"T1070.006::[3PARA RAT] has a command to set certain attributes such as creation/modification timestamps on files."
"T1071.001::[3PARA RAT] uses HTTP for command and control."
"T1083::[3PARA RAT] has a command to retrieve metadata for files on disk as well as a command to list the current working directory."
"T1573.001::[3PARA RAT] command and control commands are encrypted within the HTTP C2 channel using the DES algorithm in CBC mode with a key derived from the MD5 hash of the string HYF54&%9&jkMCXuiS. [3PARA RAT] will use an 8-byte XOR key derived from the string HYF54&%9&jkMCXuiS if the DES decoding fails"
"T1057::[4H RAT] has the capability to obtain a listing of running processes (including loaded modules)."
"T1059.003::[4H RAT] has the capability to create a remote shell."
"T1071.001::[4H RAT] uses HTTP for command and control."
"T1082::[4H RAT] sends an OS version identifier in its beacons."
"T1083::[4H RAT] has the capability to obtain file and directory listings."
"T1573.001::[4H RAT] obfuscates C2 communication using a 1-byte XOR with the key 0xBE."
"T1027.003::[ABK] can extract a malicious Portable Executable (PE) from a photo."
"T1055::[ABK] has the ability to inject shellcode into svchost.exe."
"T1059.003::[ABK] has the ability to use [cmd] to run a Portable Executable (PE) on the compromised host."
"T1071.001::[ABK] has the ability to use HTTP in communications with C2."
"T1105::[ABK] has the ability to download files from C2."
"T1140::[ABK] has the ability to decrypt AES encrypted payloads."
"T1518.001::[ABK] has the ability to identify the installed anti-virus product on the compromised host."
"T1005::[Action RAT] can collect local data from an infected machine."
"T1016::[Action RAT] has the ability to collect the MAC address of an infected host."
"T1027::[Action RAT]'s commands, strings, and domains can be Base64 encoded within the payload."
"T1033::[Action RAT] has the ability to collect the username from an infected host."
"T1047::[Action RAT] can use WMI to gather AV products installed on an infected host."
"T1059.003::[Action RAT] can use `cmd.exe` to execute commands on an infected host."
"T1071.001::[Action RAT] can use HTTP to communicate with C2 servers."
"T1082::[Action RAT] has the ability to collect the hostname, OS version, and OS architecture of an infected host."
"T1083::[Action RAT] has the ability to collect drive and file information on an infected machine."
"T1105::[Action RAT] has the ability to download additional payloads onto an infected machine."
"T1140::[Action RAT] can use Base64 to decode actor-controlled C2 server communications."
"T1518.001::[Action RAT] can identify AV products on an infected host using the following command: `cmd.exe WMIC /Node:localhost /Namespace:\\\\root\\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List`."
"T1059.003::[adbupd] can run a copy of cmd.exe."
"T1546.003::[adbupd] can use a WMI script to achieve persistence."
"T1573.002::[adbupd] contains a copy of the OpenSSL library to encrypt C2 traffic."
"T1012::[ADVSTORESHELL] can enumerate registry keys."
"T1027::Most of the strings in [ADVSTORESHELL] are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory."
"T1029::[ADVSTORESHELL] collects, compresses, encrypts, and exfiltrates data to the C2 server every 10 minutes."
"T1041::[ADVSTORESHELL] exfiltrates data over the same channel used for C2."
"T1056.001::[ADVSTORESHELL] can perform keylogging."
"T1057::[ADVSTORESHELL] can list running processes."
"T1059.003::[ADVSTORESHELL] can create a remote shell and run a given command."
"T1070.004::[ADVSTORESHELL] can delete files and directories."
"T1071.001::[ADVSTORESHELL] connects to port 80 of a C2 server using Wininet API. Data is exchanged via HTTP POSTs."
"T1074.001::[ADVSTORESHELL] stores output from command execution in a .dat file in the %TEMP% directory."
"T1082::[ADVSTORESHELL] can run [Systeminfo] to gather information about the victim."
"T1083::[ADVSTORESHELL] can list files and directories."
"T1106::[ADVSTORESHELL] is capable of starting a process using CreateProcess."
"T1112::[ADVSTORESHELL] is capable of setting and deleting Registry values."
"T1120::[ADVSTORESHELL] can list connected devices."
"T1132.001::C2 traffic from [ADVSTORESHELL] is encrypted, then encoded with Base64 encoding."
"T1218.011::[ADVSTORESHELL] has used rundll32.exe in a Registry value to establish persistence."
"T1546.015::Some variants of [ADVSTORESHELL] achieve persistence by registering the payload as a Shell Icon Overlay handler COM object."
"T1547.001::[ADVSTORESHELL] achieves persistence by adding itself to the HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key."
"T1560.003::[ADVSTORESHELL] compresses output data generated by command execution with a custom implementation of the Lempel–Ziv–Welch (LZW) algorithm."
"T1560::[ADVSTORESHELL] encrypts with the 3DES algorithm and a hardcoded key prior to exfiltration."
"T1573.001::A variant of [ADVSTORESHELL] encrypts some C2 with 3DES."
"T1573.002::A variant of [ADVSTORESHELL] encrypts some C2 with RSA."
"T1016::[Agent Tesla] can collect the IP address of the victim machine and spawn instances of netsh.exe to enumerate wireless settings."
"T1027::[Agent Tesla] has had its code obfuscated in an apparent attempt to make analysis difficult."
"T1033::[Agent Tesla] can collect the username from the victim’s machine."
"T1047::[Agent Tesla] has used wmi queries to gather information from the system."
"T1048.003::[Agent Tesla] has routines for exfiltration over SMTP, FTP, and HTTP."
"T1053.005::[Agent Tesla]  has achieved persistence via scheduled tasks."
"T1055.012::[Agent Tesla] has used process hollowing to create and manipulate processes through sections of unmapped memory by reallocating that space with its malicious code."
"T1055::[Agent Tesla] can inject into known, vulnerable binaries on targeted hosts."
"T1056.001::[Agent Tesla] can log keystrokes on the victim’s machine."
"T1057::[Agent Tesla] can list the current running processes on the system."
"T1071.001::[Agent Tesla] has used HTTP for C2 communications."
"T1071.003::[Agent Tesla] has used SMTP for C2 communications."
"T1082::[Agent Tesla] can collect the system's computer name and also has the capability to collect information on the processor, memory, OS, and video card from the system."
"T1087.001::[Agent Tesla] can collect account information from the victim’s machine."
"T1105::[Agent Tesla] can download additional files for execution on the victim’s machine."
"T1112::[Agent Tesla] can achieve persistence by modifying Registry key entries."
"T1113::[Agent Tesla] can capture screenshots of the victim’s desktop."
"T1115::[Agent Tesla] can steal data from the victim’s clipboard."
"T1124::[Agent Tesla] can collect the timestamp from the victim’s machine."
"T1125::[Agent Tesla] can access the victim’s webcam and record video."
"T1140::[Agent Tesla] has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm."
"T1185::[Agent Tesla] has the ability to use form-grabbing to extract data from web data forms."
"T1203::[Agent Tesla] has exploited Office vulnerabilities such as CVE-2017-11882 and CVE-2017-8570 for execution during delivery."
"T1204.002::[Agent Tesla] has been executed through malicious e-mail attachments"
"T1218.009::[Agent Tesla] has dropped RegAsm.exe onto systems for performing malicious activity."
"T1497::[Agent Tesla] has he ability to perform anti-sandboxing and anti-virtualization checks."
"T1547.001::[Agent Tesla] can add itself to the Registry as a startup program to establish persistence."
"T1552.001::[Agent Tesla] has the ability to extract credentials from configuration or support files."
"T1552.002::[Agent Tesla] has the ability to extract credentials from the Registry."
"T1555.003::[Agent Tesla] can gather credentials from a number of browsers."
"T1555::[Agent Tesla] has the ability to steal credentials from FTP clients and wireless profiles."
"T1560::[Agent Tesla] can encrypt data with 3DES before sending it over to a C2 server."
"T1562.001::[Agent Tesla] has the capability to kill any running analysis processes and AV software."
"T1564.001::[Agent Tesla] has created hidden folders."
"T1564.003::[Agent Tesla] has used ProcessWindowStyle.Hidden to hide windows."
"T1566.001::The primary delivered mechaism for [Agent Tesla] is through email phishing messages."
"T1016::[Agent.btz] collects the network adapter’s IP and MAC address as well as IP addresses of the network adapter’s default gateway, primary/secondary WINS, DHCP, and DNS servers, and saves them into a log file."
"T1033::[Agent.btz] obtains the victim username and saves it to a file."
"T1052.001::[Agent.btz] creates a file named thumb.dd on all USB flash drives connected to the victim. This file contains information about the infected system and activity logs."
"T1091::[Agent.btz] drops itself onto removable media devices and creates an autorun.inf file with an instruction to run that file. When the device is inserted into another system, it opens autorun.inf and loads the malware."
"T1105::[Agent.btz] attempts to download an encrypted binary from a specified domain."
"T1560.003::[Agent.btz] saves system information into an XML file that is then XOR-encoded."
"T1005::[Amadey] can collect information from a compromised host."
"T1016::[Amadey] can identify the IP address of a victim machine."
"T1027::[Amadey] has obfuscated strings such as antivirus vendor names, domains, files, and others."
"T1033::[Amadey] has collected the user name from a compromised host using `GetUserNameA`."
"T1041::[Amadey] has sent victim data to its C2 servers."
"T1071.001::[Amadey] has used HTTP for C2 communications."
"T1082::[Amadey] has collected the computer name and OS version from a compromised machine."
"T1083::[Amadey] has searched for folders associated with antivirus software."
"T1105::[Amadey] can download and execute files to further infect a host machine with additional malware."
"T1106::[Amadey] has used a variety of Windows API calls, including `GetComputerNameA`, `GetUserNameA`, and `CreateProcessA`."
"T1112::[Amadey] has overwritten registry keys for persistence."
"T1140::[Amadey] has decoded antivirus name strings."
"T1518.001::[Amadey] has checked for a variety of antivirus products."
"T1547.001::[Amadey] has changed the Startup folder to the one containing its executable by overwriting the registry keys."
"T1553.005::[Amadey] has modified the `:Zone.Identifier` in the ADS area to zero."
"T1568.001::[Amadey] has used fast flux DNS for its C2."
"T1614::[Amadey] does not run any tasks or install additional malware if the victim machine is based in Russia."
"T1008::[Anchor] can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers."
"T1016::[Anchor] can determine the public IP and location of a compromised host."
"T1021.002::[Anchor] can support windows execution via SMB shares."
"T1027.002::[Anchor] has come with a packed payload."
"T1027::[Anchor] has obfuscated code with stack strings and string encryption."
"T1053.003::[Anchor] can install itself as a cron job."
"T1053.005::[Anchor] can create a scheduled task for persistence."
"T1059.003::[Anchor] has used cmd.exe to run its self deletion routine."
"T1059.004::[Anchor] can execute payloads via shell scripting."
"T1070.004::[Anchor] can self delete its dropper after the malware is successfully deployed."
"T1071.001::[Anchor] has used HTTP and HTTPS in C2 communications."
"T1071.004::Variants of [Anchor] can use DNS tunneling to communicate with C2."
"T1082::[Anchor] can determine the hostname and linux version on a compromised host."
"T1095::[Anchor] has used ICMP in C2 communications."
"T1105::[Anchor] can download additional payloads."
"T1480::[Anchor] can terminate itself if specific execution flags are not present."
"T1543.003::[Anchor] can establish persistence by creating a service."
"T1553.002::[Anchor] has been signed with valid certificates to evade detection by security tools."
"T1564.004::[Anchor] has used NTFS to hide files."
"T1569.002::[Anchor] can create and execute services to load its payload."
"T1027::[AppleJeus] has XOR-encrypted collected system information prior to sending to a C2. [AppleJeus] has also used the open source ADVObfuscation library for its components."
"T1041::[AppleJeus] has exfiltrated collected host information to a C2 server."
"T1053.005::[AppleJeus] has created a scheduled SYSTEM task that runs when a user logs in."
"T1059.004::[AppleJeus] has used shell scripts to execute commands after installation and set persistence mechanisms."
"T1070.004::[AppleJeus] has deleted the MSI file after installation."
"T1071.001::[AppleJeus] has sent data to its C2 server via POST requests."
"T1082::[AppleJeus] has collected the victim host information after infection."
"T1140::[AppleJeus] has decoded files received from a C2."
"T1204.001::[AppleJeus]'s spearphishing links required user interaction to navigate to the malicious website."
"T1204.002::[AppleJeus] has required user execution of a malicious MSI installer."
"T1218.007::[AppleJeus] has been installed via MSI installer."
"T1497.003::[AppleJeus] has waited a specified time before downloading a second stage payload."
"T1543.003::[AppleJeus] can install itself as a service."
"T1543.004::[AppleJeus] has placed a plist file within the LaunchDaemons folder and launched it manually."
"T1546.016::During [AppleJeus]'s installation process, it uses `postinstall` scripts to extract a hidden plist from the application's `/Resources` folder and execute the `plist` file as a [Launch Daemon] with elevated permissions."
"T1548.002::[AppleJeus] has presented the user with a UAC prompt to elevate privileges while installing."
"T1553.002::[AppleJeus] has used a valid digital signature from Sectigo to appear legitimate."
"T1564.001::[AppleJeus] has added a leading . to plist filenames, unlisting them from the Finder app and default Terminal directory listings."
"T1566.002::[AppleJeus] has been distributed via spearphishing link."
"T1569.001::[AppleJeus] has loaded a plist file using the launchctl command."
"T1005::[AppleSeed] can collect data on a compromised host."
"T1008::[AppleSeed] can use a second channel for C2 when the primary channel is in upload mode."
"T1016::[AppleSeed] can identify the IP of a targeted system."
"T1025::[AppleSeed] can find and collect data from removable media devices."
"T1027.002::[AppleSeed] has used UPX packers for its payload DLL."
"T1027::[AppleSeed] has the ability to Base64 encode its payload and custom encrypt API calls."
"T1030::[AppleSeed] has divided files if the size is 0x1000000 bytes or more."
"T1036.005::[AppleSeed] has the ability to rename its payload to ESTCommon.dll to masquerade as a DLL belonging to ESTsecurity."
"T1036::[AppleSeed] can disguise JavaScript files as PDFs."
"T1041::[AppleSeed] can exfiltrate files via the C2 channel."
"T1056.001::[AppleSeed] can use GetKeyState and GetKeyboardState to capture keystrokes on the victim’s machine."
"T1057::[AppleSeed] can enumerate the current process on a compromised host."
"T1059.001::[AppleSeed] has the ability to execute its payload via PowerShell."
"T1059.007::[AppleSeed] has the ability to use JavaScript to execute PowerShell."
"T1070.004::[AppleSeed] can delete files from a compromised host after they are exfiltrated."
"T1071.001::[AppleSeed] has the ability to communicate with C2 over HTTP."
"T1074.001::[AppleSeed] can stage files in a central location prior to exfiltration."
"T1082::[AppleSeed] can identify the OS version of a targeted system."
"T1083::[AppleSeed] has the ability to search for .txt, .ppt, .hwp, .pdf, and .doc files in specified directories."
"T1106::[AppleSeed] has the ability to use multiple dynamically resolved API calls."
"T1113::[AppleSeed] can take screenshots on a compromised host by calling a series of APIs."
"T1119::[AppleSeed] has automatically collected data from USB drives, keystrokes, and screen images before exfiltration."
"T1124::[AppleSeed] can pull a timestamp from the victim's machine."
"T1134::[AppleSeed] can gain system level privilege by passing SeDebugPrivilege to the AdjustTokenPrivilege API."
"T1140::[AppleSeed] can decode its payload prior to execution."
"T1204.002::[AppleSeed] can achieve execution through users running malicious file attachments distributed via email."
"T1218.010::[AppleSeed] can call regsvr32.exe for execution."
"T1547.001::[AppleSeed] has the ability to create the Registry key name EstsoftAutoUpdate at HKCU\\Software\\Microsoft/Windows\\CurrentVersion\\RunOnce to establish persistence."
"T1560.001::[AppleSeed] can zip and encrypt data collected on a target system."
"T1560::[AppleSeed] has compressed collected data before exfiltration."
"T1566.001::[AppleSeed] has been distributed to victims through malicious e-mail attachments."
"T1567::[AppleSeed] has exfiltrated files using web services."
"T1010::[Aria-body] has the ability to identify the titles of running windows on a compromised host."
"T1016::[Aria-body] has the ability to identify the location, public IP address, and domain name on a compromised host."
"T1025::[Aria-body] has the ability to collect data from USB devices."
"T1027::[Aria-body] has used an encrypted configuration file for its loader."
"T1033::[Aria-body] has the ability to identify the username on a compromised host."
"T1049::[Aria-body] has the ability to gather TCP and UDP table status listings."
"T1055.001::[Aria-body] has the ability to inject itself into another process such as rundll32.exe and dllhost.exe."
"T1057::[Aria-body] has the ability to enumerate loaded modules for a process.."
"T1070.004::[Aria-body] has the ability to delete files and directories on compromised hosts."
"T1071.001::[Aria-body] has used HTTP in C2 communications."
"T1082::[Aria-body] has the ability to identify the hostname, computer name, Windows version, processor speed, machine GUID, and disk information on a compromised host."
"T1083::[Aria-body] has the ability to gather metadata from a file and to search for file and directory names."
"T1090::[Aria-body] has the ability to use a reverse SOCKS proxy module."
"T1095::[Aria-body] has used TCP in C2 communications."
"T1105::[Aria-body] has the ability to download additional payloads from C2."
"T1106::[Aria-body] has the ability to launch files using ShellExecute."
"T1113::[Aria-body] has the ability to capture screenshots on compromised hosts."
"T1134.001::[Aria-body] has the ability to duplicate a token from ntprint.exe."
"T1134.002::[Aria-body] has the ability to execute a process using runas."
"T1140::[Aria-body] has the ability to decrypt the loader configuration and payload DLL."
"T1547.001::[Aria-body] has established persistence via the Startup folder or Run Registry key."
"T1560::[Aria-body] has used ZIP to compress data gathered on a compromised host."
"T1568.002::[Aria-body] has the ability to use a DGA for C2 communications."
"T1505.003::[ASPXSpy] is a Web shell. The ASPXTool version used by [Threat Group-3390] has been deployed to accessible servers running Internet Information Services (IIS)."
"T1016::[Astaroth] collects the external IP address from the system."
"T1027.002::[Astaroth] uses a software packer called Pe123\\RPolyCryptor."
"T1027::[Astaroth] obfuscates its JScript code, and has used an XOR-based algorithm to encrypt payloads twice with different keys."
"T1041::[Astaroth] exfiltrates collected information from its r1.log file to the external C2 server."
"T1047::[Astaroth] uses WMIC to execute payloads."
"T1055.012::[Astaroth] can create a new process in a suspended state from a targeted legitimate process in order to unmap its memory and replace it with malicious code."
"T1056.001::[Astaroth] logs keystrokes from the victim's machine."
"T1057::[Astaroth] searches for different processes on the system."
"T1059.003::[Astaroth] spawns a CMD process to execute commands."
"T1059.005::[Astaroth] has used malicious VBS e-mail attachments for execution."
"T1059.007::[Astaroth] uses JavaScript to perform its core functionalities."
"T1074.001::[Astaroth] collects data in a plaintext file named r1.log before exfiltration."
"T1082::[Astaroth] collects the machine name and keyboard language from the system."
"T1102.001::[Astaroth] can store C2 information on cloud hosting services such as AWS and CloudFlare and websites like YouTube and Facebook."
"T1105::[Astaroth] uses [certutil] and [BITSAdmin] to download additional malware."
"T1115::[Astaroth] collects information from the clipboard by using the OpenClipboard() and GetClipboardData() libraries."
"T1124::[Astaroth] collects the timestamp from the infected machine."
"T1129::[Astaroth] uses the LoadLibraryExW() function to load additional modules."
"T1132.001::[Astaroth] encodes data using Base64 before sending it to the C2 server."
"T1140::[Astaroth] uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code."
"T1204.002::[Astaroth] has used malicious files including VBS, LNK, and HTML for execution."
"T1218.001::[Astaroth] uses ActiveX objects for file execution and manipulation."
"T1218.010::[Astaroth] can be loaded through regsvr32.exe."
"T1220::[Astaroth] executes embedded JScript or VBScript in an XSL stylesheet located on a remote domain."
"T1497.001::[Astaroth] can check for Windows product ID's used by sandboxes and usernames and disk serial numbers associated with analyst environments."
"T1518.001::[Astaroth] checks for the presence of Avast antivirus in the C:\\Program\\Files\\ folder."
"T1547.001::[Astaroth] creates a startup item for persistence."
"T1547.009::[Astaroth]'s initial payload is a malicious .LNK file."
"T1552::[Astaroth] uses an external software known as NetPass to recover passwords."
"T1555::[Astaroth] uses an external software known as NetPass to recover passwords."
"T1564.003::[Astaroth] loads its module with the XSL script parameter vShow set to zero, which opens the application with a hidden window."
"T1564.004::[Astaroth] can abuse alternate data streams (ADS) to store content for malicious payloads."
"T1568.002::[Astaroth] has used a DGA in C2 communications."
