('Some Backdoor.Oldrea samples use standard Base64 + bzip2 and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers.'), 'T1132.001': ('BADNEWS encodes C2 traffic with base64.'), 'T1132.001': ('BLINDINGCAN has encoded its C2 traffic with Base64.'), 'T1132.001': ('Several BRONZE BUTLER tools encode data with base64 when posting it to a C2 server.'), 'T1132.001': ('BS2005 uses Base64 encoding for communication in the message body of an HTTP request.'), 'T1132.001': ('Carbanak encodes the message body of HTTP traffic with Base64.'), 'T1132.001': ('ChChes can encode C2 data with a custom technique that utilizes Base64.'), 'T1132.001': ('Cobian RAT obfuscates communications with the C2 server using Base64 encoding.'), 'T1132.001': ('CORESHELL C2 messages are Base64-encoded.'), 'T1132.001': ('Daserf uses custom base64 encoding to obfuscate HTTP traffic.'), 'T1132.001': ('Denis encodes the data sent to the server in Base64.'), 'T1132.001': ('Dipsind encodes C2 traffic with base64.'), 'T1132.001': ('down_new has the ability to base64 encode C2 communications.'), 'T1132.001': ('Ebury has encoded C2 traffic in hexadecimal format.'), 'T1132.001': ('Elise exfiltrates data using cookie values that are Base64-encoded.'), 'T1132.001': ('Some Felismus samples use a custom method for C2 traffic that utilizes Base64.'), 'T1132.001': ('Fysbis can use Base64 to encode its C2 traffic.'), 'T1132.001': ('gh0st 
RAT has used Zlib to compress C2 communications data before encrypting it.'), 'T1132.001': ('HAFNIUM has used ASCII encoding for C2 traffic.'), 'T1132.001': ('For C2 over HTTP Helminth encodes data with base64 and sends it via the Cookie field of HTTP requests. For C2 over DNS Helminth converts ASCII characters into their hexadecimal values and sends the data in cleartext.'), 'T1132.001': ('HOPLIGHT has utilized Zlib compression to obfuscate the communications payload.'), 'T1132.001': ('Ixeshe uses custom Base64 encoding schemes to obfuscate command and control traffic in the message body of HTTP requests.'), 'T1132.001': ('A JHUHUGIT variant encodes C2 POST data base64.'), 'T1132.001': ('Kazuar encodes communications to the C2 server in Base64.'), 'T1132.001': ('Kessel has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries.'), 'T1132.001': ('KONNI has used a custom base64 key to encode stolen data before exfiltration.'), 'T1132.001': ('A Lazarus Group malware sample encodes data with base64.'), 'T1132.001': ('Machete has used base64 encoding.'), 'T1132.001': ('MechaFlounder has the ability to use base16 encoded strings in C2.'), 'T1132.001': ('Mis-Type uses Base64 encoding for C2 traffic.'), 'T1132.001': ('Misdat network traffic is Base64-encoded plaintext.'), 'T1132.001': ('More_eggs has used basE91 encoding along with encryption for C2 communication.'), 'T1132.001': ('MuddyWater has used tools to encode C2 communications including Base64 encoding.'), 'T1132.001': ('njRAT uses Base64 encoding for C2 traffic.'), 'T1132.001': ('Octopus encodes C2 communications in Base64.'), 'T1132.001': ('Okrum has used base64 to encode C2 communication.'), 'T1132.001': ('OopsIE encodes data in hexadecimal format over the C2 channel.'), 'T1132.001': ('Patchwork used Base64 to encode C2 traffic.'), 'T1132.001': ('Responses from the Pisloader C2 server are base32-encoded.'), 'T1132.001': ('PowerShower has the ability to encode C2 communications with base64 
encoding.'), 'T1132.001': ('POWERSTATS encoded C2 traffic with base64.'), 'T1132.001': ('POWRUNER can use base64 encoded C2 communications.'), 'T1132.001': ('Prikormka encodes C2 traffic with Base64.'), 'T1132.001': ('QUADAGENT encodes C2 communications with base64.'), 'T1132.001': ('Ramsay has used base64 to encode its C2 traffic.'), 'T1132.001': ('RDAT can communicate with the C2 via base32-encoded subdomains.'), 'T1132.001': ('Revenge RAT uses Base64 to encode information sent to the C2 server.'), 'T1132.001': ('RogueRobin base64 encodes strings that are sent to the C2 over its DNS tunnel.'), 'T1132.001': ('S-Type uses Base64 encoding for C2 traffic.'), 'T1132.001': ('Sandworm Team BCS-server tool uses base64 encoding and HTML tags for the communication traffic between the C2 server.'), 'T1132.001': ('SeaDuke C2 traffic is base64-encoded.'), 'T1132.001': ('Spark has encoded communications with the C2 server with base64.'), 'T1132.001': ('SpeakUp encodes C&C communication using Base64.'), 'T1132.001': ('SUNBURST used Base64 encoding in its C2 traffic.'), 'T1132.001': 'TA551 has used encoded ASCII text for initial C2 communications.'), 'T1132.001': 'TrickBot can Base64-encode C2 commands.'), 'T1132.001': 'Tropic Trooper has used base64 encoding to hide command strings delivered from the C2.'), 'T1132.001': ('Valak has returned C2 data as encoded ASCII.'), 'T1132.001': ('WellMess has used Base64 encoding to uniquely identify communication to and from the C2.'), 'T1132.001': ('Zebrocy has used URL Percent Encoding on data exfiltrated via HTTP POST requests.'), 'T1069.002': ('AdFind can enumerate domain groups.'), 'T1069.002': ('BloodHound can collect information about domain groups and members.'), 'T1069.002': ('CrackMapExec can gather the user accounts within domain groups.'), 'T1069.002': ('Dragonfly 2.0 used batch scripts to enumerate administrators and users in the domain.'), 'T1069.002': ('dsquery can be used to gather information on permission groups within a 
domain.'), 'T1069.002': ('Egregor can conduct Active Directory reconnaissance using tools such as Sharphound or AdFind.'), 'T1069.002': ('GRIFFON has used a reconnaissance module that can be used to retrieve Windows domain membership information.'), 'T1069.002': ('Helminth has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands net group Exchange Trusted Subsystem domain and net group domain admins domain.'), 'T1069.002': ('Inception has used specific malware modules to gather domain membership.'), 'T1069.002': ('Ke3chang performs discovery of permission groups net group domain.'), 'T1069.002': ('Kwampirs collects a list of domain groups with the command net localgroup domain.'), 'T1069.002': ('Commands such as net group domain can be used in Net to gather information about and manipulate groups.'), 'T1069.002': ('OilRig has used net group domain net groupdomain admins domain and net groupExchange Trusted Subsystem domain to find domain group permission settings.'), 'T1069.002': ('OSInfo specifically looks for Domain Admins and power users within the domain.'), 'T1069.002': ('POWRUNER may collect domain group information by running net group domain or a series of other commands on a victim.'), 'T1069.002': ('REvil can identify the domain membership of a compromised host.'), 'T1069.002': ('SoreFang can enumerate domain groups by executing net.exe group domain.'), 'T1069.002': 'Turla has used net group Domain Admins domain to identify domain administrators.'), 'T1069.002': ('WellMess can identify domain group membership for the current user.'), 'T1204.002': ('admin@338 has attempted to get victims to launch malicious Microsoft Word attachments delivered via spearphishing emails.'), 'T1204.002': ('Agent Tesla has been executed through malicious e-mail attachments'), 'T1204.002': ('Ajax Security Team has lured victims into executing malicious files.'), 'T1204.002': ('AppleJeus has required user execution of a malicious MSI 
installer.'), 'T1204.002': ('APT-C-36 has prompted victims to accept macros in order to execute the subsequent payload.'), 'T1204.002': ('A'),P'T12 has a': ('empted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing.'), 'T1204.002': ('A'),P'T19 attem': ('ed to get users to launch malicious attachments delivered via spearphishing emails.'), 'T1204.002': ('APT28 attempted to get users to click on Microsoft Office attachments containing malicious macro scripts.'), 'T1204.002': ('APT29 has used various forms of spearphishing attempting to get a user to open attachments including but not limited to malicious Microsoft Word documents .pdf and .lnk files.'), 'T1204.002': ('APT30 has relied on users to execute malicious file attachments delivered via spearphishing emails.'), 'T1204.002': ('APT32 has attempted to lure users to execute a malicious dropper delivered via a spearphishing attachment.'), 'T1204.002': ('APT33 has used malicious e-mail attachments to lure victims into executing malware.'), 'T1204.002': ('APT37 has sent spearphishing attachments attempting to get a user to open them.'), 'T1204.002': ('APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious attachment.'), 'T1204.002': ('Astaroth has used malicious files including VBS LNK and HTML for execution.'), 'T1204.002': ('BlackTech has used e-mails with malicious documents to lure victims into installing malware.'), 'T1204.002': ('BLINDINGCAN has lured victims into executing malicious macros embedded within Microsoft Office documents.'), 'T1204.002': ('BRONZE BUTLER has attempted to get users to launch malicious Microsoft Word attachments delivered via spearphishing emails.'), 'T1204.002': ('Bundlore has attempted to get users to execute a malicious .app file that looks like a Flash Player update.'), 'T1204.002': ('Cardinal RAT lures victims into executing malicious macros embedded within Microsoft Excel documents.'), 'T1204.002': 
('CARROTBALL has been executed through users being lured into opening malicious e-mail attachments.'),
'T1204.002': ('Cobalt Group has sent emails containing malicious attachments that require users to execute a file or macro to infect the victim machine.'),
'T1204.002': ('CSPY Downloader has been delivered via malicious documents with embedded macros.'),
'T1204.002': ('Dark Caracal makes their malware look like Flash Player, Office, or PDF documents in order to entice a user to click on it.'),
'T1204.002': ('Darkhotel has sent spearphishing emails in an attempt to lure users into clicking on malicious attachments.'),
'T1204.002': ('DarkHydrus has sent malware that required users to hit the enable button in Microsoft Excel to allow an .iqy file to be downloaded.'),
'T1204.002': ('Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open attachments.'),
'T1204.002': ('Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open attachments.'),
'T1204.002': ('Emotet has relied upon users clicking on a malicious attachment delivered through spearphishing.'),
'T1204.002': ('FIN4 has lured victims to launch malicious attachments delivered via spearphishing emails (often sent from compromised accounts).'),
'T1204.002': ('FIN6 has used malicious documents to lure victims into allowing execution of PowerShell scripts.'),
'T1204.002': ('FIN7 lured victims to double-click on images in the attachments they sent, which would then execute the hidden LNK file.'),
'T1204.002': ('FIN8 has leveraged Spearphishing Attachments attempting to gain User Execution.'),
'T1204.002': ('Frankenstein has used trojanized Microsoft Word documents sent via email which prompted the victim to enable macros.'),
'T1204.002': ('Gallmaker sent victims a lure document with a warning that asked victims to enable content for execution.'),
'T1204.002': ('Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.'),
'T1204.002': ('Gorgon Group attempted to get users to launch malicious Microsoft Office attachments delivered via spearphishing emails.'),
'T1204.002': ('Grandoreiro has infected victims via malicious attachments.'),
'T1204.002': ('The GuLoader executable has been retrieved via embedded macros in malicious Word documents.'),
'T1204.002': ('Hancitor has used malicious Microsoft Word documents sent via email which prompted the victim to enable macros.'),
'T1204.002': ('Higaisa used malicious e-mail attachments to lure victims into executing LNK files.'),
'T1204.002': ('IcedID has been executed through Word documents with malicious embedded macros.'),
'T1204.002': ('Inception lured victims into clicking malicious files for machine reconnaissance and to execute malware.'),
'T1204.002': ('InvisiMole can deliver trojanized versions of software and documents, relying on user execution.'),
'T1204.002': ('Javali has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript.'),
'T1204.002': ('JCry has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer.'),
'T1204.002': ('Kerrdown has gained execution through victims opening malicious files.'),
'T1204.002': ('KGH_SPY has been spread through Word documents containing malicious macros.'),
'T1204.002': ('Kimsuky has attempted to lure victims into opening malicious e-mail attachments.'),
'T1204.002': ('Lazarus Group has attempted to get users to launch a malicious Microsoft Word attachment delivered via a spearphishing email.'),
'T1204.002': ('Leviathan has sent spearphishing attachments attempting to get a user to click.'),
'T1204.002': ('Lokibot has been executed through malicious documents contained in spearphishing e-mails.'),
'T1204.002': ('Machete has relied on users opening malicious attachments delivered through spearphishing to execute malware.'),
'T1204.002': ('menuPass has attempted to get victims to open malicious files such as Windows Shortcuts (.lnk) and/or Microsoft Office documents sent via email as part of spearphishing campaigns.'),
'T1204.002': ('Metamorfo requires the user to double-click the executable to run the malicious HTA file.'),
'T1204.002': ('Mofang malicious spearphishing attachments required a user to open the file after receiving it.'),
'T1204.002': ('Molerats has sent malicious files via email that tricked users into clicking Enable Content to run an embedded macro and to download malicious archives.'),
'T1204.002': ('MuddyWater has attempted to get users to enable macros and launch malicious Microsoft Word documents delivered via spearphishing emails.'),
'T1204.002': ('Mustang Panda has sent malicious files requiring direct victim interaction to execute.'),
'T1204.002': ('Naikon has convinced victims to open malicious attachments to execute malware.'),
'T1204.002': ('NETWIRE has been executed through luring victims into opening malicious documents.'),
'T1204.002': ('OilRig has delivered macro-enabled documents that required targets to click the enable content button to execute the payload on the system.'),
'T1204.002': ('OSX Shlayer relies on users mounting and executing a malicious DMG file.'),
'T1204.002': ('Patchwork embedded a malicious macro in a Word document and lured the victim to click on an icon to execute the malware.'),
'T1204.002': ('PLATINUM has attempted to get users to open malicious files by sending spearphishing emails with attachments to victims.'),
'T1204.002': ('PLEAD has been executed via malicious e-mail attachments.'),
'T1204.002': ('PoetRAT has used spearphishing attachments to infect victims.'),
'T1204.002': ('Pony has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or document (PDF or other MS Office format).'),
'T1204.002': ('PROMETHIUM has attempted to get users to execute compromised installation files for legitimate software, including compression applications, security software, browsers, file recovery applications, and other tools and utilities.'),
'T1204.002': ('Ramsay has been executed through malicious e-mail attachments.'),
'T1204.002': ('Rancor attempted to get users to click on an embedded macro within a Microsoft Office Excel document to launch their malware.'),
'T1204.002': ('REvil has been executed via malicious MS Word e-mail attachments.'),
'T1204.002': ('Rifdoor has been executed from malicious Excel or Word documents containing macros.'),
'T1204.002': ('RTM has attempted to lure victims into opening e-mail attachments to execute malicious code.'),
'T1204.002': ('RTM has relied on users opening malicious email attachments, decompressing the attached archive, and double-clicking the executable within.'),
'T1204.002': ('Sandworm Team has tricked unwitting recipients into clicking on spearphishing attachments and enabling malicious macros embedded within files.'),
'T1204.002': ('Sharpshooter has sent malicious DOC and PDF files to targets so that they can be opened by a user.'),
'T1204.002': ('Sidewinder has lured targets to click on malicious files to gain execution in the target environment.'),
'T1204.002': ('Silence attempts to get users to launch malicious attachments delivered via spearphishing emails.'),
'T1204.002': ('SQLRat relies on users clicking on an embedded image to execute the scripts.'),
'T1204.002': ('StrongPity has been executed via compromised installation files for legitimate software, including compression applications, security software, browsers, file recovery applications, and other tools and utilities.'),
'T1204.002': ('SYSCON has been executed by luring victims to open malicious e-mail attachments.'),
'T1204.002': ('TA459 has attempted to get victims to open malicious Microsoft Word attachments sent via spearphishing.'),
'T1204.002': ('TA505 has used lures to get users to enable content in malicious attachments and execute malicious files contained in archives. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf, and/or .lnk files.'),
'T1204.002': ('TA551 has prompted users to enable macros within spearphishing attachments to install malware.'),
'T1204.002': ('The White Company has used phishing lure documents that trick users into opening them and infecting their computers.'),
'T1204.002': ('TrickBot has attempted to get users to launch malicious documents to deliver its payload.'),
'T1204.002': ('Tropic Trooper has lured victims into executing malware via malicious e-mail attachments.'),
'T1204.002': ('A Word document delivering TYPEFRAME prompts the user to enable macro execution.'),
'T1204.002': ('Valak has been executed via Microsoft Word documents containing malicious macros.'),
'T1204.002': ('Whitefly has used malicious .exe or .dll files disguised as documents or images.'),
'T1204.002': ('Windshift has used e-mail attachments to lure victims into executing malicious code.'),
'T1204.002': ('Wizard Spider has lured victims to execute malware with spearphishing attachments containing macros to download either Emotet, Bokbot, or TrickBot.'),
'T1204.001': ('AppleJeus spearphishing links required user interaction to navigate to the malicious website.'),
'T1204.001': ('APT28 has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.'),
'T1204.001': ('APT29 has used various forms of spearphishing attempting to get a user to click on a malicious link.'),
'T1204.001': ('APT32 has lured targets to download a Cobalt Strike beacon by including a malicious link within spearphishing emails.'),
'T1204.001': ('APT33 has lured users to click links to malicious HTML applications delivered via spearphishing emails.'),
'T1204.001': ('APT39 has sent spearphishing emails in an attempt to lure users to click on a malicious link.'),
'T1204.001': ('BackConfig has compromised victims via links to URLs hosting malicious content.'),
'T1204.001': 
('Bazar can gain execution via malicious links to decoy landing pages hosted on Google Docs.'),
'T1204.001': ('BlackTech has used e-mails with malicious links to lure victims into installing malware.'),
'T1204.001': ('Cobalt Group has sent emails containing malicious links that require users to execute a file or macro to infect the victim machine.'),
'T1204.001': ('Dragonfly 2.0 has used various forms of spearphishing in attempts to get users to open links.'),
'T1204.001': ('Elderwood has leveraged multiple types of spearphishing in order to attempt to get a user to open links.'),
'T1204.001': ('Emotet has relied upon users clicking on a malicious link delivered through spearphishing.'),
'T1204.001': ('Evilnum has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which download a .LNK file.'),
'T1204.001': ('FIN4 has lured victims to click malicious links delivered via spearphishing emails (often sent from compromised accounts).'),
'T1204.001': ('FIN8 has leveraged Spearphishing Links attempting to gain User Execution.'),
'T1204.001': ('Grandoreiro has used malicious links to gain execution on victim machines.'),
'T1204.001': ('GuLoader has relied upon users clicking on links to malicious documents.'),
'T1204.001': ('Hancitor has relied upon users clicking on a malicious link delivered through phishing.'),
'T1204.001': ('Javali has achieved execution through victims clicking links to malicious websites.'),
'T1204.001': ('Kerrdown has gained execution through victims opening malicious links.'),
'T1204.001': ('Leviathan has sent spearphishing email links attempting to get a user to click.'),
'T1204.001': ('Machete has relied on users opening malicious links delivered through spearphishing to execute malware.'),
'T1204.001': ('Melcoz has gained execution through victims opening malicious links.'),
'T1204.001': ('Mofang spearphishing emails required a user to click the link to connect to a compromised website.'),
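The T1204.002 and T1204.001 entries above describe the same handful of lures over and over: macro-enabled Office documents (Cardinal RAT, Hancitor, TA551), Windows shortcuts hidden behind an image or document name (FIN7, Higaisa, menuPass), and executables dressed up as documents or Flash installers (Whitefly, Dark Caracal, Bundlore). The following is an added example, not code from the page or from any of the groups it lists: a mail-gateway style triage routine that opens a message, pulls each attachment, and checks the declared file name against the bytes actually inside it (content magic, OOXML `vbaProject.bin`, a legacy OLE `Macros` storage, double extensions, directly executable types). The message, its attachments, the extension tables and the OLE macro heuristic are all constructed assumptions for the example.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Leading bytes that identify what a file really is, whatever it is called.
MAGIC = {
    b"MZ": "pe",                                      # Windows executable or DLL
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",       # legacy .doc/.xls container
    b"PK\x03\x04": "zip",                             # OOXML documents and archives
    b"%PDF": "pdf",
    b"L\x00\x00\x00\x01\x14\x02\x00": "lnk",          # Windows shortcut header + CLSID
}
# Assumed policy tables for the example: what content each extension should hold,
# which extensions run code directly, and which ones are used as decoy names.
EXPECTED = {".pdf": {"pdf"}, ".doc": {"ole"}, ".xls": {"ole"}, ".docx": {"zip"},
            ".docm": {"zip"}, ".xlsm": {"zip"}, ".zip": {"zip"}, ".lnk": {"lnk"}, ".exe": {"pe"}}
EXECUTABLE_EXTS = {".exe", ".dll", ".scr", ".lnk", ".hta", ".js", ".vbs", ".iqy",
                   ".msi", ".iso", ".img", ".app", ".cmd", ".bat", ".ps1"}
DECOY_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt"}


def identify(data):
    """Classify a blob by its magic bytes; 'unknown' when none match."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    return "unknown"


def has_vba_macro(data):
    """OOXML keeps macros in vbaProject.bin; legacy OLE files keep them under a
    'Macros' storage whose directory entry name is UTF-16LE (heuristic)."""
    kind = identify(data)
    if kind == "zip":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return any(n.lower().endswith("vbaproject.bin") for n in zf.namelist())
        except zipfile.BadZipFile:
            return False
    if kind == "ole":
        return "Macros".encode("utf-16-le") in data
    return False


def triage_attachment(filename, data):
    """Return a list of findings for one attachment (empty list means nothing suspicious)."""
    findings = []
    parts = filename.lower().split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    kind = identify(data)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        findings.append(f"content/extension mismatch: {ext} declared, {kind} content")
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTS:      # e.g. photo.jpg.lnk
        findings.append("double extension hides real type")
    if ext in EXECUTABLE_EXTS:
        findings.append(f"directly executable attachment type {ext}")
    if has_vba_macro(data):
        findings.append("document carries a VBA macro project")
    return findings


def triage_message(raw):
    """Parse a raw RFC 5322 message and triage every attachment by file name."""
    msg = message_from_bytes(raw, policy=policy.default)
    return {(part.get_filename() or "<unnamed>"): triage_attachment(part.get_filename() or "", part.get_payload(decode=True))
            for part in msg.iter_attachments()}


def _macro_docx():
    """Constructed minimal OOXML container with an (empty) VBA project."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        zf.writestr("word/vbaProject.bin", b"\xd0\xcf\x11\xe0" + b"\x00" * 28)
    return buf.getvalue()


def build_sample_eml():
    """Constructed sample message: an executable named as a PDF, a macro document,
    a shortcut with a double extension, and one benign PDF."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "hr@example.test", "user@example.test", "Updated invoice"
    msg.set_content("Please review the attached documents.")
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application", subtype="pdf", filename="invoice.pdf")
    msg.add_attachment(_macro_docx(), maintype="application",
                       subtype="vnd.ms-word.document.macroEnabled.12", filename="report.docm")
    lnk_header = b"L\x00\x00\x00\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46"
    msg.add_attachment(lnk_header + b"\x00" * 40, maintype="application", subtype="octet-stream", filename="photo.jpg.lnk")
    msg.add_attachment(b"%PDF-1.7\n%\xe2\xe3\xcf\xd3\n", maintype="application", subtype="pdf", filename="summary.pdf")
    return msg.as_bytes()


if __name__ == "__main__":
    for name, findings in triage_message(build_sample_eml()).items():
        print(f"{name}: {findings or 'clean'}")
```

The check that matters most in practice is the first one: the sender controls the file name and the MIME type, but not the magic bytes, so a mismatch between the declared extension and the identified content is a far stronger signal than the extension alone.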
'T1204.001': ('Molerats has sent malicious links via email to trick users into opening a RAR archive and running an executable.'),
'T1204.001': ('MuddyWater has distributed URLs in phishing e-mails that link to lure documents.'),
'T1204.001': ('Mustang Panda has sent malicious links directing victims to a Google Drive folder.'),
'T1204.001': ('NETWIRE has been executed through convincing victims into clicking malicious links.'),
'T1204.001': ('Night Dragon enticed users to click on links in spearphishing emails to download malware.'),
'T1204.001': ('OilRig has delivered malicious links to achieve execution on the target system.'),
'T1204.001': ('Patchwork has used spearphishing with links to try to get users to click, download, and open malicious files.'),
'T1204.001': ('PLEAD has been executed via malicious links in e-mails.'),
'T1204.001': ('Pony has attempted to lure targets into clicking links in spoofed emails from legitimate banks.'),
'T1204.001': ('Sandworm Team has tricked unwitting recipients into clicking on malicious hyperlinks within emails crafted to resemble trustworthy senders.'),
'T1204.001': ('Sidewinder has lured targets to click on malicious links to gain execution in the target environment.'),
'T1204.001': ('TA505 has used lures to get users to click links in emails and attachments. For example, TA505 makes their malware look like legitimate Microsoft Word documents, .pdf, and/or .lnk files.'),
'T1204.001': ('TSCookie has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan.'),
'T1204.001': ('Turla has used spearphishing via a link to get users to download and run their malware.'),
'T1204.001': ('Windshift has used links embedded in e-mails to lure victims into executing malicious code.'),
'T1204.001': ('Wizard Spider has lured victims into clicking a malicious link delivered through spearphishing.'),
'T1204.001': ('ZIRCONIUM has used malicious links in e-mails to lure victims into downloading malware.'),
'T1195.002': ('APT29 gained initial network access to some victims via a trojanized update of SolarWinds Orion software.'),
'T1195.002': ('APT41 gained access to production environments where they could inject malicious code into legitimate, signed files and widely distribute them to end users.'),
'T1195.002': ('CCBkdr was added to a legitimate, signed version 5.33 of the CCleaner software and distributed on the CCleaner distribution site.'),
'T1195.002': ('Cobalt Group has compromised legitimate web browser updates to deliver a backdoor.'),
'T1195.002': ('Dragonfly has placed trojanized installers on legitimate vendor app stores.'),
'T1195.002': ('GOLD SOUTHFIELD has distributed ransomware by backdooring software installers via a strategic web compromise of the site hosting Italian WinRAR.'),
'T1195.002': ('GoldenSpy has been packaged with a legitimate tax preparation software.'),
'T1195.002': ('Sandworm Team has distributed NotPetya by compromising the legitimate Ukrainian accounting software M.E.Doc and replacing a legitimate software update with a malicious one.'),
'T1195.002': ('SUNSPOT malware was designed and used to insert SUNBURST into software builds of the SolarWinds Orion IT management product.'),
'T1195.002': ('UNC2452 gained initial network access via a trojanized update of SolarWinds Orion software.'),
'T1195.001': ('APT10 (HOGFISH) will commonly compromise the software dependencies of a company with the aim of gaining access to that company's infrastructure and its customers.'),
'T1195.001': ('Supply chain compromise was common with COVID-19 domains, as over 5000 domains were registered within a few months, many aiming to deliver malware.'),
'T1195.001': ('Rowhammer attacks compromise RAM, leading to the potential compromise of systems that use RAM from manufacturers that are vulnerable to such attacks.'),
'T1195.001': ('A JavaScript skimmer named Pipka can skim the credentials of customers of over 27 e-commerce sites.'),
'T1195.001': ('APT41 will use supply chain compromise attacks for initial access.'),
'T1565.002': ('APT38 has used DYEPACK to manipulate SWIFT messages en route to a printer.'),
'T1565.002': ('LightNeuron is capable of modifying email content, headers, and attachments during transit.'),
'T1565.002': ('Melcoz can monitor the clipboard for cryptocurrency addresses and change the intended address to one controlled by the adversary.'),
'T1565.002': ('Metamorfo has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker address.'),
'T1565.002': ('Ransomware such as Babuk will modify the data within transmissions between their C2 servers and the compromised host to hide their malicious activity.'),
'T1565.001': ('APT38 has used DYEPACK to create, delete, and alter records in databases used for SWIFT transactions.'),
'T1565.001': ('FIN4 has created rules in victims\' Microsoft Outlook accounts to automatically delete emails containing words such as "hacked", "phish", and "malware" in a likely attempt to prevent organizations from communicating about their activities.'),
'T1565.001': ('SUNSPOT created a copy of the SolarWinds Orion software source file with a .bk extension to back up the original content, wrote SUNBURST using the same filename but with a .tmp extension, and then moved SUNBURST using MoveFileEx to the original filename with a .cs extension so it could be compiled within Orion software.'),
'T1565.001': ('XMRLocker will delete log files to obfuscate malicious activity.'),
'T1565.001': ('REvil will compromise end users and modify data stored on machines to hide their presence before delivery of an encryption payload.'),
'T1021.001': ('The APT1 group is known to have used RDP during operations.'),
'T1021.001': ('APT3 enables the Remote Desktop Protocol for persistence. APT3 has also interacted with compromised systems to browse and copy files through RDP sessions.'),
'T1021.001': ('APT39 has been seen using RDP for lateral movement and persistence, in some cases employing the rdpwinst tool for management of multiple sessions.'),
'T1021.001': ('APT41 used RDP for lateral movement.'),
'T1021.001': ('The Axiom group is known to have used RDP during operations.'),
'T1021.001': ('Blue Mockingbird has used Remote Desktop to log on to servers interactively and manually copy files to remote hosts.'),
'T1021.001': ('Carbanak enables concurrent Remote Desktop Protocol (RDP) sessions.'),
'T1021.001': ('Chimera has used RDP to access targeted systems.'),
'T1021.001': ('Cobalt Group has used Remote Desktop Protocol to conduct lateral movement.'),
'T1021.001': ('Cobalt Strike can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel.'),
'T1021.001': ('DarkComet can open an active screen of the victim machine and take control of the mouse and keyboard.'),
'T1021.001': ('Dragonfly 2.0 moved laterally via RDP.'),
'T1021.001': ('FIN10 has used RDP to move laterally to systems in the victim environment.'),
'T1021.001': ('FIN6 used RDP to move laterally in victim networks.'),
'T1021.001': ('FIN8 has used RDP for Lateral Movement.'),
'T1021.001': ('Fox Kitten has used RDP to log in and move laterally in the target environment.'),
'T1021.001': 
('Imminent Monitor has a module for performing remote desktop access.'), 'T1021.001': ('jRAT can support RDP control.'), 'T1021.001': ('Koadic can enable remote desktop on the victim machine.'), 'T1021.001': ('Lazarus Group malware SierraCharlie uses RDP for propagation.'), 'T1021.001': ('Leviathan has targeted RDP credentials and used it to move through the victim environment.'), 'T1021.001': ('menuPass has used RDP connections to move across the victim network.'), 'T1021.001': ('njRAT has a module for performing remote desktop access.'), 'T1021.001': ('OilRig has used Remote Desktop Protocol for lateral movement. The group has also used tunneling tools to tunnel RDP into the environment.'), 'T1021.001': ('Patchwork attempted to use RDP to move laterally.'), 'T1021.001': ('Pupy can enable disable RDP connection and can start a remote desktop session using a browser web socket client.'), 'T1021.001': ('Pysa has laterally moved using RDP connections.'), 'T1021.001': ('QuasarRAT has a module for performing remote desktop access.'), 'T1021.001': ('Revenge RAT has a plugin to perform RDP access.'), 'T1021.001': ('SDBbot has the ability to use RDP to connect to victim machines.'), 'T1021.001': ('ServHelper has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel.'), 'T1021.001': ('Silence has used RDP for lateral movement.'), 'T1021.001': ('Stolen Pencil utilized RDP for direct remote point-and-click access.'), 'T1021.001': 'TEMP.Veles utilized RDP throughout an operation.'), 'T1021.001': ('Wizard Spider has used RDP for lateral movement.'), 'T1021.001': ('zwShell has used RDP for lateral movement.'), 'T1021.001': ('ZxShell has remote desktop functionality.'), 'T1134.003': ('Cobalt Strike can make tokens from known credentials.'), 'T1134.003': ('RC2CL backdoor can modify access tokens to escalate privilege to the privileges of a process to the ones associated with the new token.'), 'T1134.003': 'Through creating 
a new login session and setting the token to another thread LazyCat can escalate privileges.'), 'T1134.003': 'The SetThreadToken command ifsoften used by malware to impersonate legitimate threads or processes '), 'T1134.003': 'The creation of duplicate tokens allows for adversaries to escalate their privileges.'), 'T1555.002': ('Keydnap uses the keychaindump project to read securityd memory.'), 'T1555.002': ('Malware such as Mimikatz can elevate themselves to root privileges and then read Securityd memory to harvest plaintext passwords.'), 'T1555.002': ('A'),P'T15 a c':h('nese based threat actor acquire password through reading Securityd memory.'), 'T1555.002': ('REvil utilizes many methods of credential harvesting including reading plaintext passwords from a root account.'), 'T1555.002': ('Qakbot can read passwords from Securityd memory.'), 'T1555.001': ('Calisto collects Keychain storage data and copies those passwords tokens to a file.'), 'T1555.001': ('iKitten collects the keychains on the system.'), 'T1555.001': ('LaZagne can obtain credentials from macOS Keychains.'), 'T1555.001': ('Proton gathers credentials in files for keychains.'), 'T1555.001': ('Matiex keylogger can harvest passwords from keychains.'), 'T1036.001': ('APT37 has signed its malware with an invalid digital certificates listed asTencent Technology (Shenzhen) Company Limited.'), 'T1036.001': ('BADNEWS is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate.'), 'T1036.001': 'The NETWIRE client has been signed by fake and invalid digital certificates.'), 'T1036.001': ('Regin stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading as originating from Microsoft Corporation and Broadcom Corporation.'), 'T1036.001': ('Windshift has used revoked certificates to sign malware.'), 'T1036.001': ('WindTail has been incompletely signed with revoked certificates.'), 'T1553.002': ('Anchor has been signed 
with valid certificates to evade detection by security tools.'), 'T1553.002': ('AppleJeus has used a valid digital signature from Sectigo to appear legitimate.'), 'T1553.002': ('APT29 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.'), 'T1553.002': ('APT41 leveraged code-signing certificates to sign malware when targeting both gaming and non-gaming organizations.'), 'T1553.002': ('BackConfig has been signed with self signed digital certificates mimicking a legitimate software company.'), 'T1553.002': ('Bazar has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD.'), 'T1553.002': ('BLINDINGCAN has been signed with code-signing certificates such as CodeRipper.'), 'T1553.002': ('BOOSTWRITE has been signed by a valid CA.'), 'T1553.002': ('ChChes samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked.'), 'T1553.002': ('Cobalt Strike can use self signed Java applets to execute signed applet attacks.'), 'T1553.002': ('CopyKittens digitally signed an executable with a stolen certificate from legitimate company AI Squared.'), 'T1553.002': ('CSPY Downloader has come signed with revoked certificates.'), 'T1553.002': ('Darkhotel has used code-signing certificates on its malware that are either forged due to weak keys or stolen. 
Darkhotel has also stolen certificates and signed backdoors and downloaders with them.'), 'T1553.002': ('Some Daserf samples were signed with a stolen digital certificate.'), 'T1553.002': ('Ebury has installed a self-signed RPM package mimicking the original system package on RPM based systems.'), 'T1553.002': 'Turla has used valid digital certificates from Sysprint AG to sign its Epic dropper.'), 'T1553.002': ('FIN6 has used Comodo code-signing certificates.'), 'T1553.002': ('FIN7 has signed Carbanak payloads with legally purchased code signing certificates. FIN7 has also digitally signed their phishing documents backdoors and other staging tools to bypass security controls.'), 'T1553.002': ('GALLIUM has used stolen certificates to sign its tools including those from Whizzimo LLC.'), 'T1553.002': ('Gazer versions are signed with various valid certificates; one was likely faked and issued by Comodo for Solid Loop Ltd and another was issued for Ultimate Computer Support Ltd.'), 'T1553.002': ('GreyEnergy digitally signs the malware with a code-signing certificate.'), 'T1553.002': ('Helminth samples have been signed with legitimate compromised code signing certificates owned by software company AI Squared.'), 'T1553.002': ('Honeybee uses a dropper called MaoCheng that harvests a stolen digital signature from Adobe Systems.'), 'T1553.002': ('Janicab used a valid AppleDeveloperID to sign the code to get past security restrictions.'), 'T1553.002': ('Kimsuky has signed files with the name EGIS CO.
Ltd.'), 'T1553.002': ('Leviathan has used stolen code signing certificates to sign malware.'), 'T1553.002': ('LockerGoga has been signed with stolen certificates in order to make it look more legitimate.'), 'T1553.002': ('Metamorfo has digitally signed executables using AVAST Software certificates.'), 'T1553.002': ('Molerats has used forged Microsoft code-signing certificates on malware.'), 'T1553.002': ('More_eggs has used a signed binary shellcode loader and a signed Dynamic Link Library (DLL) to create a reverse shell.'), 'T1553.002': ('Nerex drops a signed Microsoft DLL to disk.'), 'T1553.002': ('Patchwork has signed malware with self-signed certificates from fictitious and spoofed legitimate software companies.'), 'T1553.002': ('PipeMon its installer and tools are signed with stolen code-signing certificates.'), 'T1553.002': ('PROMETHIUM has signed code with self-signed certificates.'), 'T1553.002': ('A QuasarRAT .dll file is digitally signed by a certificate from AirVPN.'), 'T1553.002': ('RTM samples have been signed with code-signing certificates.'), 'T1553.002': ('Silence has used a valid certificate to sign their primary loader Silence.Downloader (aka TrueBot).'), 'T1553.002': ('StrongPity has been signed with self-signed certificates.'), 'T1553.002': ('Suckfly has used stolen certificates to sign its malware.'), 'T1553.002': ('SUNBURST was digitally signed by SolarWinds from March - May 2020.'), 'T1553.002': 'TA505 has signed payloads with code signing certificates from Thawte and Sectigo.'), 'T1553.002': 'TrickBot has come with a signed downloader component.'), 'T1553.002': ('UNC2452 was able to get SUNBURST signed by SolarWinds code signing certificates by injecting the malware into the SolarWinds Orion software lifecycle.'), 'T1553.002': ('Winnti Group used stolen certificates to sign its malware.'), 'T1553.002': ('Wizard Spider has used Digicert code-signing certificates for some of its malware.'), 'T1552.002': ('Agent Tesla has the ability to 
extract credentials from the Registry.'), 'T1552.002': ('APT32 used Outlook Credential Dumper to harvest credentials stored in Windows registry.'), 'T1552.002': ('PowerSploit has several modules that search the Windows Registry for stored credentials: Get-UnattendedInstallFile Get-Webconfig Get-ApplicationHost Get-SiteListPassword Get-CachedGPPPassword and Get-RegistryAutoLogon.'), 'T1552.002': ('Reg may be used to find credentials in the Windows Registry.'), 'T1552.002': 'TrickBot has retrieved PuTTY credentials by querying the Software\SimonTatham\PuTTY\Sessions registry key.'), 'T1552.002': ('Valak can use the clientgrabber module to steal e-mail credentials from the Registry.'), 'T1552.003': ('Kinsing has searched bash_history for credentials.'), 'T1552.003': 'Tropic Trooper favors the tactic of harvesting credentials from a bash_history file.'), 'T1552.003': 'The ransomware Diavol contains functionality that allows it to search user historical bash commands for usernames and passwords that were used as parameters.'), 'T1552.003': ('FIN13 can enumerate their user credentials via searching the bash_history file of users for insecurely stored passwords.'), 'T1552.003': 'The ~/.bash_history file can contain credentials for APT groups to harvest if they are stored insecurely.'), 'T1027.002': ('Anchor has come with a packed payload.'), 'T1027.002': ('APT29 used UPX to pack files.'), 'T1027.002': ('APT3 has been known to pack their tools.'), 'T1027.002': ('APT38 has used several code packing methods such as Themida Enigma VMProtect and Obsidium to pack their implants.'), 'T1027.002': ('APT39 has packed tools with UPX and has repacked a modified version of Mimikatz to thwart anti-virus detection.'), 'T1027.002': ('Astaroth uses a software packer called Pe123RPolyCryptor.'), 'T1027.002': ('Bazar has a variant with a packed payload.'), 'T1027.002': ('BLINDINGCAN has been packed with the UPX packer.'), 'T1027.002': ('China Chopper client component is packed with UPX.'), 
'T1027.002': ('CSPY Downloader has been packed with UPX.'), 'T1027.002': ('Dark Caracal has used UPX to pack Bandook.'), 'T1027.002': ('DarkComet has the option to compress its payload using UPX or MPRESS.'), 'T1027.002': ('A version of Daserf uses the MPRESS packer.'), 'T1027.002': ('Dyre has been delivered with encrypted resources and must be unpacked for execution.'), 'T1027.002': ('Egregor payloads are custom-packed archived and encrypted to prevent analysis.'), 'T1027.002': ('Elderwood has packed malware payloads before delivery to victims.'), 'T1027.002': ('Emotet has used custom packers to protect its payloads.'), 'T1027.002': ('FatDuke has been regularly repacked by its operators to create large binaries and evade detection.'), 'T1027.002': ('A FinFisher variant uses a custom packer.'), 'T1027.002': ('GALLIUM packed some payloads using different types of packers both known and custom.'), 'T1027.002': ('GoldMax has been packed for obfuscation.'), 'T1027.002': ('GreyEnergy is packed for obfuscation.'), 'T1027.002': ('H1N1 uses a custom packing algorithm.'), 'T1027.002': ('Hildegard has packed ELF files into other binaries.'), 'T1027.002': ('HotCroissant has used the open source UPX executable packer.'), 'T1027.002': ('IcedID has packed and encrypted its loader module.'), 'T1027.002': ('jRAT payloads have been packed.'), 'T1027.002': ('Lazarus Group has used Themida to pack at least two separate backdoor implants.'), 'T1027.002': ('Lokibot has used several packing methods for obfuscation.'), 'T1027.002': ('Lucifer has used UPX packed binaries.'), 'T1027.002': ('Machete has been packed with NSIS.'), 'T1027.002': ('Melcoz has been packed with VMProtect and Themida.'), 'T1027.002': ('Metamorfo has used VMProtect to pack and protect files.'), 'T1027.002': ('NETWIRE has used .NET packer tools to evade detection.'), 'T1027.002': ('Night Dragon is known to use software packing in its tools.'), 'T1027.002': ('OopsIE uses the SmartAssembly obfuscator to pack an 
embedded .Net Framework assembly used for C2.'), 'T1027.002': ('OSX_OCEANLOTUS.D has a variant that is packed with UPX.'), 'T1027.002': ('A Patchwork payload was packed with UPX.'), 'T1027.002': ('Raindrop used a custom packer for its Cobalt Strike payload which was compressed using the LZMA algorithm.'), 'T1027.002': ('Rocke miner has created UPX-packed files in the Windows Start Menu Folder.'), 'T1027.002': ('SDBbot has used a packed installer file.'), 'T1027.002': ('SeaDuke has been packed with the UPX packer.'), 'T1027.002': ('ShimRat loader has been packed with the compressed ShimRat core DLL and the legitimate DLL for it to hijack.'), 'T1027.002': ('Spark has been packed with Enigma Protector to obfuscate its contents.'), 'T1027.002': 'TA505 has used UPX to obscure malicious code.'), 'T1027.002': 'The White Company has obfuscated their payloads through packing.'), 'T1027.002': 'TrickBot leverages a custom packer to obfuscate its functionality.'), 'T1027.002': 'Trojan.Karagany samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer.'), 'T1027.002': ('Uroburos uses a custom packer.'), 'T1027.002': ('Valak has used packed DLL payloads.'), 'T1027.002': ('VERMIN is initially packed.'), 'T1027.002': ('yty packs a plugin with UPX.'), 'T1027.002': ('Zebrocy Delphi variant was packed with UPX.'), 'T1027.002': ('Some ZeroT DLL files have been packed with UPX.'), 'T1027.002': ('ZIRCONIUM has used multi-stage packers for exploit code.'), 'T1547.007': 'The hostwriter campaign utilised malware that edited plist files so that data could be exfiltrated on startup.'), 'T1547.007': ('APT29 CozyBear modify startup files so that upon booting a machine malicious activity is executed.'), 'T1547.007': ('Ryuk ransomware has the ability to launch its encryption program upon booting up the infected machine.'), 'T1547.007': ('REvil ransomware performs a variety of malicious activity after startup having modified the infected machine to 
do so.'), 'T1547.007': 'The threat actor FIN13 often modifies plist files with the aim to run malicious code upon startup.'), 'T1547.010': ('REvil can escalate its privileges by loading a dll file before startup allowing it to run with SYSTEM level privileges.'), 'T1547.010': ('Ransomware can achieve persistence by abusing port monitors for code execution upon startup.'), 'T1547.010': ('QakBot malware can send a .dll file to be executed during system boot.'), 'T1547.010': ('Malware such as Emotet can achieve persistence through executing code during startup often via dll injection via port monitors.'), 'T1547.010': ('Russian threat actors deploy a variety of techniques to achieve persistence sometimes involving the abuse of port monitors to execute arbitrary code during the boot process.'), 'T1546.001': ('Kimsuky has a HWP document stealer module which changes the default program association in the registry to open HWP documents.'), 'T1546.001': ('Cring Ransomware can escalate privileges via changes to the default handlers.'), 'T1546.001': 'Through manipulation of the registry FIN13 can achieve persistence by changing the file association to allow for malicious code execution.'), 'T1546.001': ('CobaltStrike contains modules that can modify default file associations.'), 'T1546.001': ('Neurevt trojan persists itself via executing arbitrary code often achieved by modifying default file associations.'),]