"T1574.001::[Astaroth] can launch itself via DLL Search Order Hijacking."
"T1598.002::[Astaroth] has been delivered via malicious e-mail attachments."
"T1010::[Attor] can obtain application window titles and then determines which windows to perform Screen Capture on."
"T1012::[Attor] has opened the registry and performed query searches."
"T1020::[Attor] has a file uploader plugin that automatically exfiltrates the collected data and log files to the C2 server."
"T1027::Strings in [Attor]'s components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA."
"T1036.004::[Attor]'s dispatcher disguises itself as a legitimate task (i.e., the task name and description appear legitimate)."
"T1037.001::[Attor]'s dispatcher can establish persistence via adding a Registry key with a logon script HKEY_CURRENT_USER\\Environment \"UserInitMprLogonScript\" ."
"T1041::[Attor] has exfiltrated data over the C2 channel."
"T1053.005::[Attor]'s installer plugin can schedule a new task that loads the dispatcher on boot/logon."
"T1055.004::[Attor] performs the injection by attaching its code into the APC queue using NtQueueApcThread API."
"T1055::[Attor]'s dispatcher can inject itself into running processes to gain higher privileges and to evade detection."
"T1056.001::One of [Attor]'s plugins can collect user credentials via capturing keystrokes and can capture keystrokes pressed within the window of the injected process."
"T1070.004::[Attor]’s plugin deletes the collected files and log files after exfiltration."
"T1070.006::[Attor] has manipulated the time of last access to files and registry keys after they have been created or modified."
"T1071.002::[Attor] has used FTP protocol for C2 communication."
"T1074.001::[Attor] has staged collected data in a central upload directory prior to exfiltration."
"T1082::[Attor] monitors the free disk space on the system."
"T1083::[Attor] has a plugin that enumerates files with specific extensions on all hard disk drives and stores file information in encrypted log files."
"T1090.003::[Attor] has used Tor for C2 communication."
"T1105::[Attor] can download additional plugins, updates and other files."
"T1106::[Attor]'s dispatcher has used CreateProcessW API for execution."
"T1112::[Attor]'s dispatcher can modify the Run registry key."
"T1113::[Attor]'s has a plugin that captures screenshots of the target applications."
"T1115::[Attor] has a plugin that collects data stored in the Windows clipboard by using the OpenClipboard and GetClipboardData APIs."
"T1119::[Attor] has automatically collected data about the compromised system."
"T1120::[Attor] has a plugin that collects information about inserted storage devices, modems, and phone devices."
"T1123::[Attor]'s has a plugin that is capable of recording audio using available input sound devices."
"T1129::[Attor]'s dispatcher can execute additional plugins by loading the respective DLLs."
"T1218.011::[Attor]'s installer plugin can schedule rundll32.exe to load the dispatcher."
"T1497.001::[Attor] can detect whether it is executed in some virtualized or emulated environment by searching for specific artifacts, such as communication with I/O ports and using VM-specific instructions."
"T1543.003::[Attor]'s dispatcher can establish persistence by registering a new service."
"T1560.003::[Attor] encrypts collected data with a custom implementation of Blowfish and RSA ciphers."
"T1564.001::[Attor] can set attributes of log files and directories to HIDDEN, SYSTEM, ARCHIVE, or a combination of those."
"T1569.002::[Attor]'s dispatcher can be executed as a service."
"T1573.001::[Attor] has encrypted data symmetrically using a randomly generated Blowfish (OFB) key which is encrypted with a public RSA key."
"T1573.002::[Attor]'s Blowfish key is encrypted with a public RSA key."
"T1027::[AuditCred] encrypts the configuration."
"T1055::[AuditCred] can inject code from files to other running processes."
"T1059.003::[AuditCred] can open a reverse shell on the system to execute commands."
"T1070.004::[AuditCred] can delete files from the system."
"T1083::[AuditCred] can search through folders and files on the system."
"T1090::[AuditCred] can utilize proxy for communications."
"T1105::[AuditCred] can download files and additional malware."
"T1140::[AuditCred] uses XOR and RC4 to perform decryption on the code functions."
"T1543.003::[AuditCred] is installed as a new service on the system."
"T1005::[AuTo Stealer] can collect data such as PowerPoint files, Word documents, Excel files, PDF files, text files, database files, and image files from an infected machine."
"T1033::[AuTo Stealer] has the ability to collect the username from an infected host."
"T1041::[AuTo Stealer] can exfiltrate data over actor-controlled C2 servers via HTTP or TCP."
"T1059.003::[AuTo Stealer] can use `cmd.exe` to execute a created batch file."
"T1071.001::[AuTo Stealer] can use HTTP to communicate with its C2 servers."
"T1074.001::[AuTo Stealer] can store collected data from an infected host to a file named `Hostname_UserName.txt` prior to exfiltration."
"T1082::[AuTo Stealer] has the ability to collect the hostname and OS information from an infected host."
"T1095::[AuTo Stealer] can use TCP to communicate with command and control servers."
"T1518.001::[AuTo Stealer] has the ability to collect information about installed AV products from an infected host."
"T1547.001::[AuTo Stealer] can place malicious executables in a victim's AutoRun registry key or StartUp directory, depending on the AV product installed, to maintain persistence."
"T1059.001::[AutoIt backdoor] downloads a PowerShell script that decodes to a typical shellcode loader."
"T1083::[AutoIt backdoor] is capable of identifying documents on the victim with the following extensions: .doc; .pdf, .csv, .ppt, .docx, .pst, .xls, .xlsx, .pptx, and .jpeg."
"T1132.001::[AutoIt backdoor] has sent a C2 response that was base64-encoded."
"T1548.002::[AutoIt backdoor] attempts to escalate privileges by bypassing User Access Control."
"T1016::[Avaddon] can collect the external IP address of the victim."
"T1027::[Avaddon] has used encrypted strings."
"T1047::[Avaddon] uses wmic.exe to delete shadow copies."
"T1057::[Avaddon] has collected information about running processes."
"T1059.007::[Avaddon] has been executed through a malicious JScript downloader."
"T1083::[Avaddon] has searched for specific files prior to encryption."
"T1106::[Avaddon] has used the Windows Crypto API to generate an AES key."
"T1112::[Avaddon] modifies several registry keys for persistence and UAC bypass."
"T1135::[Avaddon] has enumerated shared folders and mapped volumes."
"T1140::[Avaddon] has decrypted encrypted strings."
"T1486::[Avaddon] encrypts the victim system using a combination of AES256 and RSA encryption schemes."
"T1489::[Avaddon] looks for and attempts to stop database processes."
"T1490::[Avaddon] deletes backups and shadow copies using native system tools."
"T1547.001::[Avaddon] uses registry run keys for persistence."
"T1548.002::[Avaddon] bypasses UAC using the CMSTPLUA COM interface."
"T1562.001::[Avaddon] looks for and attempts to stop anti-malware solutions."
"T1614.001::[Avaddon] checks for specific keyboard layouts and OS languages to avoid targeting Commonwealth of Independent States (CIS) entities."
"T1016::[Avenger] can identify the domain of the compromised host."
"T1027.003::[Avenger] can extract backdoor malware from downloaded images."
"T1027::[Avenger] has the ability to XOR encrypt files to be sent to C2."
"T1055::[Avenger] has the ability to inject shellcode into svchost.exe."
"T1057::[Avenger] has the ability to use [Tasklist] to identify running processes."
"T1071.001::[Avenger] has the ability to use HTTP in communication with C2."
"T1082::[Avenger] has the ability to identify the host volume ID and the OS architecture on a compromised host."
"T1083::[Avenger] has the ability to browse files in directories such as Program Files and the Desktop."
"T1105::[Avenger] has the ability to download files from C2 to a compromised host."
"T1140::[Avenger] has the ability to decrypt files downloaded from C2."
"T1518.001::[Avenger] has the ability to identify installed anti-virus products on a compromised host."
"T1012::[Azorult] can check for installed software on the system under the Registry key Software\\Microsoft\\Windows\\CurrentVersion\\Uninstall."
"T1016::[Azorult] can collect host IP information from the victim’s machine."
"T1033::[Azorult] can collect the username from the victim’s machine."
"T1055.012::[Azorult] can decrypt the payload into memory, create a new suspended process of itself, then inject a decrypted payload to the new process and resume new process execution."
"T1057::[Azorult] can collect a list of running processes by calling CreateToolhelp32Snapshot."
"T1070.004::[Azorult] can delete files from victim machines."
"T1082::[Azorult] can collect the machine information, system architecture, the OS version, computer name, Windows product name, the number of CPU cores, video card information, and the system language."
"T1083::[Azorult] can recursively search for files in folders and collects files from the desktop with certain extensions."
"T1105::[Azorult] can download and execute additional files. [Azorult] has also downloaded a ransomware payload called Hermes."
"T1113::[Azorult] can capture screenshots of the victim’s machines."
"T1124::[Azorult] can collect the time zone information from the system."
"T1134.002::[Azorult] can call WTSQueryUserToken and CreateProcessAsUser to start a new process with local system privileges."
"T1140::[Azorult] uses an XOR key to decrypt content and uses Base64 to decode the C2 address."
"T1552.001::[Azorult] can steal credentials in files belonging to common software such as Skype, Telegram, and Steam."
"T1555.003::[Azorult] can steal credentials from the victim's browser."
"T1573.001::[Azorult] can encrypt C2 traffic using XOR."
"T1007::[Babuk] can enumerate all services running on a compromised host."
"T1027.002::Versions of [Babuk] have been packed."
"T1049::[Babuk] can use “WNetOpenEnumW” and “WNetEnumResourceW” to enumerate files in network resources for encryption."
"T1057::[Babuk] has the ability to check running processes on a targeted system."
"T1059.003::[Babuk] has the ability to use the command line to control execution on compromised hosts."
"T1082::[Babuk] can enumerate disk volumes, get disk information, and query service status."
"T1083::[Babuk] has the ability to enumerate files on a targeted system."
"T1106::[Babuk] can use multiple Windows API calls for actions on compromised hosts including discovery and execution."
"T1135::[Babuk] has the ability to enumerate network shares."
"T1140::[Babuk] has the ability to unpack itself into memory using XOR."
"T1486::[Babuk] can use ChaCha8 and ECDH to encrypt data."
"T1489::[Babuk] can stop specific services related to backups."
"T1490::[Babuk] has the ability to delete shadow volumes using vssadmin.exe delete shadows /all /quiet."
"T1562.001::[Babuk] can stop anti-virus services on a compromised host."
"T1012::[BabyShark] has executed the reg query command for HKEY_CURRENT_USER\\Software\\Microsoft\\Terminal Server Client\\Default."
"T1016::[BabyShark] has executed the ipconfig /all command."
"T1033::[BabyShark] has executed the whoami command."
"T1053.005::[BabyShark] has used scheduled tasks to maintain persistence."
"T1056.001::[BabyShark] has a [PowerShell]-based remote administration ability that can implement a PowerShell or C# based keylogger."
"T1057::[BabyShark] has executed the tasklist command."
"T1059.003::[BabyShark] has used cmd.exe to execute commands."
"T1070.004::[BabyShark] has cleaned up all files associated with the secondary payload execution."
"T1082::[BabyShark] has executed the ver command."
"T1083::[BabyShark] has used dir to search for \"programfiles\" and \"appdata\"."
"T1105::[BabyShark] has downloaded additional files from the C2."
"T1132.001::[BabyShark] has encoded data using [certutil] before exfiltration."
"T1140::[BabyShark] has the ability to decode downloaded files prior to execution."
"T1218.005::[BabyShark] has used mshta.exe to download and execute applications from a remote server."
"T1547.001::[BabyShark] has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence."
"T1027::[BackConfig] has used compressed and decimal encoded VBS scripts."
"T1036.005::[BackConfig] has hidden malicious payloads in %USERPROFILE%\\Adobe\\Driver\\dwg\\ and mimicked the legitimate DHCP service binary."
"T1053.005::[BackConfig] has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host."
"T1059.003::[BackConfig] can download and run batch files to execute commands on a compromised host."
"T1059.005::[BackConfig] has used VBS to install its downloader component and malicious documents with VBA macro code."
"T1070.004::[BackConfig] has the ability to remove files and folders related to previous infections."
"T1071.001::[BackConfig] has the ability to use HTTPS for C2 communiations."
"T1082::[BackConfig] has the ability to gather the victim's computer name."
"T1083::[BackConfig] has the ability to identify folders and files related to previous infections."
"T1105::[BackConfig] can download and execute additional payloads on a compromised host."
"T1106::[BackConfig] can leverage API functions such as ShellExecuteA and HttpOpenRequestA in the process of downloading and executing files."
"T1137.001::[BackConfig] has the ability to use hidden columns in Excel spreadsheets to store executable files or commands for VBA macros."
"T1140::[BackConfig] has used a custom routine to decrypt strings."
"T1204.001::[BackConfig] has compromised victims via links to URLs hosting malicious content."
"T1553.002::[BackConfig] has been signed with self signed digital certificates mimicking a legitimate software company."
"T1564.001::[BackConfig] has the ability to set folders or files to be hidden from the Windows Explorer default view."
"T1016::[Backdoor.Oldrea] collects information about the Internet adapter configuration."
"T1018::[Backdoor.Oldrea] can enumerate and map ICS-specific systems in victim environments."
"T1033::[Backdoor.Oldrea] collects the current username from the victim."
"T1046::[Backdoor.Oldrea] can use a network scanning module to identify ICS-related ports."
"T1055::[Backdoor.Oldrea] injects itself into explorer.exe."
"T1057::[Backdoor.Oldrea] collects information about running processes."
"T1070.004::[Backdoor.Oldrea] contains a cleanup module that removes traces of itself from the victim."
"T1082::[Backdoor.Oldrea] collects information about the OS and computer name."
"T1083::[Backdoor.Oldrea] collects information about available drives, default browser, desktop file list, My Documents, Internet history, program files, and root of available drives. It also searches for ICS-related software files."
"T1087.003::[Backdoor.Oldrea] collects address book information from Outlook."
"T1105::[Backdoor.Oldrea] can download additional modules from C2."
"T1132.001::Some [Backdoor.Oldrea] samples use standard Base64 + bzip2, and some use standard Base64 + reverse XOR + RSA-2048 to decrypt data received from C2 servers."
"T1218.011::[Backdoor.Oldrea] can use rundll32 for execution on compromised hosts."
"T1547.001::[Backdoor.Oldrea] adds Registry Run keys to achieve persistence."
"T1555.003::Some [Backdoor.Oldrea] samples contain a publicly available Web browser password recovery tool."
"T1560::[Backdoor.Oldrea] writes collected data to a temporary file in an encrypted form before exfiltration to a C2 server."
"T1012::[BACKSPACE] is capable of enumerating and making modifications to an infected system's Registry."
"T1041::Adversaries can direct [BACKSPACE] to upload files to the C2 Server."
"T1057::[BACKSPACE] may collect information about running processes."
"T1059.003::Adversaries can direct [BACKSPACE] to execute from the command line on infected hosts, or have [BACKSPACE] create a reverse shell."
"T1071.001::[BACKSPACE] uses HTTP as a transport to communicate with its command server."
"T1082::During its initial execution, [BACKSPACE] extracts operating system information from the infected host."
"T1083::[BACKSPACE] allows adversaries to search for files."
"T1090.001::The \"ZJ\" variant of [BACKSPACE] allows \"ZJ link\" infections with Internet access to relay traffic from \"ZJ listen\" to a command server."
"T1104::[BACKSPACE] attempts to avoid detection by checking a first stage command and control server to determine if it should connect to the second stage server, which performs \"louder\" interactions with the malware."
"T1112::[BACKSPACE] is capable of deleting Registry keys, sub-keys, and values on a victim system."
"T1132.002::Newer variants of [BACKSPACE] will encode C2 communications with a custom system."
"T1547.001::[BACKSPACE] achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory."
"T1547.009::[BACKSPACE] achieves persistence by creating a shortcut to itself in the CSIDL_STARTUP directory."
"T1562.004::The \"ZR\" variant of [BACKSPACE] will check to see if known host-based firewalls are installed on the infected systems. [BACKSPACE] will attempt to establish a C2 channel, then will examine open windows to identify a pop-up from the firewall software and will simulate a mouse-click to allow the connection to proceed."
"T1003.001::[Bad Rabbit] has used [Mimikatz] to harvest credentials from the victim's machine."
"T1036.005::[Bad Rabbit] has masqueraded as a Flash Player installer through the executable file install_flash_player.exe."
"T1053.005::[Bad Rabbit]’s infpub.dat file creates a scheduled task to launch a malicious executable."
"T1057::[Bad Rabbit] can enumerate all running processes to compare hashes."
"T1106::[Bad Rabbit] has used various Windows API calls."
"T1110.003::[Bad Rabbit]’s infpub.dat file uses NTLM login credentials to brute force Windows machines."
"T1135::[Bad Rabbit] enumerates open SMB shares on internal victim networks."
"T1189::[Bad Rabbit] spread through watering holes on popular sites by injecting JavaScript into the HTML body or a .js file."
"T1204.002::[Bad Rabbit] has been executed through user installation of an executable disguised as a flash installer."
"T1210::[Bad Rabbit] used the EternalRomance SMB exploit to spread through victim networks."
"T1218.011::[Bad Rabbit] has used rundll32 to launch a malicious DLL as C:Windowsinfpub.dat."
"T1486::[Bad Rabbit] has encrypted files and disks using AES-128-CBC and RSA-2048."
"T1495::[Bad Rabbit] has used an executable that installs a modified bootloader to prevent normal boot-up."
"T1548.002::[Bad Rabbit] has attempted to bypass UAC and gain elevated administrative privileges."
"T1569.002::[Bad Rabbit] drops a file named infpub.datinto the Windows directory and is executed through SCManager and rundll.exe."
"T1001.003::[BADCALL] uses a FakeTLS method during C2."
"T1016::[BADCALL] collects the network adapter information."
"T1082::[BADCALL] collects the computer name and host name on the compromised system."
"T1090::[BADCALL] functions as a proxy server between the victim and C2 server."
"T1112::[BADCALL] modifies the firewall Registry key SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfileGloballyOpenPorts\\\\List."
"T1562.004::[BADCALL] disables the Windows firewall before binding to a port."
"T1571::[BADCALL] communicates on ports 443 and 8000 with a FakeTLS method."
"T1573.001::[BADCALL] encrypts C2 traffic using an XOR/ADD cipher."
"T1005::[BADFLICK] has uploaded files from victims' machines."
"T1016::[BADFLICK] has captured victim IP address details."
"T1082::[BADFLICK] has captured victim computer name, memory space, and CPU details."
"T1083::[BADFLICK] has searched for files on the infected host."
"T1105::[BADFLICK] has download files from its C2 server."
"T1140::[BADFLICK] can decode shellcode using a custom rotating XOR cipher."
"T1204.002::[BADFLICK] has relied upon users clicking on a malicious attachment delivered through spearphishing."
"T1497.003::[BADFLICK] has delayed communication to the actor-controlled IP address by 5 minutes."
"T1560.002::[BADFLICK] has compressed data using the aPLib compression library."
"T1566.001::[BADFLICK] has been distributed via spearphishing campaigns containing malicious Microsoft Word documents."
"T1005::When it first starts, [BADNEWS] crawls the victim's local drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt."
"T1025::[BADNEWS] copies files with certain extensions from USB devices to\na predefined directory."
"T1036.001::[BADNEWS] is sometimes signed with an invalid Authenticode certificate in an apparent effort to make it look more legitimate."
"T1036.005::[BADNEWS] attempts to hide its payloads using legitimate filenames."
"T1039::When it first starts, [BADNEWS] crawls the victim's mapped drives and collects documents with the following extensions: .doc, .docx, .pdf, .ppt, .pptx, and .txt."
"T1053.005::[BADNEWS] creates a scheduled task to establish by executing a malicious payload every subsequent minute."
"T1055.012::[BADNEWS] has a command to download an .exe and use process hollowing to inject it into a new process."
"T1056.001::When it first starts, [BADNEWS] spawns a new thread to log keystrokes."
"T1059.003::[BADNEWS] is capable of executing commands via cmd.exe."
"T1071.001::[BADNEWS] establishes a backdoor over HTTP."
"T1074.001::[BADNEWS] copies documents under 15MB found on the victim system to is the user's %temp%\\SMB\\ folder. It also copies files from USB devices to a predefined directory."
"T1083::[BADNEWS] identifies files with certain extensions from USB devices, then copies them to a predefined directory."
"T1102.001::[BADNEWS] collects C2 information via a dead drop resolver."
"T1102.002::[BADNEWS] can use multiple C2 channels, including RSS feeds, Github, forums, and blogs."
"T1105::[BADNEWS] is capable of downloading additional files through C2 channels, including a new version of itself."
"T1106::[BADNEWS] has a command to download an .exe and execute it via CreateProcess API. It can also run with ShellExecute."
"T1113::[BADNEWS] has a command to take a screenshot and send it to the C2 server."
"T1119::[BADNEWS] monitors USB devices and copies files with certain extensions to a predefined directory."
"T1120::[BADNEWS] checks for new hard drives on the victim, such as USB devices, by listening for the WM_DEVICECHANGE window message."
"T1132.001::[BADNEWS] encodes C2 traffic with base64."
"T1132::After encrypting C2 data, [BADNEWS] converts it into a hexadecimal representation and then encodes it into base64."
"T1547.001::[BADNEWS] installs a registry Run key to establish persistence."
"T1573.001::[BADNEWS] encrypts C2 data with a ROR by 3 and an XOR by 0x23."
"T1574.002::[BADNEWS] typically loads its DLL file into a legitimate signed Java or VMware executable."
"T1005::[BadPatch] collects files from the local system that have the following extensions, then prepares them for exfiltration: .xls, .xlsx, .pdf, .mdb, .rar, .zip, .doc, .docx."
"T1056.001::[BadPatch] has a keylogging capability."
"T1071.001::[BadPatch] uses HTTP for C2."
"T1071.003::[BadPatch] uses SMTP for C2."
"T1074.001::[BadPatch] stores collected data in log files before exfiltration."
"T1082::[BadPatch] collects the OS system, OS version, MAC address, and the computer name from the victim’s machine."
"T1083::[BadPatch] searches for files with specific file extensions."
"T1105::[BadPatch] can download and execute or update malware."
"T1113::[BadPatch] captures screenshots in .jpg format and then exfiltrates them."
"T1497.001::[BadPatch] attempts to detect if it is being run in a Virtual Machine (VM) using a WMI query for disk drive name, BIOS, and motherboard information."
"T1518.001::[BadPatch] uses WMI to enumerate installed security products in the victim’s environment."
"T1547.001::[BadPatch] establishes a foothold by adding a link to the malware executable in the startup folder."
"T1005::[Bandook] can collect local files from the system ."
"T1016::[Bandook] has a command to get the public IP address from a system."
"T1027.003::[Bandook] has used .PNG images within a zip file to build the executable."
"T1041::[Bandook] can upload files from a victim's machine over the C2 channel."
"T1055.012::[Bandook] has been launched by starting iexplore.exe and replacing it with [Bandook]'s payload."
"T1056.001::[Bandook] contains keylogging capabilities."
"T1059.001::[Bandook] has used PowerShell loaders as part of execution."
"T1059.003::[Bandook] is capable of spawning a Windows command shell."
"T1059.005::[Bandook] has used malicious VBA code against the target system."
"T1059.006::[Bandook] can support commands to execute Python-based payloads."
"T1059::[Bandook] can support commands to execute Java-based payloads."
"T1070.004::[Bandook] has a command to delete a file."
"T1082::[Bandook] can collect information about the drives available on the system."
"T1083::[Bandook] has a command to list files on a system."
"T1095::[Bandook] has a command built in to use a raw TCP socket."
"T1105::[Bandook] can download files to the system."
"T1106::[Bandook] has used the ShellExecuteW() function call."
"T1113::[Bandook] is capable of taking an image of and uploading the current desktop."
"T1120::[Bandook] can detect USB devices."
"T1123::[Bandook] has modules that are capable of capturing audio."
"T1125::[Bandook] has modules that are capable of capturing video from a victim's webcam."
"T1140::[Bandook] has decoded its PowerShell script."
"T1204.002::[Bandook] has used lure documents to convince the user to enable macros."
"T1553.002::[Bandook] was signed with valid Certum certificates."
"T1566.001::[Bandook] is delivered via a malicious Word document inside a zip file."
"T1573.001::[Bandook] has used AES encryption for C2 communication."
"T1001.003::[Bankshot] generates a false TLS handshake using a public certificate to disguise C2 network communications."
"T1005::[Bankshot] collects files from the local system."
"T1012::[Bankshot] searches for certain Registry keys to be configured before executing the payload."
"T1041::[Bankshot] exfiltrates data over its C2 channel."
"T1057::[Bankshot] identifies processes and collects the process ids."
"T1059.003::[Bankshot] uses the command-line interface to execute arbitrary commands."
"T1070.004::[Bankshot] marks files to be deleted upon the next system reboot and uninstalls and removes itself from the system."
"T1070.006::[Bankshot] modifies the time of a file as specified by the control server."
"T1070::[Bankshot] deletes all artifacts associated with the malware from the infected machine."
"T1071.001::[Bankshot] uses HTTP for command and control communication."
"T1082::[Bankshot] gathers system information, network addresses, disk type, disk free space, and the operation system version."
"T1083::[Bankshot] searches for files on the victim's machine."
"T1087.001::[Bankshot] gathers domain and account names/information through process monitoring."
"T1087.002::[Bankshot] gathers domain and account names/information through process monitoring."
"T1105::[Bankshot] uploads files and secondary payloads to the victim's machine."
"T1106::[Bankshot] creates processes using the Windows API calls: CreateProcessA() and CreateProcessAsUserA()."
"T1112::[Bankshot] writes data into the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Pniumj."
"T1119::[Bankshot] recursively generates a list of files within a directory and sends them back to the control server."
"T1132.002::[Bankshot] encodes commands from the control server using a range of characters and gzip."
"T1134.002::[Bankshot] grabs a user token using WTSQueryUserToken and then creates a process by impersonating a logged-on user."
"T1140::[Bankshot] decodes embedded XOR strings."
"T1203::[Bankshot] leverages a known zero-day vulnerability in Adobe Flash to execute the implant into the victims’ machines."
"T1543.003::[Bankshot] can terminate a specific process by its process id."
"T1571::[Bankshot] binds and listens on port 1058 for HTTP traffic while also utilizing a FakeTLS method."
"T1005::[Bazar] can retrieve information from the infected machine."
"T1008::[Bazar] has the ability to use an alternative C2 server if the primary server fails."
"T1012::[Bazar] can query Windows\\CurrentVersion\\Uninstall for installed applications."
"T1016::[Bazar] can collect the IP address and NetBIOS name of an infected machine."
"T1018::[Bazar] can enumerate remote systems using  Net View."
"T1027.002::[Bazar] has a variant with a packed payload."
"T1027.007::[Bazar] can hash then resolve API calls at runtime."
"T1027::[Bazar] has used XOR, RSA2, and RC4 encrypted files."
"T1033::[Bazar] can identify the username of the infected user."
"T1036.004::[Bazar] can create a task named to appear benign."
"T1036.005::The [Bazar] loader has named malicious shortcuts \"adobe\" and mimicked communications software."
"T1036.007::The [Bazar] loader has used dual-extension executable files such as PreviewReport.DOC.exe."
"T1047::[Bazar] can execute a WMI query to gather information about the installed antivirus engine."
"T1053.005::[Bazar] can create a scheduled task for persistence."
"T1055.012::[Bazar] can inject into a target process including Svchost, Explorer, and cmd using process hollowing."
"T1055.013::[Bazar] can inject into a target process using process doppelgänging."
"T1055::[Bazar] can inject code through calling VirtualAllocExNuma."
"T1057::[Bazar] can identity the current process on a compromised host."
"T1059.001::[Bazar] can execute a PowerShell script received from C2."
"T1059.003::[Bazar] can launch cmd.exe to perform reconnaissance commands."
"T1070.004::[Bazar] can delete its loader using a batch file in the Windows temporary folder."
"T1070.009::[Bazar]'s loader can delete scheduled tasks created by a previous instance of the malware."
"T1071.001::[Bazar] can use HTTP and HTTPS over ports 80 and 443 in C2 communications."
"T1082::[Bazar] can fingerprint architecture, computer name, and OS version on the compromised host. [Bazar] can also check if the Russian language is installed on the infected machine and terminate if it is found."
"T1083::[Bazar] can enumerate the victim's desktop."
"T1087.001::[Bazar] can identify administrator accounts on an infected host."
"T1087.002::[Bazar] has the ability to identify domain administrator accounts."
"T1102::[Bazar] downloads have been hosted on Google Docs."
"T1104::The [Bazar] loader is used to download and execute the [Bazar] backdoor."
"T1105::[Bazar] can download and deploy additional payloads, including ransomware and post-exploitation frameworks such as [Cobalt Strike]."
"T1106::[Bazar] can use various APIs to allocate memory and facilitate code execution/injection."
"T1124::[Bazar] can collect the time on the compromised host."
"T1135::[Bazar] can enumerate shared drives on the domain."
"T1140::[Bazar] can decrypt downloaded payloads. [Bazar] also resolves strings and other artifacts at runtime."
"T1197::[Bazar] has been downloaded via Windows BITS functionality."
"T1204.001::[Bazar] can gain execution after a user clicks on a malicious link to decoy landing pages hosted on Google Docs."
"T1482::[Bazar] can use [Nltest] tools to obtain information about the domain."
"T1497.003::[Bazar] can use a timer to delay execution of core functionality."
"T1497::[Bazar] can attempt to overload sandbox analysis by sending 1550 calls to printf."
"T1518.001::[Bazar] can identify the installed antivirus engine."
"T1518::[Bazar] can query the Registry for installed applications."
"T1547.001::[Bazar] can create or add files to Registry Run Keys to establish persistence."
"T1547.004::[Bazar] can use Winlogon Helper DLL to establish persistence."
"T1547.009::[Bazar] can establish persistence by writing shortcuts to the Windows Startup folder."
"T1553.002::[Bazar] has been signed with fake certificates including those appearing to be from VB CORPORATE PTY. LTD."
"T1562.001::[Bazar] has manually loaded ntdll from disk in order to identity and remove API hooks set by security products."
"T1566.002::[Bazar] has been spread via emails with embedded malicious links."
"T1568.002::[Bazar] can implement DGA using the current date as a seed variable."
"T1573.001::[Bazar] can send C2 communications with XOR encryption."
"T1573.002::[Bazar] can use TLS in C2 communications."
"T1614.001::[Bazar] can perform a check to ensure that the operating system's keyboard and language settings are not set to Russian."
"T1027.003::[BBK] can extract a malicious Portable Executable (PE) from a photo."
"T1055::[BBK] has the ability to inject shellcode into svchost.exe."
"T1059.003::[BBK] has the ability to use [cmd] to run a Portable Executable (PE) on the compromised host."
"T1071.001::[BBK] has the ability to use HTTP in communications with C2."
"T1105::[BBK] has the ability to download files from C2 to the infected host."
"T1106::[BBK] has the ability to use the CreatePipe API to add a sub-process for execution via [cmd]."
"T1140::[BBK] has the ability to decrypt AES encrypted payloads."
"T1007::[BBSRAT] can query service configuration information."
"T1055.012::[BBSRAT] has been seen loaded into msiexec.exe through process hollowing to hide its execution."
"T1057::[BBSRAT] can list running processes."
"T1070.004::[BBSRAT] can delete files and directories."
"T1071.001::[BBSRAT] uses GET and POST requests over HTTP or HTTPS for command and control to obtain commands and send ZLIB compressed data back to the C2 server."
"T1083::[BBSRAT] can list file and directory information."
"T1140::[BBSRAT] uses [Expand] to decompress a CAB file into executable content."
"T1543.003::[BBSRAT] can modify service configurations."
"T1546.015::[BBSRAT] has been seen persisting via COM hijacking through replacement of the COM object for MruPidlList {42aedc87-2188-41fd-b9a3-0c966feabec1} or Microsoft WBEM New Event Subsystem {F3130CDB-AA52-4C3A-AB32-85FFC23AF9C1} depending on the system's CPU architecture."
"T1547.001::[BBSRAT] has been loaded through DLL side-loading of a legitimate Citrix executable that is set to persist through the Registry Run key location HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ssonsvr.exe."
"T1560.002::[BBSRAT] can compress data with ZLIB prior to sending it back to the C2 server."
"T1569.002::[BBSRAT] can start, stop, or delete services."
"T1573.001::[BBSRAT] uses a custom encryption algorithm on data sent back to the C2 server over HTTP."
"T1574.002::DLL side-loading has been used to execute [BBSRAT] through a legitimate Citrix executable, ssonsvr.exe. The Citrix executable was dropped along with [BBSRAT] by the dropper."
"T1001.001::[BendyBear] has used byte randomization to obscure its behavior."
"T1012::[BendyBear] can query the host's Registry key at HKEY_CURRENT_USER\\Console\\QuickEdit to retrieve data."
"T1027::[BendyBear] has encrypted payloads using RC4 and XOR."
"T1105::[BendyBear] is designed to download an implant from a C2 server."
"T1106::[BendyBear] can load and execute modules and Windows Application Programming (API) calls using standard shellcode API hashing."
"T1124::[BendyBear] has the ability to determine local time on a compromised host."
"T1140::[BendyBear] has decrypted function blocks using a XOR key during runtime to evade detection."
"T1497.003::[BendyBear] can check for analysis environments and signs of debugging using the Windows API kernel32!GetTickCountKernel32 call."
"T1571::[BendyBear] has used a custom RC4 and XOR encrypted protocol over port 443 for C2."
"T1573.001::[BendyBear] communicates to a C2 server over port 443 using modified RC4 and XOR-encrypted chunks."
"T1008::[BISCUIT] malware contains a secondary fallback command and control server that is contacted after the primary command and control server."
"T1033::[BISCUIT] has a command to gather the username from the system."
"T1056.001::[BISCUIT] can capture keystrokes."
"T1057::[BISCUIT] has a command to enumerate running processes and identify their owners."
"T1059.003::[BISCUIT] has a command to launch a command shell on the system."
"T1082::[BISCUIT] has a command to collect the processor type, operation system, computer name, uptime, and whether the system is a laptop or PC."
"T1105::[BISCUIT] has a command to download a file from the C2 server."
"T1113::[BISCUIT] has a command to periodically take screenshots of the system."
"T1573.002::[BISCUIT] uses SSL for encrypting C2 communications."
"T1005::[Bisonal] has collected information from a compromised host."
"T1012::[Bisonal] has used the RegQueryValueExA function to retrieve proxy information in the Registry."
"T1016::[Bisonal] can execute ipconfig on the victim’s machine."
"T1027.001::[Bisonal] has appended random binary data to the end of itself to generate a large binary."
"T1027.002::[Bisonal] has used the MPRESS packer and similar tools for obfuscation."
"T1027::[Bisonal]'s DLL file and non-malicious decoy file are encrypted with RC4 and some function name strings are obfuscated."
"T1036.005::[Bisonal] has renamed malicious code to `msacm32.dll` to hide within a legitimate library; earlier versions were disguised as `winhelp`."
"T1036::[Bisonal] dropped a decoy payload with a .jpg extension that contained a malicious Visual Basic script."
"T1041::[Bisonal] has added the exfiltrated data to the URL over the C2 channel."
"T1057::[Bisonal] can obtain a list of running processes on the victim’s machine."
"T1059.003::[Bisonal] has launched cmd.exe and used the ShellExecuteW() API function to execute commands on the system."
"T1059.005::[Bisonal]'s dropper creates VBS scripts on the victim’s machine."
"T1070.004::[Bisonal] will delete its dropper and VBS scripts from the victim’s machine."
"T1071.001::[Bisonal] has used HTTP for C2 communications."
"T1082::[Bisonal] has used commands and API calls to gather system information."
"T1083::[Bisonal] can retrieve a file listing from the system."
"T1090::[Bisonal] has supported use of a proxy server."
"T1095::[Bisonal] has used raw sockets for network communication."
"T1105::[Bisonal] has the capability to download files to execute on the victim’s machine."
"T1106::[Bisonal] has used the Windows API to communicate with the Service Control Manager to execute a thread."
"T1112::[Bisonal] has deleted Registry keys to clean up its prior activity."
"T1124::[Bisonal] can check the system time set on the infected host."
"T1132.001::[Bisonal] has encoded binary data with Base64 and ASCII."
"T1137.006::[Bisonal] has been loaded through a `.wll` extension added to the ` %APPDATA%\\microsoft\\word\\startup\\` repository."
"T1140::[Bisonal] has decoded strings in the malware using XOR and RC4."
"T1204.002::[Bisonal] has relied on users to execute malicious file attachments delivered via spearphishing emails."
"T1218.011::[Bisonal] has used rundll32.exe to execute as part of the Registry Run key it adds: HKEY_CURRENT_USER \\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\”vert” = “rundll32.exe c:\\windows\\temp\\pvcu.dll , Qszdez”."
"T1497.003::[Bisonal] has checked if the malware is running in a virtual environment with the anti-debug function GetTickCount() to compare the timing."
"T1497::[Bisonal] can check to determine if the compromised system is running on VMware."
"T1543.003::[Bisonal] has been modified to be used as a Windows service."
"T1547.001::[Bisonal] has added itself to the Registry key HKEY_CURRENT_USER\\Software\\Microsoft\\CurrentVersion\\Run\\ for persistence."
"T1566.001::[Bisonal] has been delivered as malicious email attachments."
"T1568::[Bisonal] has used a dynamic DNS service for C2."
"T1573.001::[Bisonal] variants reported on in 2014 and 2015 used a simple XOR cipher for C2. Some [Bisonal] samples encrypt C2 communications with RC4."
"T1007::[BitPaymer] can enumerate existing Windows services on the host that are configured to run as LocalSystem."
"T1012::[BitPaymer] can use the RegEnumKeyW to iterate through Registry keys."
"T1018::[BitPaymer] can use net view to discover remote systems."
"T1027::[BitPaymer] has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary."
"T1070.006::[BitPaymer] can modify the timestamp of an executable so that it can be identified and restored by the decryption tool."
"T1087.001::[BitPaymer] can enumerate the sessions for each user logged onto the infected host."
"T1106::[BitPaymer] has used dynamic API resolution to avoid identifiable strings within the binary, including RegEnumKeyW."
"T1112::[BitPaymer] can set values in the Registry to help in execution."
"T1134.001::[BitPaymer] can use the tokens of users to create processes on infected systems."
"T1135::[BitPaymer] can search for network shares on the domain or workgroup using net view <host>."
"T1222.001::[BitPaymer] can use icacls /reset and takeown /F to reset a targeted executable's permissions and then take ownership."
"T1480::[BitPaymer] compares file names and paths to a list of excluded names and directory names during encryption."
"T1486::[BitPaymer] can import a hard-coded RSA 1024-bit public key, generate a 128-bit RC4 key for each file, and encrypt the file in place, appending .locked to the filename."
"T1490::[BitPaymer] attempts to remove the backup shadow files from the host using vssadmin.exe Delete Shadows /All /Quiet."
"T1543.003::[BitPaymer] has attempted to install itself as a service to maintain persistence."
"T1547.001::[BitPaymer] has set the run key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run for persistence."
"T1548.002::[BitPaymer] can suppress UAC prompts by setting the HKCU\\Software\\Classes\\ms-settings\\shell\\open\\command registry key on Windows 10 or HKCU\\Software\\Classes\\mscfile\\shell\\open\\command on Windows 7 and launching the eventvwr.msc process, which launches [BitPaymer] with elevated privileges."
"T1564.004::[BitPaymer] has copied itself to the :bin alternate data stream of a newly created file."
"T1057::[BLACKCOFFEE] has the capability to discover processes."
"T1059.003::[BLACKCOFFEE] has the capability to create a reverse shell."
"T1070.004::[BLACKCOFFEE] has the capability to delete files."
"T1083::[BLACKCOFFEE] has the capability to enumerate files."
"T1102.001::[BLACKCOFFEE] uses Microsoft’s TechNet Web portal to obtain a dead drop resolver containing an encoded tag with the IP address of a command and control server."
"T1102.002::[BLACKCOFFEE] has also obfuscated its C2 traffic as normal traffic to sites such as Github."
"T1104::[BLACKCOFFEE] uses Microsoft’s TechNet Web portal to obtain an encoded tag containing the IP address of a command and control server and then communicates separately with that IP address for C2. If the C2 server is discovered or shut down, the threat actors can update the encoded IP address on TechNet to maintain control of the victims’ machines."
"T1008::[BlackEnergy] has the capability to communicate over a backup channel via plus.google.com."
"T1016::[BlackEnergy] has gathered information about network IP configurations using [ipconfig].exe and about routing tables using [route].exe."
"T1021.002::[BlackEnergy] has run a plug-in on a victim to spread through the local network by using [PsExec] and accessing admin shares."
"T1046::[BlackEnergy] has conducted port scans on a host."
"T1047::A [BlackEnergy] 2 plug-in uses WMI to gather victim host details."
"T1049::[BlackEnergy] has gathered information about local network connections using [netstat]."
"T1055.001::[BlackEnergy] injects its DLL component into svchost.exe."
"T1056.001::[BlackEnergy] has run a keylogger plug-in on a victim."
"T1057::[BlackEnergy] has gathered a process list by using [Tasklist].exe."
"T1070.001::The [BlackEnergy] component KillDisk is capable of deleting Windows Event Logs."
"T1070::[BlackEnergy] has removed the watermark associated with enabling the TESTSIGNING boot configuration option by removing the relevant strings in the user32.dll.mui of the system."
"T1071.001::[BlackEnergy] communicates with its C2 server over HTTP."
"T1082::[BlackEnergy] has used [Systeminfo] to gather the OS version, as well as information on the system configuration, BIOS, the motherboard, and the processor."
"T1083::[BlackEnergy] gathers a list of installed apps from the uninstall program Registry. It also gathers registered mail, browser, and instant messaging clients from the Registry. [BlackEnergy] has searched for given file types."
"T1113::[BlackEnergy] is capable of taking screenshots."
"T1120::[BlackEnergy] can gather very specific information about attached USB devices, to include device instance ID and drive geometry."
"T1485::[BlackEnergy] 2 contains a \"Destroy\" plug-in that destroys data stored on victim hard drives by overwriting file contents."
"T1543.003::One variant of [BlackEnergy] creates a new service using either a hard-coded or randomly generated name."
"T1547.001::The [BlackEnergy] 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder."
"T1547.009::The [BlackEnergy] 3 variant drops its main DLL component and then creates a .lnk shortcut to that file in the startup folder."
"T1548.002::[BlackEnergy] attempts to bypass default User Access Control (UAC) settings by exploiting a backward-compatibility setting found in Windows 7 and later."
"T1552.001::[BlackEnergy] has used a plug-in to gather credentials stored in files on the host by various software programs, including The Bat! email client, Outlook, and Windows Credential Store."
"T1553.006::[BlackEnergy] has enabled the TESTSIGNING boot configuration option to facilitate loading of a driver component."
"T1555.003::[BlackEnergy] has used a plug-in to gather credentials from web browsers including FireFox, Google Chrome, and Internet Explorer."
"T1574.010::One variant of [BlackEnergy] locates existing driver services that have been disabled and drops its driver component into one of those service's paths, replacing the legitimate executable. The malware then sets the hijacked service to start automatically to establish persistence."
"T1005::[BlackMould] can copy files on a compromised host."
"T1059.003::[BlackMould] can run cmd.exe with parameters."
"T1071.001::[BlackMould] can send commands to C2 in the body of HTTP POST requests."
"T1082::[BlackMould] can enumerate local drives on a compromised host."
"T1083::[BlackMould] has the ability to find files on the targeted system."
"T1105::[BlackMould] has the ability to download files to the victim's machine."
"T1005::[BLINDINGCAN] has uploaded files from victim machines."
"T1016::[BLINDINGCAN] has collected the victim machine's local IP address information and MAC address."
"T1027.002::[BLINDINGCAN] has been packed with the UPX packer."
"T1027::[BLINDINGCAN] has obfuscated code using Base64 encoding."
"T1036.005::[BLINDINGCAN] has attempted to hide its payload by using legitimate file names such as \"iconcache.db\"."
"T1041::[BLINDINGCAN] has sent user and system information to a C2 server via HTTP POST requests."
"T1059.003::[BLINDINGCAN] has executed commands via cmd.exe."
"T1070.004::[BLINDINGCAN] has deleted itself and associated artifacts from victim machines."
"T1070.006::[BLINDINGCAN] has modified file and directory timestamps."
"T1071.001::[BLINDINGCAN] has used HTTPS over port 443 for command and control."
"T1082::[BLINDINGCAN] has collected from a victim machine the system name, processor information, OS version, and disk information, including type and free space available."
"T1083::[BLINDINGCAN] can search, read, write, move, and execute files."
"T1105::[BLINDINGCAN] has downloaded files to a victim machine."
"T1129::[BLINDINGCAN] has loaded and executed DLLs in memory during runtime on a victim machine."
"T1132.001::[BLINDINGCAN] has encoded its C2 traffic with Base64."
"T1140::[BLINDINGCAN] has used AES and XOR to decrypt its DLLs."
"T1204.002::[BLINDINGCAN] has lured victims into executing malicious macros embedded within Microsoft Office documents."
"T1218.011::[BLINDINGCAN] has used Rundll32 to load a malicious DLL."
"T1553.002::[BLINDINGCAN] has been signed with code-signing certificates such as CodeRipper."
"T1566.001::[BLINDINGCAN] has been delivered by phishing emails containing malicious Microsoft Office documents."
"T1573.001::[BLINDINGCAN] has encrypted its C2 traffic with RC4."
"T1016::[BLUELIGHT] can collect IP information from the victim’s machine."
"T1027::[BLUELIGHT] has a XOR-encoded payload."
"T1033::[BLUELIGHT] can collect the username on a compromised host."
"T1041::[BLUELIGHT] has exfiltrated data over its C2 channel."
"T1057::[BLUELIGHT] can collect process filenames and SID authority level."
"T1070.004::[BLUELIGHT] can uninstall itself."
"T1071.001::[BLUELIGHT] can use HTTP/S for C2 using the Microsoft Graph API."
"T1082::[BLUELIGHT] has collected the computer name and OS version from victim machines."
"T1083::[BLUELIGHT] can enumerate files and collect associated metadata."
"T1102.002::[BLUELIGHT] can use different cloud providers for its C2."
"T1105::[BLUELIGHT] can download additional files onto the host."
"T1113::[BLUELIGHT] has captured a screenshot of the display every 30 seconds for the first 5 minutes after initiating a C2 loop, and then once every five minutes thereafter."
"T1124::[BLUELIGHT] can collect the local time on a compromised host."
"T1497.001::[BLUELIGHT] can check to see if the infected machine has VM tools running."
"T1518.001::[BLUELIGHT] can collect a list of anti-virus products installed on a machine."
"T1539::[BLUELIGHT] can harvest cookies from Internet Explorer, Edge, Chrome, and Naver Whale browsers."
"T1555.003::[BLUELIGHT] can collect passwords stored in web browers, including Internet Explorer, Edge, Chrome, and Naver Whale."
"T1560.003::[BLUELIGHT] has encoded data into a binary blob using XOR."
"T1560::[BLUELIGHT] can zip files before exfiltration."
"T1016::[Bonadan] can find the external IP address of the infected host."
"T1033::[Bonadan] has discovered the username of the user running the backdoor."
"T1057::[Bonadan] can use the ps command to discover other cryptocurrency miners active on the system."
"T1059::[Bonadan] can create bind and reverse shells on the infected system."
"T1082::[Bonadan] has discovered the OS version, CPU model, and RAM size of the system it has been installed on."
"T1105::[Bonadan] can download additional modules from the C2 server."
"T1496::[Bonadan] can download an additional module which has a cryptocurrency mining extension."
"T1554::[Bonadan] has maliciously altered the OpenSSH binary on targeted systems to create a backdoor."
"T1573.001::[Bonadan] can XOR-encrypt C2 communications."
"T1053.005::[BONDUPDATER] persists using a scheduled task that executes every minute."
"T1059.001::[BONDUPDATER] is written in PowerShell."
"T1059.003::[BONDUPDATER] can read batch commands in a file sent from its C2 server and execute them with cmd.exe."
"T1071.004::[BONDUPDATER] can use DNS and TXT records within its DNS tunneling protocol for command and control."
"T1105::[BONDUPDATER] can download or upload files from its C2 server."
"T1564.003::[BONDUPDATER] uses -windowstyle hidden to conceal a [PowerShell] window that downloads a payload."
"T1568.002::[BONDUPDATER] uses a DGA to communicate with command and control servers."
"T1027::[BoomBox] can encrypt data using AES prior to exfiltration."
"T1033::[BoomBox] can enumerate the username on a compromised host."
"T1036::[BoomBox] has the ability to mask malicious data strings as PDF files."
"T1071.001::[BoomBox] has used HTTP POST requests for C2."
"T1082::[BoomBox] can enumerate the hostname, domain, and IP of a compromised host."
"T1083::[BoomBox] can search for specific files and directories on a machine."
"T1087.002::[BoomBox] has the ability to execute an LDAP query to enumerate the distinguished name, SAM account name, and display name for all domain users."
"T1087.003::[BoomBox] can execute an LDAP query to discover e-mail accounts for domain users."
"T1102::[BoomBox] can download files from Dropbox using a hardcoded access token."
"T1105::[BoomBox] has the ability to download next stage malware components to a compromised system."
"T1140::[BoomBox] can decrypt AES-encrypted files downloaded from C2."
"T1204.002::[BoomBox] has gained execution through user interaction with a malicious file."
"T1218.011::[BoomBox] can use RunDLL32 for execution."
"T1480::[BoomBox] can check its current working directory and for the presence of a specific file and terminate if specific values are not found."
"T1547.001::[BoomBox] can establish persistence by writing the Registry value MicroNativeCacheSvc to HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."
"T1567.002::[BoomBox] can upload data to dedicated per-victim folders in Dropbox."
"T1027::[BOOSTWRITE] has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection."
"T1129::[BOOSTWRITE] has used the DWriteCreateFactory() function to load additional modules."
"T1140::[BOOSTWRITE] has used a a 32-byte long multi-XOR key to decode data inside its payload."
"T1553.002::[BOOSTWRITE] has been signed by a valid CA."
"T1574.001::[BOOSTWRITE] has exploited the loading of the legitimate Dwrite.dll file by actually loading the gdi library, which then loads the gdiplus library and ultimately loads the local Dwrite dll."
"T1542.003::[BOOTRASH] is a Volume Boot Record (VBR) bootkit that uses the VBR to maintain persistence."
"T1564.005::[BOOTRASH] has used unallocated disk space between partitions for a hidden file system that stores components of the Nemesis bootkit."
"T1005::[BoxCaon] can upload files from a compromised host."
"T1016::[BoxCaon] can collect the victim's MAC address by using the GetAdaptersInfo API."
"T1027::[BoxCaon] used the \"StackStrings\" obfuscation technique to hide malicious functionalities."
"T1041::[BoxCaon] uploads files and data from a compromised host over the existing C2 channel."
"T1059.003::[BoxCaon] can execute arbitrary commands and utilize the \"ComSpec\" environment variable."
"T1074.001::[BoxCaon] has created a working folder for collected files that it sends to the C2 server."
"T1083::[BoxCaon] has searched for files on the system, such as documents located in the desktop folder."
"T1102.002::[BoxCaon] has used DropBox for C2 communications."
"T1105::[BoxCaon] can download files."
"T1106::[BoxCaon] has used Windows API calls to obtain information about the compromised host."
"T1547::[BoxCaon] established persistence by setting the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load registry key to point to its executable."
"T1567.002::[BoxCaon] has the capability to download folders' contents on the system and upload the results back to its Dropbox drive."
"T1012::[Brave Prince] gathers information about the Registry."
"T1016::[Brave Prince] gathers network configuration information as well as the ARP cache."
"T1048.003::Some [Brave Prince] variants have used South  Korea's Daum email service to exfiltrate information, and later variants have posted the data to a web server via an HTTP post command."
"T1057::[Brave Prince] lists the running processes."
"T1082::[Brave Prince] collects hard drive content and system configuration information."
"T1083::[Brave Prince] gathers file and directory information from the victim’s machine."
"T1562.001::[Brave Prince] terminates antimalware processes."
"T1105::[Briba] downloads files onto infected hosts."
"T1218.011::[Briba] uses rundll32 within [Registry Run Keys / Startup Folder] entries to execute malicious DLLs."
"T1543.003::[Briba] installs a service pointing to a malicious DLL dropped to disk."
"T1547.001::[Briba] creates run key Registry entries pointing to malicious DLLs dropped to disk."
"T1132.001::[BS2005] uses Base64 encoding for communication in the message body of an HTTP request."
"T1071.001::[BUBBLEWRAP] can communicate using HTTP or HTTPS."
"T1082::[BUBBLEWRAP] collects system information, including the operating system version and hostname."
"T1095::[BUBBLEWRAP] can communicate using SOCKS."
"T1005::[Bumblebee] can capture and compress stolen credentials from the Registry and volume shadow copies."
"T1008::[Bumblebee] can use backup C2 servers if the primary server fails."
"T1012::[Bumblebee] can check the Registry for specific keys."
"T1027::[Bumblebee] has been delivered as password-protected zipped ISO files and used control-flow-flattening to obfuscate the flow of functions."
"T1033::[Bumblebee] has the ability to identify the user name."
"T1036.005::[Bumblebee] has named component DLLs \"RapportGP.dll\" to match those used by the security company Trusteer."
"T1041::[Bumblebee] can send collected data in JSON format to C2."
"T1047::[Bumblebee] can use WMI to gather system information and to spawn processes for code injection."
"T1053.005::[Bumblebee] can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that will load the DLL via a scheduled task."
"T1055.001::The [Bumblebee] loader can support the `Dij` command which gives it the ability to inject DLLs into the memory of other processes."
"T1055.004::[Bumblebee] can use asynchronous procedure call (APC) injection to execute commands received from C2."
"T1055::[Bumblebee] can inject code into multiple processes on infected endpoints."
"T1057::[Bumblebee] can identify processes associated with analytical tools."
"T1059.001::[Bumblebee] can use PowerShell for execution."
"T1059.003::[Bumblebee] can use `cmd.exe` to drop and run files."
"T1059.005::[Bumblebee] can create a Visual Basic script to enable persistence."
"T1070.004::[Bumblebee] can uninstall its loader through the use of a `Sdl` command."
"T1082::[Bumblebee] can enumerate the OS version and domain on a targeted system."
"T1102::[Bumblebee] has been downloaded to victim's machines from OneDrive."
"T1105::[Bumblebee] can download and execute additional payloads including through the use of a `Dex` command."
"T1106::[Bumblebee] can use multiple Native APIs."
"T1129::[Bumblebee] can use `LoadLibrary` to attempt to execute GdiPlus.dll."
"T1132.001::[Bumblebee] has the ability to base64 encode C2 server responses."
"T1140::[Bumblebee] can deobfuscate C2 server responses and unpack its code on targeted hosts."
"T1204.001::[Bumblebee] has relied upon a user downloading a file from a OneDrive link for execution."
"T1204.002::[Bumblebee] has relied upon a user opening an ISO file to enable execution of malicious shortcut files and DLLs."
"T1218.008::[Bumblebee] can use `odbcconf.exe` to run DLLs on targeted hosts."
"T1218.011::[Bumblebee] has used `rundll32` for execution of the loader component."
"T1497.001::[Bumblebee] has the ability to search for designated file paths and Registry keys that indicate a virtualized environment from multiple products."
"T1497.003::[Bumblebee] has the ability to set a hardcoded and randomized sleep interval."
"T1497::[Bumblebee] has the ability to perform anti-virtualization checks."
"T1518.001::[Bumblebee] can identify specific analytical tools based on running processes."
"T1548.002::[Bumblebee] has the ability to bypass UAC to deploy post exploitation tools with elevated privileges."
"T1559.001::[Bumblebee] can use a COM object to execute queries to gather system information."
"T1560::[Bumblebee] can compress data stolen from the Registry and volume shadow copies prior to exfiltration."
"T1566.001::[Bumblebee] has gained execution through luring users into opening malicious attachments."
"T1566.002::[Bumblebee] has been spread through e-mail campaigns with malicious links."
"T1573.001::[Bumblebee] can encrypt C2 requests and responses with RC4"
"T1622::[Bumblebee] can search for tools used in static analysis."
"T1027::[Bundlore] has obfuscated data with base64, AES, RC4, and bz2."
"T1036.005::[Bundlore] has disguised a malicious .app file as a Flash Player update."
"T1048::[Bundlore] uses the curl -s -L -o command to exfiltrate archived data to a URL."
"T1056.002::[Bundlore] prompts the user for their credentials."
"T1057::[Bundlore] has used the ps command to list processes."
"T1059.002::[Bundlore] can use AppleScript to inject malicious JavaScript into a browser."
"T1059.004::[Bundlore] has leveraged /bin/sh and /bin/bash to execute commands on the victim machine."
"T1059.006::[Bundlore] has used Python scripts to execute payloads."
"T1059.007::[Bundlore] can execute JavaScript by injecting it into the victim's browser."
"T1071.001::[Bundlore] uses HTTP requests for C2."
"T1082::[Bundlore] will enumerate the macOS version to determine which follow-on behaviors to execute using /usr/bin/sw_vers -productVersion."
"T1098.004::[Bundlore] creates a new key pair with ssh-keygen and drops the newly created user key in authorized_keys to enable remote login."
"T1105::[Bundlore] can download and execute new versions of itself."
"T1140::[Bundlore] has used openssl to decrypt AES encrypted payload data. [Bundlore] has also used base64 and RC4 with a hardcoded key to deobfuscate data."
"T1176::[Bundlore] can install malicious browser extensions that are used to hijack user searches."
"T1189::[Bundlore] has been spread through malicious advertisements on websites."
"T1204.002::[Bundlore] has attempted to get users to execute a malicious .app file that looks like a Flash Player update."
"T1222.002::[Bundlore] changes the permissions of a payload using the command chmod -R 755."
"T1518::[Bundlore] has the ability to enumerate what browser is being used as well as version information for Safari."
"T1543.001::[Bundlore] can persist via a LaunchAgent."
"T1543.004::[Bundlore] can persist via a LaunchDaemon."
"T1562.001::[Bundlore] can change browser security settings to enable extensions to be installed. [Bundlore] uses the pkill cfprefsd command to prevent users from inspecting processes."
"T1564::[Bundlore] uses the mktemp utility to make unique file and directory names for payloads, such as TMP_DIR=`mktemp -d -t x."
"T1057::[CaddyWiper] can obtain a list of current processes."
"T1082::[CaddyWiper] can use `DsRoleGetPrimaryDomainInformation` to determine the role of the infected machine. [CaddyWiper] can also halt execution if the compromised host is identified as a domain controller."
"T1083::[CaddyWiper] can enumerate all files and directories on a compromised host."
"T1106::[CaddyWiper] has the ability to dynamically resolve and use APIs, including `SeTakeOwnershipPrivilege`."
"T1222.001::[CaddyWiper] can modify ACL entries to take ownership of files."
"T1485::[CaddyWiper] can work alphabetically through drives on a compromised system to take ownership of and overwrite all files."
"T1561.002::[CaddyWiper] has the ability to destroy information about a physical drive's partitions including the MBR, GPT, and partition entries."
"T1010::[Cadelspy] has the ability to identify open windows on the compromised host."
"T1056.001::[Cadelspy] has the ability to log keystrokes on the compromised host."
"T1082::[Cadelspy] has the ability to discover information about the compromised host."
"T1113::[Cadelspy] has the ability to capture screenshots and webcam photos."
"T1115::[Cadelspy] has the ability to steal data from the clipboard."
"T1120::[Cadelspy] has the ability to steal information about printers and the documents sent to printers."
"T1123::[Cadelspy] has the ability to record audio from the compromised host."
"T1560::[Cadelspy] has the ability to compress stolen data into a .cab file."
"T1059.003::[CALENDAR] has a command to run cmd.exe to execute commands."
"T1102.002::The [CALENDAR] malware communicates through the use of events in Google Calendar."
"T1005::[Calisto] can collect data from user directories."
"T1016::[Calisto] runs the ifconfig command to obtain the IP address from the victim’s machine."
"T1036.005::[Calisto]'s installation file is an unsigned DMG image under the guise of Intego’s security solution for mac."
"T1056.002::[Calisto] presents an input prompt asking for the user's login and password."
"T1070.004::[Calisto] has the capability to use rm -rf to remove folders and files from the victim's machine."
"T1074.001::[Calisto] uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration."
"T1098::[Calisto] adds permissions and remote logins to all users."
"T1105::[Calisto] has the capability to upload and download files to the victim's machine."
"T1136.001::[Calisto] has the capability to add its own account to the victim's machine."
"T1217::[Calisto] collects information on bookmarks from Google Chrome."
"T1543.001::[Calisto] adds a .plist file to the /Library/LaunchAgents folder to maintain persistence."
"T1555.001::[Calisto] collects Keychain storage data and copies those passwords/tokens to a file."
"T1560.001::[Calisto] uses the zip -r command to compress the data collected on the local system."
"T1564.001::[Calisto] uses a hidden directory named .calisto to store data from the victim’s machine before exfiltration."
"T1569.001::[Calisto] uses launchctl to enable screen sharing on the victim’s machine."
"T1041::[CallMe] exfiltrates data to its C2 server over the same protocol as C2 communications."
"T1059.004::[CallMe] has the capability to create a reverse shell on victims."
"T1105::[CallMe] has the capability to download a file to the victim from the C2 server."
"T1573.001::[CallMe] uses AES to encrypt C2 traffic."
"T1033::[Cannon] can gather the username from the system."
"T1041::[Cannon] exfiltrates collected data over email via SMTP/S and POP3/S C2 channels."
"T1057::[Cannon] can obtain a list of processes running on the system."
"T1071.003::[Cannon] uses SMTP/S and POP3/S for C2 communications by sending and receiving emails."
"T1082::[Cannon] can gather system information from the victim’s machine such as the OS version, machine name, and drive information."
"T1083::[Cannon] can obtain victim drive information as well as a list of folders in C:\\Program Files."
"T1105::[Cannon] can download a payload for execution."
"T1113::[Cannon] can take a screenshot of the desktop."
"T1124::[Cannon] can collect the current time zone information from the victim’s machine."
"T1547.004::[Cannon] adds the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon to establish persistence."
"T1036.004::[Carbanak] has copied legitimate service names to use for malicious services."
"T1036.005::[Carbanak] has named malware \"svchost.exe,\" which is the name of the Windows shared service host program."
"T1078::[Carbanak] actors used legitimate credentials of banking employees to perform operations that sent them millions of dollars."
"T1102.002::[Carbanak] has used a VBScript named \"ggldr\" that uses Google Apps Script, Sheets, and Forms services for C2."
"T1218.011::[Carbanak] installs VNC server software that executes through rundll32."
"T1219::[Carbanak] used legitimate programs such as AmmyyAdmin and Team Viewer for remote interactive C2 to target systems."
"T1543.003::[Carbanak] malware installs itself as a service to provide persistence and SYSTEM privileges."
"T1562.004::[Carbanak] may use [netsh] to add local firewall rule exceptions."
"T1588.002::[Carbanak] has obtained and used open-source tools such as [PsExec] and [Mimikatz]."
"T1012::[Carberp] has searched the Image File Execution Options registry key for \"Debugger\" within every subkey."
"T1014::[Carberp] has used user mode rootkit techniques to remain hidden on the system."
"T1021.005::[Carberp] can start a remote VNC session by downloading a new plugin."
"T1027::[Carberp] has used XOR-based encryption to mask C2 server locations within the trojan."
"T1036.005::[Carberp] has masqueraded as Windows system file names, as well as \"chkntfs.exe\" and \"syscron.exe\"."
"T1041::[Carberp] has exfiltrated data via HTTP to already established C2 servers."
"T1055.001::[Carberp]'s bootkit can inject a malicious DLL into the address space of running processes."
"T1055.004::[Carberp] has queued an APC routine to explorer.exe by calling ZwQueueApcThread."
"T1056.004::[Carberp] has hooked several Windows API functions to steal credentials."
"T1057::[Carberp] has collected a list of running processes."
"T1068::[Carberp] has exploited multiple Windows vulnerabilities (CVE-2010-2743, CVE-2010-3338, CVE-2010-4398, CVE-2008-1084) and a .NET Runtime Optimization vulnerability for privilege escalation."
"T1071.001::[Carberp] has connected to C2 servers via HTTP."
"T1082::[Carberp] has collected the operating system version from the infected system."
"T1105::[Carberp] can download and execute new plugins from the C2 server."
"T1106::[Carberp] has used the NtQueryDirectoryFile and ZwQueryDirectoryFile functions to hide files and directories."
"T1113::[Carberp] can capture display screenshots with the screens_dll.dll plugin."
"T1185::[Carberp] has captured credentials when a user performs login through a SSL session."
"T1497::[Carberp] has removed various hooks before installing the trojan or bootkit to evade sandbox analysis or other analysis software."
"T1518.001::[Carberp] has queried the infected system's registry searching for specific registry keys associated with antivirus products."
"T1542.003::[Carberp] has installed a bootkit on the system to maintain persistence."
"T1547.001::[Carberp] has maintained persistence by placing itself inside the current user's startup folder."
"T1555.003::[Carberp]'s passw.plug plugin can gather passwords saved in Opera, Internet Explorer, Safari, Firefox, and Chrome."
"T1555::[Carberp]'s passw.plug plugin can gather account information from multiple instant messaging, email, and social media services, as well as FTP, VNC, and VPN clients."
"T1562.001::[Carberp] has attempted to disable security software by creating a suspended process for the security software and injecting code to delete antivirus core files when the process is resumed."
"T1564.001::[Carberp] has created a hidden file in the Startup folder of the current user."
"T1012::[Carbon] enumerates values in the Registry."
"T1016::[Carbon] can collect the IP address of the victims and other computers on the network using the commands: ipconfig -all nbtstat -n, and nbtstat -s."
"T1018::[Carbon] uses the net view command."
"T1027::[Carbon] encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm."
"T1048.003::[Carbon] uses HTTP to send data to the C2 server."
"T1049::[Carbon] uses the netstat -r and netstat -an commands."
"T1053.005::[Carbon] creates several tasks for later execution to continue persistence on the victim’s machine."
"T1055.001::[Carbon] has a command to inject code into a process."
"T1057::[Carbon] can list the processes on the victim’s machine."
"T1069::[Carbon] uses the net group command."
"T1071.001::[Carbon] can use HTTP in C2 communications."
"T1074.001::[Carbon] creates a base directory that contains the files and folders that are collected."
"T1095::[Carbon] uses TCP and UDP for C2."
"T1102::[Carbon] can use Pastebin to receive C2 commands."
"T1124::[Carbon] uses the command net time \\\\127.0.0.1 to get information the system’s time."
"T1140::[Carbon] decrypts task and configuration files for execution."
"T1543.003::[Carbon] establishes persistence by creating a service and naming it based off the operating system version running on the current machine."
"T1573.002::[Carbon] has used RSA encryption for C2 communications."
"T1008::[Cardinal RAT] can communicate over multiple C2 host and port combinations."
"T1012::[Cardinal RAT] contains watchdog functionality that periodically ensures HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load is set to point to its executable."
"T1027.004::[Cardinal RAT] and its watchdog component are compiled and executed after being delivered to victims as embedded, uncompiled source code."
"T1027::[Cardinal RAT] encodes many of its artifacts and is encrypted (AES-128) when downloaded."
"T1033::[Cardinal RAT] can collect the username from a victim machine."
"T1055::[Cardinal RAT] injects into a newly spawned process created from a native Windows executable."
"T1056.001::[Cardinal RAT] can log keystrokes."
"T1057::[Cardinal RAT] contains watchdog functionality that ensures its process is always running, else spawns a new instance."
"T1059.003::[Cardinal RAT] can execute commands."
"T1070.004::[Cardinal RAT] can uninstall itself, including deleting its executable."
"T1071.001::[Cardinal RAT] is downloaded using HTTP over port 443."
"T1082::[Cardinal RAT] can collect the hostname, Microsoft Windows version, and processor architecture from a victim machine."
"T1083::[Cardinal RAT] checks its current working directory upon execution and also contains watchdog functionality that ensures its executable is located in the correct path (else it will rewrite the payload)."
"T1090::[Cardinal RAT] can act as a reverse proxy."
"T1105::[Cardinal RAT] can download and execute additional payloads."
"T1112::[Cardinal RAT] sets HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load to point to its executable."
"T1113::[Cardinal RAT] can capture screenshots."
"T1140::[Cardinal RAT] decodes many of its artifacts and is decrypted (AES-128) after being downloaded."
"T1204.002::[Cardinal RAT] lures victims into executing malicious macros embedded within Microsoft Excel documents."
"T1547.001::[Cardinal RAT] establishes Persistence by setting the  HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\Load Registry key to point to its executable."
"T1560.002::[Cardinal RAT] applies compression to C2 traffic using the ZLIB library."
"T1573.001::[Cardinal RAT] uses a secret key with a series of XOR and addition operations to encrypt C2 traffic."
"T1027::[CARROTBAT] has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host."
"T1059.003::[CARROTBAT] has the ability to execute command line arguments on a compromised host."
"T1070.004::[CARROTBAT] has the ability to delete downloaded files from a compromised host."
"T1082::[CARROTBAT] has the ability to determine the operating system of the compromised host and whether Windows is being run with x86 or x64 architecture."
"T1105::[CARROTBAT] has the ability to download and execute a remote file via [certutil]."
"T1010::[Catchamas] obtains application windows titles and then determines which windows to perform [Screen Capture] on."
"T1016::[Catchamas] gathers the Mac address, IP address, and the network adapter information from the victim’s machine."
"T1036.004::[Catchamas] adds a new service named NetAdapter in an apparent attempt to masquerade as a legitimate service."
"T1056.001::[Catchamas] collects keystrokes from the victim’s machine."
"T1074.001::[Catchamas] stores the gathered data from the machine in .db files and .bmp files under four separate locations."
"T1112::[Catchamas] creates three Registry keys to establish persistence by adding a [Windows Service]."
"T1113::[Catchamas] captures screenshots based on specific keywords in the window’s title."
"T1115::[Catchamas] steals data stored in the clipboard."
"T1543.003::[Catchamas] adds a new service named NetAdapter to establish persistence."
"T1005::[Caterpillar WebShell] has a module to collect information from the local database."
"T1007::[Caterpillar WebShell] can obtain a list of the services from a system."
"T1014::[Caterpillar WebShell] has a module to use a rootkit on a system."
"T1016::[Caterpillar WebShell] can gather the IP address from the victim's machine using the IP config command."
"T1033::[Caterpillar WebShell] can obtain a list of user accounts from a victim's machine."
"T1041::[Caterpillar WebShell] can upload files over the C2 channel."
"T1046::[Caterpillar WebShell] has a module to use a port scanner on a system."
"T1057::[Caterpillar WebShell] can gather a list of processes running on the machine."
"T1059.003::[Caterpillar WebShell] can run commands on the compromised asset with CMD functions."
"T1069.001::[Caterpillar WebShell] can obtain a list of local groups of users from a system."
"T1082::[Caterpillar WebShell] has a module to gather information from the compromrised asset, including the computer version, computer name, IIS version, and more."
"T1083::[Caterpillar WebShell] can search for files in directories."
"T1105::[Caterpillar WebShell] has a module to download and upload files to the system."
"T1110::[Caterpillar WebShell] has a module to perform brute force attacks on a system."
"T1112::[Caterpillar WebShell] has a command to modify a Registry key."
"T1195.002::[CCBkdr] was added to a legitimate, signed version 5.33 of the CCleaner software and distributed on CCleaner's distribution site."
"T1568.002::[CCBkdr] can use a DGA for [Fallback Channels] if communications with the primary command and control server are lost."
"T1005::[ccf32] can collect files from a compromised host."
"T1048.003::[ccf32] can upload collected data and files to an FTP server."
"T1053.005::[ccf32] can run on a daily basis using a scheduled task."
"T1059.003::[ccf32] has used `cmd.exe` for archiving data and deleting files."
"T1070.004::[ccf32] can delete files and folders from compromised machines."
"T1074.001::[ccf32] can temporarily store files in a hidden directory on the local host."
"T1074.002::[ccf32] has copied files to a remote machine infected with [Chinoxy] or another backdoor."
"T1083::[ccf32] can parse collected files to identify specific file extensions."
"T1119::[ccf32] can be used to automatically collect files from a compromised host."
"T1124::[ccf32] can determine the local time on targeted machines."
"T1560.001::[ccf32] has used `xcopy \\\\<target_host>\\c$\\users\\public\\path.7z c:\\users\\public\\bin\\<target_host>.7z /H /Y` to archive collected files."
"T1564.001::[ccf32] has created a hidden directory on targeted systems, naming it after the current local time (year, month, and day)."
"T1033::[Chaes] has collected the username and UID from the infected machine."
"T1036.005::[Chaes] has used an unsigned, crafted DLL module named hha.dll that was designed to look like a legitimate 32-bit Windows DLL."
"T1048::[Chaes] has exfiltrated its collected data from the infected machine to the C2, sometimes using the MIME protocol."
"T1056::[Chaes] has a module to perform any API hooking it desires."
"T1059.003::[Chaes] has used [cmd] to execute tasks on the system."
"T1059.005::[Chaes] has used VBscript to execute malicious code."
"T1059.006::[Chaes] has used Python scripts for execution and the installation of additional files."
"T1059.007::[Chaes] has used JavaScript and Node.Js information stealer script that exfiltrates data using the node process."
"T1071.001::[Chaes] has used HTTP for C2 communications."
"T1082::[Chaes] has collected system information, including the machine name and OS version."
"T1105::[Chaes] can download additional files onto an infected machine."
"T1106::[Chaes] used the CreateFileW() API function with read permissions to access downloaded payloads."
"T1112::[Chaes] stored its instructions in a config file in the Registry."
"T1113::[Chaes] can capture screenshots of the infected machine."
"T1132.001::[Chaes] has used Base64 to encode C2 communications."
"T1140::[Chaes] has decrypted an AES encrypted binary file to trigger the download of other files."
"T1185::[Chaes] has used the Puppeteer module to hook and monitor the Chrome web browser to collect user information from infected hosts."
"T1204.002::[Chaes] requires the user to click on the malicious Word document to execute the next part of the attack."
"T1218.004::[Chaes] has used Installutill to download content."
"T1218.007::[Chaes] has used .MSI files as an initial way to start the infection chain."
"T1221::[Chaes] changed the template target of the settings.xml file embedded in the Word document and populated that field with the downloaded URL of the next payload."
"T1539::[Chaes] has used a script that extracts the web session cookie and sends it to the C2 server."
"T1547.001::[Chaes] has added persistence via the Registry key software\\microsoft\\windows\\currentversion\\run\\microsoft windows html help."
"T1555.003::[Chaes] can steal login credentials and stored financial information from the browser."
"T1566.001::[Chaes] has been delivered by sending victims a phishing email containing a malicious .docx file."
"T1573::[Chaes] has used encryption for its C2 channel."
"T1574.001::[Chaes] has used search order hijacking to load a malicious DLL."
"T1059.004::[Chaos] provides a reverse shell connection on 8338/TCP, encrypted via AES."
"T1104::After initial compromise, [Chaos] will download a second stage to establish a more permanent presence on the affected system."
"T1110::[Chaos] conducts brute force attacks against SSH services to gain initial access."
"T1205::[Chaos] provides a reverse shell is triggered upon receipt of a packet with a special string, sent to any port."
"T1573.001::[Chaos] provides a reverse shell connection on 8338/TCP, encrypted via AES."
"T1005::[CharmPower] can collect data and files from a compromised host."
"T1008::[CharmPower] can change its C2 channel once every 360 loops by retrieving a new domain from the actors’ S3 bucket."
"T1012::[CharmPower] has the ability to enumerate `Uninstall` registry values."
"T1016::[CharmPower] has the ability to use ipconfig to enumerate system network settings."
"T1041::[CharmPower] can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST."
"T1047::[CharmPower] can use `wmic` to gather information from a system."
"T1048.003::[CharmPower] can send victim data via FTP with credentials hardcoded in the script."
"T1049::[CharmPower] can use `netsh wlan show profiles` to list specific Wi-Fi profile details."
"T1057::[CharmPower] has the ability to list running processes through the use of `tasklist`."
"T1059.001::[CharmPower] can use PowerShell for payload execution and C2 communication."
"T1059.003::The C# implementation of  the [CharmPower] command execution module can use cmd."
"T1070.004::[CharmPower] can delete created files from a compromised system."
"T1071.001::[CharmPower] can use HTTP to communicate with C2."
"T1082::[CharmPower] can enumerate the OS version and computer name on a targeted system."
"T1083::[CharmPower] can enumerate drives and list the contents of the C: drive on a victim's computer."
"T1102.001::[CharmPower] can retrieve C2 domain information from actor-controlled S3 buckets."
"T1102::[CharmPower] can download additional modules from actor-controlled Amazon S3 buckets."
"T1105::[CharmPower] has the ability to download additional modules to a compromised host."
"T1112::[CharmPower] can remove persistence-related artifacts from the Registry."
"T1113::[CharmPower] has the ability to capture screenshots."
"T1132.001::[CharmPower] can send additional modules over C2 encoded with base64."
"T1140::[CharmPower] can decrypt downloaded modules prior to execution."
"T1518::[CharmPower] can list the installed applications on a compromised host."
"T1573.001::[CharmPower] can send additional modules over C2 encrypted with a simple substitution cipher."
"T1036.005::[ChChes] copies itself to an .exe file with a filename that is likely intended to imitate Norton Antivirus but has several letters reversed (e.g. notron.exe)."
"T1057::[ChChes] collects its process identifier (PID) on the victim."
"T1071.001::[ChChes] communicates to its C2 server over HTTP and embeds data within the Cookie HTTP header."
"T1082::[ChChes] collects the victim hostname, window resolution, and Microsoft Windows version."
"T1083::[ChChes] collects the victim's %TEMP% directory path and version of Internet Explorer."
"T1105::[ChChes] is capable of downloading files, including additional modules."
"T1132.001::[ChChes] can encode C2 data with a custom technique that utilizes Base64."
"T1547.001::[ChChes] establishes persistence by adding a Registry Run key."
"T1553.002::[ChChes] samples were digitally signed with a certificate originally used by Hacking Team that was later leaked and subsequently revoked."
"T1555.003::[ChChes] steals credentials stored inside Internet Explorer."
"T1562.001::[ChChes] can alter the victim's proxy configuration."
"T1573.001::[ChChes] can encrypt C2 traffic with AES or RC4."
"T1048.003::[Cherry Picker] exfiltrates files over FTP."
"T1070.004::Recent versions of [Cherry Picker] delete files and registry keys created by the malware."
"T1546.010::Some variants of [Cherry Picker] use AppInit_DLLs to achieve persistence by creating the following Registry key: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Windows \"AppInit_DLLs\"=\"pserver32.dll\""
"T1005::[China Chopper]'s server component can upload local files."
"T1027.002::[China Chopper]'s client component is packed with UPX."
"T1046::[China Chopper]'s server component can spider authentication portals."
"T1059.003::[China Chopper]'s server component is capable of opening a command terminal."
"T1070.006::[China Chopper]'s server component can change the timestamp of files."
"T1071.001::[China Chopper]'s server component executes code sent via HTTP POST commands."
"T1083::[China Chopper]'s server component can list directory contents."
"T1105::[China Chopper]'s server component can download remote files."
"T1110.001::[China Chopper]'s server component can perform brute force password guessing against authentication portals."
"T1505.003::[China Chopper]'s server component is a Web Shell payload."
"T1027::[Chinoxy] has encrypted its configuration file."
"T1036.005::[Chinoxy] has used the name `eoffice.exe` in attempt to appear as a legitimate file."
"T1140::The [Chinoxy] dropping function can initiate decryption of its config file."
"T1547.001::[Chinoxy] has established persistence via the `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` registry key and by loading a dropper to `(%COMMON_ STARTUP%\\\\eoffice.exe)`."
"T1574.002::[Chinoxy] can use a digitally signed binary (\"Logitech Bluetooth Wizard Host Process\") to load its dll into memory."
"T1008::[CHOPSTICK] can switch to a new C2 channel if the current one is broken."
"T1012::[CHOPSTICK] provides access to the Windows Registry, which can be used to gather information."
"T1056.001::[CHOPSTICK] is capable of performing keylogging."
"T1059::[CHOPSTICK] is capable of performing remote command execution."
"T1071.001::Various implementations of [CHOPSTICK] communicate with C2 over HTTP."
"T1071.003::Various implementations of [CHOPSTICK] communicate with C2 over SMTP and POP3."
"T1083::An older version of [CHOPSTICK] has a module that monitors all mounted volumes for files with the extensions .doc, .docx, .pgp, .gpg, .m2f, or .m2o."
"T1090.001::[CHOPSTICK] used a proxy server between victims and the C2 server."
"T1091::Part of [APT28]'s operation involved using [CHOPSTICK] modules to copy itself to air-gapped machines and using files written to USB sticks to transfer data and command traffic."
"T1092::Part of [APT28]'s operation involved using [CHOPSTICK] modules to copy itself to air-gapped machines, using files written to USB sticks to transfer data and command traffic."
"T1105::[CHOPSTICK] is capable of performing remote file transmission."
"T1112::[CHOPSTICK] may store RC4 encrypted configuration information in the Windows Registry."
"T1113::[CHOPSTICK] has the capability to capture screenshots."
"T1497::[CHOPSTICK]  includes runtime checks to identify an analysis environment and prevent execution on it."
"T1518.001::[CHOPSTICK] checks for antivirus and forensics software."
"T1568.002::[CHOPSTICK] can use a DGA for [Fallback Channels], domains are generated by concatenating words from lists."
"T1573.001::[CHOPSTICK] encrypts C2 communications with RC4."
"T1573.002::[CHOPSTICK] encrypts C2 communications with TLS."
"T1005::[Chrommme] can collect data from a local system."
"T1016::[Chrommme] can enumerate the IP address of a compromised host."
"T1027::[Chrommme] can encrypt sections of its code to evade detection."
"T1029::[Chrommme] can set itself to sleep before requesting a new command from C2."
"T1033::[Chrommme] can retrieve the username from a targeted system."
"T1041::[Chrommme] can exfiltrate collected data via C2."
"T1074.001::[Chrommme] can store captured system information locally prior to exfiltration."
"T1082::[Chrommme] has the ability to list drives and obtain the computer name of a compromised host."
"T1105::[Chrommme] can download its code from C2."
"T1106::[Chrommme] can use Windows API including `WinExec` for execution."
"T1113::[Chrommme] has the ability to capture screenshots."
"T1140::[Chrommme] can decrypt its encrypted internal code."
"T1560::[Chrommme] can encrypt and store on disk collected data before exfiltration."
"T1005::[Clambling] can collect information from a compromised host."
"T1012::[Clambling] has the ability to enumerate Registry keys, including KEY_CURRENT_USER\\Software\\Bitcoin\\Bitcoin-Qt\\strDataDir to search for a bitcoin wallet."
"T1016::[Clambling] can enumerate the IP address of a compromised machine."
"T1027::The [Clambling] executable has been obfuscated when dropped on a compromised host."
"T1033::[Clambling] can identify the username on a compromised host."
"T1055.012::[Clambling] can execute binaries through process hollowing."
"T1055::[Clambling] can inject into the `svchost.exe` process for execution."
"T1056.001::[Clambling] can capture keystrokes on a compromised host."
"T1057::[Clambling] can enumerate processes on a targeted system."
"T1059.001::The [Clambling] dropper can use PowerShell to download the malware."
"T1059.003::[Clambling] can use cmd.exe for command execution."
"T1071.001::[Clambling] has the ability to communicate over HTTP."
"T1071::[Clambling] has the ability to use Telnet for communication."
"T1082::[Clambling] can discover the hostname, computer name, and Windows version of a targeted machine."
"T1083::[Clambling] can browse directories on a compromised host."
"T1095::[Clambling] has the ability to use TCP and UDP for communication."
"T1102.002::[Clambling] can use Dropbox to download malicious payloads, send commands, and receive information."
"T1112::[Clambling] can set and delete Registry keys."
"T1113::[Clambling] has the ability to capture screenshots."
"T1115::[Clambling] has the ability to capture and store clipboard data."
"T1124::[Clambling] can determine the current time."
"T1125::[Clambling] can record screen content in AVI format."
"T1135::[Clambling] has the ability to enumerate network shares."
"T1140::[Clambling] can deobfuscate its payload prior to execution."
"T1204.002::[Clambling] has gained execution through luring victims into opening malicious files."
"T1497.003::[Clambling] can wait 30 minutes before initiating contact with C2."
"T1543.003::[Clambling] can register itself as a system service to gain persistence."
"T1547.001::[Clambling] can establish persistence by adding a Registry run key."
"T1548.002::[Clambling] has the ability to bypass UAC using a `passuac.dll` file."
"T1564.001::[Clambling] has the ability to set its file attributes to hidden."
"T1566.001::[Clambling] has been delivered to victim's machines through malicious e-mail attachments."
"T1567.002::[Clambling] can send files from a victim's machine to Dropbox."
"T1569.002::[Clambling] can create and start services on a compromised host."
"T1574.002::[Clambling] can store a file named `mpsvc.dll`, which opens a malicious `mpsvc.mui` file, in the same folder as the legitimate Microsoft executable `MsMpEng.exe` to gain execution."
"T1027.002::[Clop] has been packed to help avoid detection."
"T1057::[Clop] can enumerate all processes on the victim's machine."
"T1059.003::[Clop] can use cmd.exe to help execute commands on the system."
"T1083::[Clop] has searched folders and subfolders for files to encrypt."
"T1106::[Clop] has used built-in API functions such as WNetOpenEnumW(), WNetEnumResourceW(), WNetCloseEnum(), GetProcAddress(), and VirtualAlloc()."
"T1112::[Clop] can make modifications to Registry keys."
"T1135::[Clop] can enumerate network shares."
"T1140::[Clop] has used a simple XOR operation to decrypt strings."
"T1218.007::[Clop] can use msiexec.exe to disable security tools on the system."
"T1486::[Clop] can encrypt files using AES, RSA, and RC4 and will add the \".clop\" extension to encrypted files."
"T1489::[Clop] can kill several processes and services related to backups and security solutions."
"T1490::[Clop] can delete the shadow volumes with vssadmin Delete Shadows /all /quiet and can use bcdedit to disable recovery options."
"T1497.003::[Clop] has used the sleep command to avoid sandbox detection."
"T1518.001::[Clop] can search for processes with antivirus and antimalware product names."
"T1553.002::[Clop] can use code signing to evade detection."
"T1562.001::[Clop] can uninstall or disable security products."
"T1614.001::[Clop] has checked the keyboard language using the GetKeyboardLayout() function to avoid installation on Russian-language or other Commonwealth of Independent States-language machines; it will also check the GetTextCharset function."
"T1071.001::One variant of [CloudDuke] uses HTTP and HTTPS for C2."
"T1102.002::One variant of [CloudDuke] uses a Microsoft OneDrive account to exchange commands and stolen data with its operators."
"T1105::[CloudDuke] downloads and executes additional malware from either a Web address or a Microsoft OneDrive account."
"T1001.003::[Cobalt Strike] can mimic the HTTP protocol for C2 communication, while hiding the actual data in either an HTTP header, URI parameter, the transaction body, or appending it to the URI."
"T1003.001::[Cobalt Strike] can spawn a job to inject into LSASS memory and dump password hashes."
"T1003.002::[Cobalt Strike] can recover hashed passwords."
"T1005::[Cobalt Strike] can collect data from a local system."
"T1007::[Cobalt Strike] can enumerate services on compromised hosts."
"T1012::[Cobalt Strike] can query HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Excel Version>\\Excel\\Security\\AccessVBOM\\  to determine if the security setting for restricting default programmatic access is enabled."
"T1016::[Cobalt Strike] can determine the NetBios name and  the IP addresses of targets machines including domain controllers."
"T1018::[Cobalt Strike] uses the native Windows Network Enumeration APIs to interrogate and discover targets in a Windows Active Directory network."
"T1021.001::[Cobalt Strike] can start a VNC-based remote desktop server and tunnel the connection through the already established C2 channel."
"T1021.002::[Cobalt Strike] can use Window admin shares (C$ and ADMIN$) for lateral movement."
"T1021.003::[Cobalt Strike] can deliver Beacon payloads for lateral movement by leveraging remote COM execution."
"T1021.004::[Cobalt Strike] can SSH to a remote service."
"T1021.006::[Cobalt Strike] can use WinRM to execute a payload on a remote host."
"T1027.005::[Cobalt Strike] includes a capability to modify the Beacon payload to eliminate known signatures or unpacking methods."
"T1027::[Cobalt Strike] can hash functions to obfuscate calls to the Windows API and use a public/private key pair to encrypt Beacon session metadata."
"T1029::[Cobalt Strike] can set its Beacon payload to reach out to the C2 server on an arbitrary and random interval."
"T1030::[Cobalt Strike] will break large data sets into smaller chunks for exfiltration."
"T1046::[Cobalt Strike] can perform port scans from an infected host."
"T1047::[Cobalt Strike] can use WMI to deliver a payload to a remote host."
"T1049::[Cobalt Strike] can produce a sessions report from compromised hosts."
"T1055.001::[Cobalt Strike] has the ability to load DLLs via reflective injection."
"T1055.012::[Cobalt Strike] can use process hollowing for execution."
"T1055::[Cobalt Strike] can inject a variety of payloads into processes dynamically chosen by the adversary."
"T1056.001::[Cobalt Strike] can track key presses with a keylogger module."
"T1057::[Cobalt Strike]'s Beacon payload can collect information on process details."
"T1059.001::[Cobalt Strike] can execute a payload on a remote host with PowerShell. This technique does not write any data to disk."
"T1059.003::[Cobalt Strike] uses a command-line interface to interact with systems."
"T1059.005::[Cobalt Strike] can use VBA to perform execution."
"T1059.006::[Cobalt Strike] can use Python to perform execution."
"T1059.007::The [Cobalt Strike] System Profiler can use JavaScript to perform reconnaissance actions."
"T1068::[Cobalt Strike] can exploit vulnerabilities such as MS14-058."
"T1069.001::[Cobalt Strike] can use net localgroup to list local groups on a system."
"T1069.002::[Cobalt Strike] can identify targets by querying account groups on a domain contoller."
"T1070.006::[Cobalt Strike] can timestomp any files or payloads placed on a target machine to help them blend in."
"T1071.001::[Cobalt Strike] can use a custom command and control protocol that can be encapsulated in HTTP or HTTPS. All protocols use their standard assigned ports."
"T1071.004::[Cobalt Strike] can use a custom command and control protocol that can be encapsulated in DNS. All protocols use their standard assigned ports."
"T1071::[Cobalt Strike] can conduct peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports."
"T1078.002::[Cobalt Strike] can use known credentials to run commands and spawn processes as a domain user account."
"T1078.003::[Cobalt Strike] can use known credentials to run commands and spawn processes as a local user account."
"T1083::[Cobalt Strike] can explore files on a compromised system."
"T1087.002::[Cobalt Strike] can determine if the user on an infected machine is in the admin or domain admin group."
"T1090.001::[Cobalt Strike] can be configured to have commands relayed over a peer-to-peer network of infected hosts. This can be used to limit the number of egress points, or provide access to a host without direct internet access."
"T1090.004::[Cobalt Strike] has the ability to accept a value for HTTP Host Header to enable domain fronting."
"T1095::[Cobalt Strike] can be configured to use TCP, ICMP, and UDP for C2 communications."
"T1105::[Cobalt Strike] can deliver additional payloads to victim machines."
"T1106::[Cobalt Strike]'s Beacon payload is capable of running shell commands without cmd.exe and PowerShell commands without powershell.exe"
"T1112::[Cobalt Strike] can modify Registry values within HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\<Excel Version>\\Excel\\Security\\AccessVBOM\\ to enable the execution of additional code."
"T1113::[Cobalt Strike]'s Beacon payload is capable of capturing screenshots."
"T1132.001::[Cobalt Strike] can use Base64, URL-safe Base64, or NetBIOS encoding in its C2 traffic."
"T1134.001::[Cobalt Strike] can steal access tokens from exiting processes."
"T1134.003::[Cobalt Strike] can make tokens from known credentials."
"T1134.004::[Cobalt Strike] can spawn processes with alternate PPIDs."
"T1135::[Cobalt Strike] can query shared drives on the local system."
"T1137.001::[Cobalt Strike] has the ability to use an Excel Workbook to execute additional code by enabling Office to trust macros and execute code without user permission."
"T1140::[Cobalt Strike] can deobfuscate shellcode using a rolling XOR and decrypt metadata from Beacon sessions."
"T1185::[Cobalt Strike] can perform browser pivoting and inject into a user's browser to inherit cookies, authenticated HTTP sessions, and client SSL certificates."
"T1197::[Cobalt Strike] can download a hosted \"beacon\" payload using [BITSAdmin]."
"T1203::[Cobalt Strike] can exploit Oracle Java vulnerabilities for execution, including CVE-2011-3544, CVE-2013-2465, CVE-2012-4681, and CVE-2013-2460."
"T1218.011::[Cobalt Strike] can use `rundll32.exe` to load DLL from the command line."
"T1518::The [Cobalt Strike] System Profiler can discover applications through the browser and identify the version of Java the target has."
"T1543.003::[Cobalt Strike] can install a new service."
"T1548.002::[Cobalt Strike] can use a number of known techniques to bypass Windows UAC."
"T1548.003::[Cobalt Strike] can use sudo to run a command."
"T1550.002::[Cobalt Strike] can perform pass the hash."
"T1553.002::[Cobalt Strike] can use self signed Java applets to execute signed applet attacks."
"T1562.001::[Cobalt Strike] has the ability to use Smart Applet attacks to disable the Java SecurityManager sandbox."
"T1564.010::[Cobalt Strike] can use spoof arguments in spawned processes that execute beacon commands."
"T1569.002::[Cobalt Strike] can use [PsExec] to execute a payload on a remote host. It can also use Service Control Manager to start new services."
"T1572::[Cobalt Strike] uses a custom command and control protocol that is encapsulated in HTTP, HTTPS, or DNS. In addition, it conducts peer-to-peer communication over Windows named pipes encapsulated in the SMB protocol. All protocols use their standard assigned ports."
"T1573.001::[Cobalt Strike] has the ability to use AES-256 symmetric encryption in CBC mode with HMAC-SHA-256 to encrypt task commands and XOR to encrypt shell code and configuration data."
"T1573.002::[Cobalt Strike] can use RSA asymmetric encryption with PKCS1 padding to encrypt data sent to the C2 server."
"T1620::[Cobalt Strike]'s execute-assembly command can run a .NET executable within the memory of a sacrificial process by loading the CLR."
"T1056.001::[Cobian RAT] has a feature to perform keylogging on the victim’s machine."
"T1059.003::[Cobian RAT] can launch a remote command shell interface for executing commands."
"T1071.004::[Cobian RAT] uses DNS for C2."
"T1113::[Cobian RAT] has a feature to perform screen capture."
"T1123::[Cobian RAT] has a feature to perform voice recording on the victim’s machine."
"T1125::[Cobian RAT] has a feature to access the webcam on the victim’s machine."
"T1132.001::[Cobian RAT] obfuscates communications with the C2 server using Base64 encoding."
"T1547.001::[Cobian RAT] creates an autostart Registry key to ensure persistence."
"T1027::[CoinTicker] initially downloads a hidden encoded file."
"T1059.003::[CoinTicker] executes a bash script to establish a reverse shell."
"T1059.004::[CoinTicker] executes a bash script to establish a reverse shell."
"T1059.006::[CoinTicker] executes a Python script to download its second stage."
"T1105::[CoinTicker] executes a Python script to download its second stage."
"T1140::[CoinTicker] decodes the initially-downloaded hidden encoded file using OpenSSL."
"T1543.001::[CoinTicker] creates user launch agents named .espl.plist and com.apple.[random string].plist to establish persistence."
"T1553.001::[CoinTicker] downloads the EggShell mach-o binary using curl, which does not set the quarantine flag."
"T1564.001::[CoinTicker] downloads the following hidden files to evade detection and maintain persistence: /private/tmp/.info.enc, /private/tmp/.info.py, /private/tmp/.server.sh, ~/Library/LaunchAgents/.espl.plist, ~/Library/Containers/.[random string]/[random string]."
"T1007::[Comnie] runs the command: net start >> %TEMP%\\info.dat on a victim."
"T1016::[Comnie] uses ipconfig /all and route PRINT to identify network adapter and interface information."
"T1018::[Comnie] runs the net view command"
"T1027.001::[Comnie] appends a total of 64MB of garbage data to a file to deter any security products in place that may be scanning files on disk."
"T1027::[Comnie] uses RC4 and Base64 to obfuscate strings."
"T1049::[Comnie] executes the netstat -ano command."
"T1057::[Comnie] uses the tasklist to view running processes on the victim’s machine."
"T1059.003::[Comnie] executes BAT scripts."
"T1059.005::[Comnie] executes VBS scripts."
"T1071.001::[Comnie] uses HTTP for C2 communication."
"T1082::[Comnie] collects the hostname of the victim machine."
"T1087.001::[Comnie] uses the net user command."
"T1102.002::[Comnie] uses blogs and third-party sites (GitHub, tumbler, and BlogSpot) to avoid DNS-based blocking of their communication to the command and control server."
"T1119::[Comnie] executes a batch script to store discovery information in %TEMP%\\info.dat and then uploads the temporarily file to the remote C2 server."
"T1218.011::[Comnie] uses Rundll32 to load a malicious DLL."
"T1518.001::[Comnie] attempts to detect several anti-virus products."
"T1547.001::[Comnie] achieves persistence by adding a shortcut of itself to the startup path in the Registry."
"T1547.009::[Comnie] establishes persistence via a .lnk file in the victim’s startup path."
"T1573.001::[Comnie] encrypts command and control communications with RC4."
"T1012::[ComRAT] can check the default browser by querying HKCR\\http\\shell\\open\\command."
"T1027.009::[ComRAT] has embedded a XOR encrypted communications module inside the orchestrator module."
"T1027::[ComRAT] has used encryption and base64 to obfuscate its orchestrator code in the Registry. [ComRAT] has encrypted its virtual file system using AES-256 in XTS mode and has encoded PowerShell scripts."
"T1029::[ComRAT] has been programmed to sleep outside local business hours (9 to 5, Monday to Friday)."
"T1036.004::[ComRAT] has used a task name associated with Windows SQM Consolidator."
"T1053.005::[ComRAT] has used a scheduled task to launch its PowerShell loader."
"T1055.001::[ComRAT] has injected its orchestrator DLL into explorer.exe. [ComRAT] has also injected its communications module into the victim's default browser to make C2 connections appear less suspicious as all network connections will be initiated by the browser process."
"T1059.001::[ComRAT] has used PowerShell to load itself every time a user logs in to the system. [ComRAT] can execute PowerShell scripts loaded into memory or from the file system."
"T1059.003::[ComRAT] has used cmd.exe to execute commands."
"T1071.001::[ComRAT] has used HTTP requests for command and control."
"T1071.003::[ComRAT] can use email attachments for command and control."
"T1102.002::[ComRAT] has the ability to use the Gmail web UI to receive commands and exfiltrate information."
"T1106::[ComRAT] can load a PE file from memory or the file system and execute it with CreateProcessW."
"T1112::[ComRAT] has encrypted and stored its orchestrator code in the Registry as well as a PowerShell script into the WsqmCons Registry key."
"T1124::[ComRAT] has checked the victim system's date and time to perform tasks during business hours (9 to 5, Monday to Friday)."
"T1140::[ComRAT] has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. [ComRAT] has also used a unique password to decrypt the file used for its hidden file system."
"T1518::[ComRAT] can check the victim's default browser to determine which process to inject its communications module into."
"T1546.015::[ComRAT] samples have been seen which hijack COM objects for persistence by replacing the path to shell32.dll in registry location HKCU\\Software\\Classes\\CLSID\\{42aedc87-2188-41fd-b9a3-0c966feabec1}\\InprocServer32."
"T1564.005::[ComRAT] has used a portable FAT16 partition image placed in %TEMP% as a hidden file system."
"T1573.002::[ComRAT] can use SSL/TLS encryption for its HTTP-based C2 channel. [ComRAT] has used public key cryptography with RSA and AES encrypted email attachments for its Gmail C2 channel."
"T1021.002::[Conficker] variants spread through NetBIOS share propagation."
"T1027::[Conficker] has obfuscated its code to prevent its removal from host machines."
"T1046::[Conficker] scans for other machines to infect."
"T1091::[Conficker] variants used the Windows AUTORUN feature to spread through USB propagation."
"T1105::[Conficker] downloads an HTTP server to the infected machine."
"T1112::[Conficker] adds keys to the Registry at HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services and various other Registry locations."
"T1124::[Conficker] uses the current UTC victim system date for domain generation and connects to time servers to determine the current date."
"T1210::[Conficker] exploited the MS08-067 Windows vulnerability for remote code execution through a crafted RPC request."
"T1490::[Conficker] resets system restore points and deletes backup files."
"T1543.003::[Conficker] copies itself into the %systemroot%\\system32 directory and registers as a service."
"T1547.001::[Conficker] adds Registry Run keys to establish persistence."
"T1562.001::[Conficker] terminates various services related to system security and Windows."
"T1568.002::[Conficker] has used a DGA that seeds with the current UTC victim system date to generate domains."
"T1016::[Conti] can retrieve the ARP cache from the local system by using the GetIpNetTable() API call and check to ensure IP addresses it connects to are for local, non-Internet, systems."
"T1018::[Conti] has the ability to discover hosts on a target network."
"T1021.002::[Conti] can spread via SMB and encrypts files on different hosts, potentially compromising an entire network."
"T1027::[Conti] can use compiler-based obfuscation for its code, encrypt DLLs, and hide Windows API calls."
"T1049::[Conti] can enumerate routine network connections from a compromised host."
"T1055.001::[Conti] has loaded an encrypted DLL into memory and then executes it."
"T1057::[Conti] can enumerate through all open processes to search for any that have the string “sql” in their process name."
"T1059.003::[Conti] can utilize command line options to allow an attacker control over how it scans and encrypts files."
"T1080::[Conti] can spread itself by infecting other remote machines via network shared drives."
"T1083::[Conti] can discover files on a local system."
"T1106::[Conti] has used API calls during execution."
"T1135::[Conti] can enumerate remote open SMB network shares using NetShareEnum()."
"T1140::[Conti] has decrypted its payload using a hardcoded AES-256 key."
"T1486::[Conti] can use CreateIoCompletionPort(), PostQueuedCompletionStatus(), and GetQueuedCompletionPort() to rapidly encrypt files, excluding those with the extensions of .exe, .dll, and .lnk. It has used a different AES-256 encryption key per file with a bundled RAS-4096 public encryption key that is unique for each victim. [Conti] can use “Windows Restart Manager” to ensure files are unlocked and open for encryption."
"T1489::[Conti] can stop up to 146 Windows services related to security, backup, database, and email solutions through the use of net stop."
"T1490::[Conti] can delete Windows Volume Shadow Copies using vssadmin."
"T1005::[CookieMiner] has retrieved iPhone text messages from iTunes phone backup files."
"T1027::[CookieMiner] has used base64 encoding to obfuscate scripts on the system."
"T1048.003::[CookieMiner] has used the curl --upload-file command to exfiltrate data over HTTP."
"T1059.004::[CookieMiner] has used a Unix shell script to run a series of commands targeting macOS."
"T1059.006::[CookieMiner] has used python scripts on the user’s system, as well as the Python variant of the [Empire] agent, EmPyre."
"T1083::[CookieMiner] has looked for files in the user's home directory with \"wallet\" in their name using find."
"T1105::[CookieMiner] can download additional scripts from a web server."
"T1140::[CookieMiner] has used Google Chrome's decryption and extraction operations."
"T1496::[CookieMiner] has loaded coinmining software onto systems to mine for Koto cryptocurrency."
"T1518.001::[CookieMiner] has checked for the presence of \"Little Snitch\", macOS network monitoring and application firewall software, stopping and exiting if it is found."
"T1539::[CookieMiner] can steal Google Chrome and Apple Safari browser cookies from the victim’s machine."
"T1543.001::[CookieMiner] has installed multiple new Launch Agents in order to maintain persistence for cryptocurrency mining software."
"T1555.003::[CookieMiner] can steal saved usernames and passwords in Chrome as well as credit card credentials."
"T1562.004::[CookieMiner] has checked for the presence of \"Little Snitch\", macOS network monitoring and application firewall software, stopping and exiting if it is found."
"T1048.003::[CORALDECK] has exfiltrated data in HTTP POST headers."
"T1083::[CORALDECK] searches for specified files."
"T1560.001::[CORALDECK] has created password-protected RAR, WinImage, and zip archives to be exfiltrated."
"T1027.001::[CORESHELL] contains unused machine instructions in a likely attempt to hinder analysis."
"T1027::[CORESHELL] obfuscates strings using a custom stream cipher."
"T1071.001::[CORESHELL] can communicate over HTTP for C2."
"T1071.003::[CORESHELL] can communicate over SMTP and POP3 for C2."
"T1082::[CORESHELL] collects hostname, volume serial number and OS version data from the victim and sends the information to its C2 server."
"T1105::[CORESHELL] downloads another dropper from its C2 server."
"T1132.001::[CORESHELL] C2 messages are Base64-encoded."
"T1218.011::[CORESHELL] is installed via execution of rundll32 with an export named \"init\" or \"InitW.\""
"T1547.001::[CORESHELL] has established persistence by creating autostart extensibility point (ASEP) Registry entries in the Run key and other Registry keys, as well as by creating shortcuts in the Internet Explorer Quick Start folder."
"T1573.001::[CORESHELL] C2 messages are encrypted with custom stream ciphers using six-byte or eight-byte keys."
"T1003.002::[CosmicDuke] collects Windows account hashes."
"T1003.004::[CosmicDuke] collects LSA secrets."
"T1005::[CosmicDuke] steals user files from local hard drives with file extensions that match a predefined list."
"T1020::[CosmicDuke] exfiltrates collected files automatically over FTP to remote servers."
"T1025::[CosmicDuke] steals user files from removable media with file extensions and keywords that match a predefined list."
"T1039::[CosmicDuke] steals user files from network shared drives with file extensions and keywords that match a predefined list."
"T1048.003::[CosmicDuke] exfiltrates collected files over FTP or WebDAV. Exfiltration servers can be separately configured from C2 servers."
"T1053.005::[CosmicDuke] uses scheduled tasks typically named \"Watchmon Service\" for persistence."
"T1056.001::[CosmicDuke] uses a keylogger."
"T1068::[CosmicDuke] attempts to exploit privilege escalation vulnerabilities CVE-2010-0232 or CVE-2010-4398."
"T1071.001::[CosmicDuke] can use HTTP or HTTPS for command and control to hard-coded C2 servers."
"T1083::[CosmicDuke] searches attached and mounted drives for file extensions and keywords that match a predefined list."
"T1113::[CosmicDuke] takes periodic screenshots and exfiltrates them."
"T1114.001::[CosmicDuke] searches for Microsoft Outlook data files with extensions .pst and .ost for collection and exfiltration."
"T1115::[CosmicDuke] copies and exfiltrates the clipboard contents every 30 seconds."
"T1543.003::[CosmicDuke] uses Windows services typically named \"javamtsup\" for persistence."
"T1555.003::[CosmicDuke] collects user credentials, including passwords, for various programs including Web browsers."
"T1555::[CosmicDuke] collects user credentials, including passwords, for various programs including popular instant messaging applications and email clients as well as WLAN keys."
"T1573.001::[CosmicDuke] contains a custom version of the RC4 algorithm that includes a programming error."
"T1027.001::[CostaBricks] has added the entire unobfuscated code of the legitimate open source application Blink to its code."
"T1027.002::[CostaBricks] can implement a custom-built virtual machine mechanism to obfuscate its code."
"T1055::[CostaBricks] can inject a payload into the memory of a compromised host."
"T1105::[CostaBricks] has been used to load [SombRAT] onto a compromised host."
"T1106::[CostaBricks] has used a number of API calls, including `VirtualAlloc`, `VirtualFree`, `LoadLibraryA`, `GetProcAddress`, and `ExitProcess`."
"T1140::[CostaBricks] has the ability to use bytecode to decrypt embedded payloads."
"T1003.001::[CozyCar] has executed [Mimikatz] to harvest stored credentials from the victim and further victim penetration."
"T1003.002::Password stealer and NTLM stealer modules in [CozyCar] harvest stored credentials from the victim, including credentials used as part of Windows NTLM user authentication."
"T1027::The payload of [CozyCar] is encrypted with simple XOR with a rotating key. The [CozyCar] configuration file has been encrypted with RC4 keys."
"T1036.003::The [CozyCar] dropper has masqueraded a copy of the infected system's rundll32.exe executable that was moved to the malware's install directory and renamed according to a predefined configuration file."
"T1053.005::One persistence mechanism used by [CozyCar] is to register itself as a scheduled task."
"T1059.003::A module in [CozyCar] allows arbitrary commands to be executed by invoking C:\\Windows\\System32\\cmd.exe."
"T1071.001::[CozyCar]'s main method of communicating with its C2 servers is using HTTP or HTTPS."
"T1082::A system info module in [CozyCar] gathers information on the victim host’s configuration."
"T1102.002::[CozyCar] uses Twitter as a backup C2 channel to Twitter accounts specified in its configuration file."
"T1218.011::The [CozyCar] dropper copies the system file rundll32.exe to the install location for the malware, then uses the copy of rundll32.exe to load and execute the main [CozyCar] component."
"T1497::Some versions of [CozyCar] will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. If it detects that it is, it will exit."
"T1518.001::The main [CozyCar] dropper checks whether the victim has an anti-virus product installed. If the installed product is on a predetermined list, the dropper will exit."
"T1543.003::One persistence mechanism used by [CozyCar] is to register itself as a Windows service."
"T1547.001::One persistence mechanism used by [CozyCar] is to set itself to be executed at system startup by adding a Registry value under one of the following Registry keys: <br>HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ <br>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ <br>HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run <br>HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run"
"T1005::[CreepyDrive] can upload files to C2 from victim machines."
"T1059.001::[CreepyDrive] can use Powershell for execution, including the cmdlets `Invoke-WebRequest` and `Invoke-Expression`."
"T1071.001::[CreepyDrive] can use HTTPS for C2 using the Microsoft Graph API."
"T1083::[CreepyDrive] can specify the local file path to upload files from."
"T1102.002::[CreepyDrive] can use OneDrive for C2."
"T1105::[CreepyDrive] can download files to the compromised host."
"T1550.001::[CreepyDrive] can use legitimate OAuth refresh tokens to authenticate with OneDrive."
"T1567.002::[CreepyDrive] can use cloud services including OneDrive for data exfiltration."
"T1016::[CreepySnail] can use `getmac` and `Get-NetIPAddress` to enumerate network settings."
"T1033::[CreepySnail] can execute `getUsername` on compromised systems."
"T1041::[CreepySnail] can connect to C2 for data exfiltration."
"T1059.001::[CreepySnail] can use PowerShell for execution, including the cmdlets `Invoke-WebRequst` and `Invoke-Expression`."
"T1071.001::[CreepySnail] can use HTTP for C2."
"T1078.002::[CreepySnail] can use stolen credentials to authenticate on target networks."
"T1132.001::[CreepySnail] can use Base64 to encode its C2 traffic."
"T1005::[Crimson] can collect information from a compromised host."
"T1012::[Crimson] can check the Registry for the presence of HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\last_edate to determine how long it has been installed on a host."
"T1016::[Crimson] contains a command to collect the victim MAC address and LAN IP."
"T1025::[Crimson] contains a module to collect data from removable drives."
"T1033::[Crimson] can identify the user on a targeted system."
"T1041::[Crimson] can exfiltrate stolen information over its C2."
"T1056.001::[Crimson] can use a module to perform keylogging on compromised hosts."
"T1057::[Crimson] contains a command to list processes."
"T1059.003::[Crimson] has the ability to execute commands with the COMSPEC environment variable."
"T1070.004::[Crimson] has the ability to delete files from a compromised host."
"T1071.001::[Crimson] can use a HTTP GET request to download its final payload."
"T1082::[Crimson] contains a command to collect the victim PC name, disk drive information, and operating system."
"T1083::[Crimson] contains commands to list files and directories, as well as search for files matching certain extensions from a defined list."
"T1091::[Crimson] can spread across systems by infecting removable media."
"T1095::[Crimson] uses a custom TCP protocol for C2."
"T1105::[Crimson] contains a command to retrieve files from its C2 server."
"T1112::[Crimson] can set a Registry key to determine how long it has been installed and possibly to indicate the version number."
"T1113::[Crimson] contains a command to perform screen captures."
"T1114.001::[Crimson] contains a command to collect and exfiltrate emails from Outlook."
"T1120::[Crimson] has the ability to discover pluggable/removable drives to extract files from."
"T1123::[Crimson] can perform audio surveillance using microphones."
"T1124::[Crimson] has the ability to determine the date and time on a compromised host."
"T1125::[Crimson] can capture webcam video on targeted systems."
"T1140::[Crimson] can decode its encoded PE file prior to execution."
"T1497.003::[Crimson] can determine when it has been installed on a host for at least 15 days before downloading the final payload."
"T1518.001::[Crimson] contains a command to collect information about anti-virus software on the victim."
"T1547.001::[Crimson] can add Registry run keys for persistence."
"T1555.003::[Crimson] contains a module to steal credentials from Web browsers on the victim machine."
"T1614::[Crimson] can identify the geographical location of a victim host."
"T1083::[CrossRAT] can list all files on a system."
"T1113::[CrossRAT] is capable of taking screen captures."
"T1543.001::[CrossRAT] creates a Launch Agent on macOS."
"T1547.001::[CrossRAT] uses run keys for persistence on Windows"
"T1005::[Crutch] can exfiltrate files from compromised systems."
"T1008::[Crutch] has used a hardcoded GitHub repository as a fallback channel."
"T1020::[Crutch] has automatically exfiltrated stolen files to Dropbox."
"T1025::[Crutch] can monitor removable drives and exfiltrate files matching a given extension list."
"T1036.004::[Crutch] has established persistence with a scheduled task impersonating the Outlook item finder."
"T1041::[Crutch] can exfiltrate data over the primary C2 channel (Dropbox HTTP API)."
"T1053.005::[Crutch] has the ability to persist using scheduled tasks."
"T1071.001::[Crutch] has conducted C2 communications with a Dropbox account using the HTTP API."
"T1074.001::[Crutch] has staged stolen files in the C:\\AMD\\Temp directory."
"T1102.002::[Crutch] can use Dropbox to receive commands and upload stolen data."
"T1119::[Crutch] can automatically monitor removable drives in a loop and copy interesting files."
"T1120::[Crutch] can monitor for removable drives being plugged into the compromised machine."
"T1560.001::[Crutch] has used the WinRAR utility to compress and encrypt stolen files."
"T1567.002::[Crutch] has exfiltrated stolen data to Dropbox."
"T1574.001::[Crutch] can persist via DLL search order hijacking on Google Chrome, Mozilla Firefox, or Microsoft OneDrive."
"T1005::[Cryptoistic] can retrieve files from the local file system."
"T1033::[Cryptoistic] can gather data on the user of a compromised host."
"T1070.004::[Cryptoistic] has the ability delete files from a compromised host."
"T1083::[Cryptoistic] can scan a directory to identify files for deletion."
"T1095::[Cryptoistic] can use TCP in communications with C2."
"T1105::[Cryptoistic] has the ability to send and receive files."
"T1573::[Cryptoistic] can engage in encrypted communications with C2."
"T1007::[Cuba] can query service status using QueryServiceStatusEx function."
"T1016::[Cuba] can retrieve the ARP cache from the local system by using GetIpNetTable."
"T1027.002::[Cuba] has a packed payload when delivered."
"T1027::[Cuba] has used multiple layers of obfuscation to avoid analysis, including its Base64 encoded payload."
"T1036.005::[Cuba] has been disguised as legitimate 360 Total Security Antivirus and OpenVPN programs."
"T1049::[Cuba] can use the function GetIpNetTable to recover the last connections to the victim's machine."
"T1056.001::[Cuba] logs keystrokes via polling by using GetKeyState and VkKeyScan functions."
"T1057::[Cuba] can enumerate processes running on a victim's machine."
"T1059.001::[Cuba] has been dropped onto systems and used for lateral movement via obfuscated PowerShell scripts."
"T1059.003::[Cuba] has used cmd.exe /c and batch files for execution."
"T1070.004::[Cuba] can use the command cmd.exe /c del to delete its artifacts from the system."
"T1082::[Cuba] can enumerate local drives, disk type, and disk free space."
"T1083::[Cuba] can enumerate files by using a variety of functions."
"T1105::[Cuba] can download files from its C2 server."
"T1106::[Cuba] has used several built-in API functions for discovery like GetIpNetTable and NetShareEnum."
"T1134::[Cuba] has used SeDebugPrivilege and AdjustTokenPrivileges to elevate privileges."
"T1135::[Cuba] can discover shared resources using the NetShareEnum API call."
"T1486::[Cuba] has the ability to encrypt system data and add the \".cuba\" extension to encrypted files."
"T1489::[Cuba] has a hardcoded list of services and processes to terminate."
"T1543.003::[Cuba] can modify services by using the OpenService and ChangeServiceConfig functions."
"T1564.003::[Cuba] has executed hidden PowerShell windows."
"T1614.001::[Cuba] can check if Russian language is installed on the infected machine by using the function GetKeyboardLayoutList."
"T1620::[Cuba] loaded the payload into memory using PowerShell."
"T1005::[Cyclops Blink] can upload files from a compromised host."
"T1016::[Cyclops Blink] can use the Linux API `if_nameindex` to gather network interface names."
"T1036.005::[Cyclops Blink] can rename its running process to [kworker:0/1] to masquerade as a Linux kernel thread. [Cyclops Blink] has also named RC scripts used for persistence after WatchGuard artifacts."
"T1037.004::[Cyclops Blink] has the ability to execute on device startup, using a modified RC script named S51armled."
"T1041::[Cyclops Blink] has the ability to upload exfiltrated files to a C2 server."
"T1057::[Cyclops Blink] can enumerate the process it is currently running under."
"T1070.006::[Cyclops Blink] has the ability to use the Linux API function `utime` to change the timestamps of modified firmware update images."
"T1071.001::[Cyclops Blink] can download files via HTTP and HTTPS."
"T1082::[Cyclops Blink] has the ability to query device information."
"T1083::[Cyclops Blink] can use the Linux API `statvfs` to enumerate the current working directory."
"T1090.003::[Cyclops Blink] has used [Tor] nodes for C2 traffic."
"T1105::[Cyclops Blink] has the ability to download files to target systems."
"T1106::[Cyclops Blink] can use various Linux API functions including those for execution and discovery."
"T1132.002::[Cyclops Blink] can use a custom binary scheme to encode messages with specific commands and parameters to be executed."
"T1140::[Cyclops Blink] can decrypt and parse instructions sent from C2."
"T1542.002::[Cyclops Blink] has maintained persistence by patching legitimate device firmware when it is downloaded, including that of WatchGuard devices."
"T1559::[Cyclops Blink] has the ability to create a pipe to enable inter-process communication."
"T1562.004::[Cyclops Blink] can modify the Linux iptables firewall to enable C2 communication via a stored list of port numbers."
"T1571::[Cyclops Blink] can use non-standard ports for C2 not typically associated with HTTP or HTTPS traffic."
"T1572::[Cyclops Blink] can use DNS over HTTPS (DoH) to resolve C2 nodes."
"T1573.002::[Cyclops Blink] can encrypt C2 messages with AES-256-CBC sent underneath TLS. OpenSSL library functions are also used to encrypt each message using a randomly generated key and IV, which are then encrypted using a hard-coded RSA public key."
"T1027::[Dacls] can encrypt its configuration file with AES CBC."
"T1036::The [Dacls] Mach-O binary has been disguised as a .nib file."
"T1057::[Dacls] can collect data on running and parent processes."
"T1071.001::[Dacls] can use HTTPS in C2 communications."
"T1083::[Dacls] can scan directories on a compromised host."
"T1105::[Dacls] can download its payload from a C2 server."
"T1543.001::[Dacls] can establish persistence via a LaunchAgent."
"T1543.004::[Dacls] can establish persistence via a Launch Daemon."
"T1564.001::[Dacls] has had its payload named with a dot prefix to make it hidden from view in the Finder application."
"T1005::[DanBot] can upload files from compromised hosts."
"T1021.005::[DanBot] can use VNC for remote access to targeted systems."
"T1027::[DanBot] can Base64 encode its payload."
"T1036.005::[DanBot] files have been named `UltraVNC.exe` and `WINVNC.exe` to appear as legitimate VNC tools."
"T1053.005::[DanBot] can use a scheduled task for installation."
"T1059.003::[DanBot] has the ability to execute arbitrary commands via `cmd.exe`."
"T1059.005::[DanBot] can use a VBA macro embedded in an Excel file to drop the payload."
"T1070.004::[DanBot] can delete its configuration file after installation."
"T1071.001::[DanBot] can use HTTP in C2 communication."
"T1071.004::[DanBot] can use use IPv4 A records and IPv6 AAAA DNS records in C2 communications."
"T1105::[DanBot] can download additional files to a targeted system."
"T1140::[DanBot] can use a VBA macro to decode its payload prior to installation and execution."
"T1204.002::[DanBot] has relied on victims' opening a malicious file for initial execution."
"T1566.001::[DanBot] has been distributed within a malicious Excel attachment via spearphishing emails."
"T1021.001::[DarkComet] can open an active screen of the victim’s machine and take control of the mouse and keyboard."
"T1027.002::[DarkComet] has the option to compress its payload using UPX or MPRESS."
"T1033::[DarkComet] gathers the username from the victim’s machine."
"T1036.005::[DarkComet] has dropped itself onto victim machines with file names such as WinDefender.Exe and winupdate.exe in an apparent attempt to masquerade as a legitimate file."
"T1056.001::[DarkComet] has a keylogging capability."
"T1057::[DarkComet] can list active processes running on the victim’s machine."
"T1059.003::[DarkComet] can launch a remote shell to execute commands on the victim’s machine."
"T1059::[DarkComet] can execute various types of scripts on the victim’s machine."
"T1071.001::[DarkComet] can use HTTP for C2 communications."
"T1082::[DarkComet] can collect the computer name, RAM used, and operating system version from the victim’s machine."
"T1105::[DarkComet] can load any files onto the infected machine to execute."
"T1112::[DarkComet] adds a Registry value for its installation routine to the Registry Key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System Enable LUA=”0” and HKEY_CURRENT_USER\\Software\\DC3_FEXEC."
"T1115::[DarkComet] can steal data from the clipboard."
"T1123::[DarkComet] can listen in to victims' conversations through the system’s microphone."
"T1125::[DarkComet] can access the victim’s webcam to take pictures."
"T1547.001::[DarkComet] adds several Registry entries to enable automatic execution at every system startup."
"T1562.001::[DarkComet] can disable Security Center functions like anti-virus."
"T1562.004::[DarkComet] can disable Security Center functions like the Windows Firewall."
"T1005::[DarkWatchman] can collect files from a compromised host."
"T1010::[DarkWatchman] reports window names along with keylogger information to provide application context."
"T1012::[DarkWatchman] can query the Registry to determine if it has already been installed on the system."
"T1027.004::[DarkWatchman] has used the csc.exe tool to compile a C# executable."
"T1027::[DarkWatchman] has used Base64 to encode PowerShell commands. [DarkWatchman] has been delivered as compressed RAR payloads in ZIP files to victims."
"T1033::[DarkWatchman] has collected the username from a victim machine."
"T1036::[DarkWatchman] has used an icon mimicking a text file to mask a malicious executable."
"T1047::[DarkWatchman] can use WMI to execute commands."
"T1053.005::[DarkWatchman] has created a scheduled task for persistence."
"T1056.001::[DarkWatchman] can track key presses with a keylogger module."
"T1059.001::[DarkWatchman] can execute PowerShell commands and has used PowerShell to execute a keylogger."
"T1059.003::[DarkWatchman] can use `cmd.exe` to execute commands."
"T1059.007::[DarkWatchman] uses JavaScript to perform its core functionalities."
"T1070.004::[DarkWatchman] has been observed deleting its original launcher after installation."
"T1070::[DarkWatchman] can uninstall malicious components from the Registry, stop processes, and clear the browser history."
"T1071.001::[DarkWatchman] uses HTTPS for command and control."
"T1074.001::[DarkWatchman] can stage local data in the Windows Registry."
"T1082::[DarkWatchman] can collect the OS version, system architecture, uptime, and computer name."
"T1083::[DarkWatchman] has the ability to enumerate file and folder names."
"T1112::[DarkWatchman] can store configuration strings, keylogger, and output of components in the Registry."
"T1120::[DarkWatchman] can list signed PnP drivers for smartcard readers."
"T1124::[DarkWatchman] can collect the time zone information from the system."
"T1129::[DarkWatchman] can load DLLs."
"T1132.001::[DarkWatchman] encodes data using hexadecimal representation before sending it to the C2 server."
"T1140::[DarkWatchman] has the ability to self-extract as a RAR archive."
"T1217::[DarkWatchman] can retrieve browser history."
"T1490::[DarkWatchman] can delete shadow volumes using vssadmin.exe."
"T1518.001::[DarkWatchman] can search for anti-virus products on the system."
"T1566.001::[DarkWatchman] has been delivered via spearphishing emails that contain a malicious zip file."
"T1568.002::[DarkWatchman] has used a DGA to generate a domain name for C2."
"T1573.002::[DarkWatchman] can use TLS to encrypt its C2 channel."
"T1614::[DarkWatchman] can identity the OS locale of a compromised host."
"T1001.002::[Daserf] can use steganography to hide malicious code downloaded to the victim."
"T1003.001::[Daserf] leverages [Mimikatz] and [Windows Credential Editor] to steal credentials."
"T1027.002::A version of [Daserf] uses the MPRESS packer."
"T1027.005::Analysis of [Daserf] has shown that it regularly undergoes technical improvements to evade anti-virus detection."
"T1027::[Daserf] uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher."
"T1036.005::[Daserf] uses file and folder names related to legitimate programs in order to blend in, such as HP, Intel, Adobe, and perflogs."
"T1056.001::[Daserf] can log keystrokes."
"T1059.003::[Daserf] can execute shell commands."
"T1071.001::[Daserf] uses HTTP for C2."
"T1105::[Daserf] can download remote files."
"T1113::[Daserf] can take screenshots."
"T1132.001::[Daserf] uses custom base64 encoding to obfuscate HTTP traffic."
"T1553.002::Some [Daserf] samples were signed with a stolen digital certificate."
"T1560.001::[Daserf] hides collected data in password-protected .rar archives."
"T1560::[Daserf] hides collected data in password-protected .rar archives."
"T1573.001::[Daserf] uses RC4 encryption to obfuscate HTTP traffic."
"T1027::[DCSrv]'s configuration is encrypted."
"T1036.004::[DCSrv] has masqueraded its service as a legitimate svchost.exe process."
"T1106::[DCSrv] has used various Windows API functions, including `DeviceIoControl`, as part of its encryption process."
"T1112::[DCSrv] has created Registry keys for persistence."
"T1124::[DCSrv] can compare the current time on an infected host with a configuration value to determine when to start the encryption process."
"T1486::[DCSrv] has encrypted drives using the core encryption mechanism from DiskCryptor."
"T1529::[DCSrv] has a function to sleep for two hours before rebooting the system."
"T1543.003::[DCSrv] has created new services for persistence by modifying the Registry."
"T1083::[DDKONG] lists files on the victim’s machine."
"T1105::[DDKONG] downloads and uploads files on the victim’s machine."
"T1140::[DDKONG] decodes an embedded configuration using XOR."
"T1218.011::[DDKONG] uses Rundll32 to ensure only a single instance of itself is running at once."
"T1059.003::[DealersChoice] makes modifications to open-source scripts from GitHub and executes them on the victim’s machine."
"T1071.001::[DealersChoice] uses HTTP for communication with the C2 server."
"T1203::[DealersChoice] leverages vulnerable versions of Flash to perform execution."
"T1047::[DEATHRANSOM] has the ability to use WMI to delete volume shadow copies."
"T1071.001::[DEATHRANSOM] can use HTTPS to download files."
"T1082::[DEATHRANSOM] can enumerate logical drives on a target system."
"T1083::[DEATHRANSOM] can use loop operations to enumerate directories on a compromised host."
"T1105::[DEATHRANSOM] can download files to a compromised host."
"T1135::[DEATHRANSOM] has the ability to use loop operations to enumerate network resources."
"T1486::[DEATHRANSOM] can use public and private key pair encryption to encrypt files for ransom payment."
"T1490::[DEATHRANSOM] can delete volume shadow copies on compromised hosts."
"T1614.001::Some versions of [DEATHRANSOM] have performed language ID and keyboard layout checks; if either of these matched Russian, Kazakh, Belarusian, Ukrainian or Tatar [DEATHRANSOM] would exit."
"T1012::[Denis] queries the Registry for keys and values."
"T1016::[Denis] uses ipconfig to gather the IP address from the system."
"T1027::[Denis] obfuscates its code and encrypts the API names. [Denis] also encodes its payload in Base64."
"T1033::[Denis] enumerates and collects the username from the victim’s machine."
"T1055.012::[Denis] performed process hollowing through the API calls CreateRemoteThread, ResumeThread, and Wow64SetThreadContext."
"T1059.001::[Denis] has a version written in PowerShell."
"T1059.003::[Denis] can launch a remote shell to execute arbitrary commands on the victim’s machine."
"T1070.004::[Denis] has a command to delete files from the victim’s machine."
"T1071.004::[Denis] has used DNS tunneling for C2 communications."
"T1082::[Denis] collects OS information and the computer name from the victim’s machine."
"T1083::[Denis] has several commands to search directories for files."
"T1105::[Denis] deploys additional backdoors and hacking tools to the system."
"T1106::[Denis] used the IsDebuggerPresent, OutputDebugString, and SetLastError APIs to avoid debugging. [Denis] used GetProcAddress and LoadLibrary to dynamically resolve APIs. [Denis] also used the Wow64SetThreadContext API as part of a process hollowing process."
"T1132.001::[Denis] encodes the data sent to the server in Base64."
"T1140::[Denis] will decrypt important strings used for C&C communication."
"T1497.001::[Denis] ran multiple system checks, looking for processor and register characteristics, to evade emulation and analysis."
"T1560.002::[Denis] compressed collected data using zlib."
"T1574.002::[Denis] exploits a security vulnerability to load a fake DLL and execute its code."
"T1574::[Denis] replaces the nonexistent Windows DLL \"msfte.dll\" with its own malicious version, which is loaded by the SearchIndexer.exe and SearchProtocolHost.exe."
"T1008::[Derusbi] uses a backup communication method with an HTTP beacon."
"T1012::[Derusbi] is capable of enumerating Registry keys and values."
"T1033::A Linux version of [Derusbi] checks if the victim user ID is anything other than zero (normally used for root), and the malware will not execute if it does not have root privileges. [Derusbi] also gathers the username of the victim."
"T1055.001::[Derusbi] injects itself into the secure shell (SSH) process."
"T1056.001::[Derusbi] is capable of logging keystrokes."
"T1057::[Derusbi] collects current and parent process IDs."
"T1059.004::[Derusbi] is capable of creating a remote Bash shell and executing commands."
"T1070.004::[Derusbi] is capable of deleting files. It has been observed loading a Linux Kernel Module (LKM) and then deleting it from the hard disk as well as overwriting the data with null bytes."
"T1070.006::The [Derusbi] malware supports timestomping."
"T1082::[Derusbi] gathers the name of the local host, version of GNU Compiler Collection (GCC), and the system information about the CPU, machine, and operating system."
"T1083::[Derusbi] is capable of obtaining directory, file, and drive listings."
"T1095::[Derusbi] binds to a raw socket on a random source port between 31800 and 31900 for C2."
"T1113::[Derusbi] is capable of performing screen captures."
"T1123::[Derusbi] is capable of performing audio captures."
"T1125::[Derusbi] is capable of capturing video."
"T1218.010::[Derusbi] variants have been seen that use Registry persistence to proxy execution through regsvr32.exe."
"T1571::[Derusbi] has used unencrypted HTTP on port 443 for C2."
"T1573.001::[Derusbi] obfuscates C2 traffic with variable 4-byte XOR keys."
"T1016::[Diavol] can enumerate victims' local and external IPs when registering with C2."
"T1018::[Diavol] can use the ARP table to find remote hosts to scan."
"T1021.002::[Diavol] can spread throughout a network via SMB prior to encryption."
"T1027.003::[Diavol] has obfuscated its main code routines within bitmap images as part of its anti-analysis techniques."
"T1027::[Diavol] has Base64 encoded the RSA public key used for encrypting files."
"T1033::[Diavol] can collect the username from a compromised host."
"T1057::[Diavol] has used `CreateToolhelp32Snapshot`, `Process32First`, and `Process32Next` API calls to enumerate the running processes in the system."
"T1071.001::[Diavol] has used HTTP GET and POST requests for C2."
"T1082::[Diavol] can collect the computer name and OS version from the system."
"T1083::[Diavol] has a command to traverse the files and directories in a given path."
"T1105::[Diavol] can receive configuration updates and additional payloads including wscpy.exe from C2."
"T1106::[Diavol] has used several API calls like `GetLogicalDriveStrings`, `SleepEx`, `SystemParametersInfoAPI`, `CryptEncrypt`, and others to execute parts of its attack."
"T1135::[Diavol] has a `ENMDSKS` command to enumerates available network shares."
"T1485::[Diavol] can delete specified files from a targeted system."
"T1486::[Diavol] has encrypted files using an RSA key though the `CryptEncrypt` API and has appended filenames with \".lock64\"."
"T1489::[Diavol] will terminate services using the Service Control Manager (SCM) API."
"T1490::[Diavol] can delete shadow copies using the `IVssBackupComponents` COM object to call the `DeleteSnapshots` method."
"T1491.001::After encryption, [Diavol] will capture the desktop background window, set the background color to black, and change the desktop wallpaper to a newly created bitmap image with the text “All your files are encrypted! For more information see “README-FOR-DECRYPT.txt\"."
"T1562.001::[Diavol] can attempt to stop security software."
"T1029::[Dipsind] can be configured to only run during normal working hours, which would make its communications harder to distinguish from normal traffic."
"T1059.003::[Dipsind] can spawn remote shells."
"T1071.001::[Dipsind] uses HTTP for C2."
"T1105::[Dipsind] can download remote files."
"T1132.001::[Dipsind] encodes C2 traffic with base64."
"T1547.004::A [Dipsind] variant registers as a Winlogon Event Notify DLL to establish persistence."
"T1573.001::[Dipsind] encrypts C2 data with AES256 in ECB mode."
"T1005::[DnsSystem] can upload files from infected machines after receiving a command with `uploaddd` in the string."
"T1033::[DnsSystem] can use the Windows user name to create a unique identification for infected users and systems."
"T1041::[DnsSystem] can exfiltrate collected data to its C2 server."
"T1059.003::[DnsSystem] can use `cmd.exe` for execution."
"T1071.004::[DnsSystem]  can direct queries to custom DNS servers and return C2 commands using TXT records."
"T1105::[DnsSystem] can download files to compromised systems after receiving a command with the string `downloaddd`."
"T1132.001::[DnsSystem] can Base64 encode data sent to C2."
"T1204.002::[DnsSystem] has lured victims into opening macro-enabled Word documents for execution."
"T1547.001::[DnsSystem] can write itself to the Startup folder to gain persistence."
"T1027::[DOGCALL] is encrypted using single-byte XOR."
"T1056.001::[DOGCALL] is capable of logging keystrokes."
"T1102.002::[DOGCALL] is capable of leveraging cloud storage APIs such as Cloud, Box, Dropbox, and Yandex for C2."
"T1105::[DOGCALL] can download and execute additional payloads."
"T1113::[DOGCALL] is capable of capturing screenshots of the victim's machine."
"T1123::[DOGCALL] can capture microphone data from the victim's machine."
"T1027.002::[Dok] is packed with an UPX executable packer."
"T1048.003::[Dok] exfiltrates logs of its execution stored in the /tmp folder over FTP using the curl command."
"T1056.002::[Dok] prompts the user for credentials."
"T1059.002::[Dok] uses AppleScript to create a login item for persistence."
"T1090.003::[Dok] downloads and installs [Tor] via homebrew."
"T1222.002::[Dok] gives all users execute permissions for the application using the command chmod +x /Users/Shared/AppStore.app."
"T1543.001::[Dok] installs two LaunchAgents to redirect all network traffic with a randomly generated name for each plist file maintaining the format com.random.name.plist."
"T1547.015::[Dok] uses AppleScript to install a login Item by sending Apple events to the System Events process."
"T1548.003::[Dok] adds admin  ALL=(ALL) NOPASSWD: ALL to the /etc/sudoers file."
"T1553.004::[Dok] installs a root certificate to aid in [Adversary-in-the-Middle] actions using the command add-trusted-cert -d -r trustRoot -k /Library/Keychains/System.keychain /tmp/filename."
"T1557::[Dok] proxies web traffic to potentially monitor and alter victim HTTP(S) traffic."
"T1020::[Doki] has used a script that gathers information from a hardcoded list of IP addresses and uploads to an Ngrok URL."
"T1036.005::[Doki] has disguised a file as a Linux kernel module."
"T1041::[Doki] has used Ngrok to establish C2 and exfiltrate data."
"T1057::[Doki] has searched for the current process’s PID."
"T1059.004::[Doki] has executed shell scripts with /bin/sh."
"T1071.001::[Doki] has communicated with C2 over HTTPS."
"T1083::[Doki] has resolved the path of a process PID to use as a script argument."
"T1102::[Doki] has used the dogechain.info API to generate a C2 address."
"T1105::[Doki] has downloaded scripts from C2."
"T1133::[Doki] was executed through an open Docker daemon API port."
"T1568.002::[Doki] has used the DynDNS service and a DGA based on the Dogecoin blockchain to generate C2 domains."
"T1573.002::[Doki] has used the embedTLS library for network communications."
"T1610::[Doki] was run through a deployed container."
"T1611::[Doki]’s container was configured to bind the host root directory."
"T1001.001::[Downdelph] inserts pseudo-random characters between each original character during encoding of C2 network requests, making it difficult to write signatures on them."
"T1105::After downloading its main config file, [Downdelph] downloads multiple payloads from C2 servers."
"T1548.002::[Downdelph] bypasses UAC to escalate privileges by using a custom “RedirectEXE” shim database."
"T1573.001::[Downdelph] uses RC4 to encrypt C2 responses."
"T1574.001::[Downdelph] uses search order hijacking of the Windows executable sysprep.exe to escalate privileges."
"T1012::[DownPaper] searches and reads the value of the Windows Update Registry Run key."
"T1033::[DownPaper] collects the victim username and sends it to the C2 server."
"T1059.001::[DownPaper] uses PowerShell for execution."
"T1059.003::[DownPaper] uses the command line."
"T1071.001::[DownPaper] communicates to its C2 server over HTTP."
"T1082::[DownPaper] collects the victim host name and serial number, and then sends the information to the C2 server."
"T1547.001::[DownPaper] uses PowerShell to add a Registry Run key in order to establish persistence."
"T1005::[DRATzarus] can collect information from a compromised host."
"T1018::[DRATzarus] can search for other machines connected to compromised host and attempt to map the network."
"T1027.002::[DRATzarus]'s dropper can be packed with UPX."
"T1027::[DRATzarus] can be partly encrypted with XOR."
"T1033::[DRATzarus] can obtain a list of users from an infected machine."
"T1036.005::[DRATzarus] has been named `Flash.exe`, and its dropper has been named `IExplorer`."
"T1057::[DRATzarus] can enumerate and examine running processes to determine if a debugger is present."
"T1071.001::[DRATzarus] can use HTTP or HTTPS for C2 communications."
"T1105::[DRATzarus] can deploy additional tools onto an infected machine."
"T1106::[DRATzarus] can use various API calls to see if it is running in a sandbox."
"T1124::[DRATzarus] can use the `GetTickCount` and `GetSystemTimeAsFileTime` API calls to inspect system time."
"T1497.003::[DRATzarus] can use the `GetTickCount` and `GetSystemTimeAsFileTime` API calls to measure function timing. can also remotely shut down into sleep mode under specific conditions to evade \ndetection."
"T1622::[DRATzarus] can use `IsDebuggerPresent` to detect whether a debugger is present on a victim."
"T1027::[Dridex]'s strings are obfuscated using RC4."
"T1071.001::[Dridex] has used POST requests and HTTPS for C2 communications."
"T1082::[Dridex] has collected the computer name and OS architecture information from the system."
"T1090.003::[Dridex] can use multiple layers of proxy servers to hide terminal nodes in its infrastructure."
"T1090::[Dridex] contains a backconnect module for tunneling network traffic through a victim's computer. Infected computers become part of a P2P botnet that can relay C2 traffic to other infected peers."
"T1106::[Dridex] has used the OutputDebugStringW function to avoid malware analysis as part of its anti-debugging technique."
"T1185::[Dridex] can perform browser attacks via web injects to steal information such as credentials, certificates, and cookies."
"T1204.002::[Dridex] has relied upon users clicking on a malicious attachment delivered through spearphishing."
"T1219::[Dridex] contains a module for VNC."
"T1518::[Dridex] has collected a list of installed software on the system."
"T1573.001::[Dridex] has encrypted traffic with RC4."
"T1573.002::[Dridex] has encrypted traffic with RSA."
"T1059.003::[DropBook] can execute arbitrary shell commands on the victims' machines."
"T1059.006::[DropBook] is a Python-based backdoor compiled with PyInstaller."
"T1082::[DropBook] has checked for the presence of Arabic language in the infected machine's settings."
"T1083::[DropBook] can collect the names of all files and folders in the Program Files directories."
"T1102::[DropBook] can communicate with its operators by exploiting the Simplenote, DropBox, and the social media platform, Facebook, where it can create fake accounts to control the backdoor and receive instructions."
"T1105::[DropBook] can download and execute additional files."
"T1140::[DropBook] can unarchive data downloaded from the C2 to obtain the payload and persistence modules."
"T1567::[DropBook] has used legitimate web services to exfiltrate data."
"T1614.001::[DropBook] has checked for the presence of Arabic language in the infected machine's settings."
"T1005::[Drovorub] can transfer files from the victim machine."
"T1014::[Drovorub] has used a kernel module rootkit to hide processes, files, executables, and network artifacts from user space view."
"T1027::[Drovorub] has used XOR encrypted payloads in WebSocket client to server messages."
"T1041::[Drovorub] can exfiltrate files over C2 infrastructure."
"T1059.004::[Drovorub] can execute arbitrary commands as root on a compromised system."
"T1070.004::[Drovorub] can delete specific files from a compromised host."
"T1071.001::[Drovorub] can use the WebSocket protocol and has initiated communication with C2 servers with an HTTP Upgrade request."
"T1090.001::[Drovorub] can use a port forwarding rule on its agent module to relay network traffic through the client module to a remote host on the same network."
"T1095::[Drovorub] can use TCP to communicate between its agent and client modules."
"T1105::[Drovorub] can download files to a compromised host."
"T1140::[Drovorub] has de-obsfuscated XOR encrypted payloads in WebSocket messages."
"T1547.006::[Drovorub] can use kernel modules to establish persistence."
"T1005::[Dtrack] can collect a variety of information from victim machines."
"T1012::[Dtrack] can collect the RegisteredOwner, RegisteredOrganization, and InstallDate registry values."
"T1016::[Dtrack] can collect the host's IP addresses using the ipconfig command."
"T1027.009::[Dtrack] has used a dropper that embeds an encrypted payload as extra data."
"T1036.005::One of [Dtrack] can hide in replicas of legitimate programs like OllyDbg, 7-Zip, and FileZilla."
"T1049::[Dtrack] can collect network and active connection information."
"T1055.012::[Dtrack] has used process hollowing shellcode to target a predefined list of processes from %SYSTEM32%."
"T1056.001::[Dtrack]’s dropper contains a keylogging executable."
"T1057::[Dtrack]’s dropper can list all running processes."
"T1059.003::[Dtrack] has used cmd.exe to add a persistent service."
"T1070.004::[Dtrack] can remove its persistence and delete itself."
"T1074.001::[Dtrack] can save collected data to disk, different file formats, and network shares."
"T1078::[Dtrack] used hard-coded credentials to gain access to a network share."
"T1082::[Dtrack] can collect the victim's computer name, hostname and adapter information to create a unique identifier."
"T1083::[Dtrack] can list files on available disk volumes."
"T1105::[Dtrack]’s can download and upload a file to the victim’s computer."
"T1129::[Dtrack] contains a function that calls LoadLibrary and GetProcAddress."
"T1140::[Dtrack] has used a decryption routine that is part of an executable physical patch."
"T1217::[Dtrack] can retrieve browser history."
"T1543.003::[Dtrack] can add a service called WBService to establish persistence."
"T1547::[Dtrack]’s RAT makes a persistent target file with auto execution on the host start."
"T1560::[Dtrack] packs collected data into a password protected archive."
"T1574::One of [Dtrack] can replace the normal flow of a program execution with malicious code."
"T1001.002::When the [Duqu] command and control is operating over HTTP or HTTPS, Duqu uploads data to its controller by appending it to a blank JPG file."
"T1010::The discovery modules used with [Duqu] can collect information on open windows."
"T1016::The reconnaissance modules used with [Duqu] can collect information on network configuration."
"T1021.002::Adversaries can instruct [Duqu] to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware."
"T1049::The discovery modules used with [Duqu] can collect information on network connections."
"T1053.005::Adversaries can instruct [Duqu] to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware."
"T1055.001::[Duqu] will inject itself into different processes to evade detection. The selection of the target process is influenced by the security software that is installed on the system (Duqu will inject into different processes depending on which security suite is installed on the infected host)."
"T1055.012::[Duqu] is capable of loading executable code via process hollowing."
"T1056.001::[Duqu] can track key presses with a keylogger module."
"T1057::The discovery modules used with [Duqu] can collect information on process details."
"T1071::[Duqu] uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols."
"T1074.001::Modules can be pushed to and executed by [Duqu] that copy data to a staging area, compress it, and XOR encrypt it."
"T1078::Adversaries can instruct [Duqu] to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware."
"T1087.001::The discovery modules used with [Duqu] can collect information on accounts and permissions."
"T1090.001::[Duqu] can be configured to have commands relayed over a peer-to-peer network of infected hosts if some of the hosts do not have Internet access."
"T1134::[Duqu] examines running system processes for tokens that have specific system privileges. If it finds one, it will copy the token and store it for later use. Eventually it will start new processes with the stored token attached. It can also steal tokens to acquire administrative privileges."
"T1218.007::[Duqu] has used msiexec to execute malicious Windows Installer packages. Additionally, a PROPERTY=VALUE pair containing a 56-bit encryption key has been used to decrypt the main payload from the installer packages."
"T1543.003::[Duqu] creates a new service that loads a malicious driver when the system starts. When Duqu is active, the operating system believes that the driver is legitimate, as it has been signed with a valid private key."
"T1560.003::Modules can be pushed to and executed by [Duqu] that copy data to a staging area, compress it, and XOR encrypt it."
"T1572::[Duqu] uses a custom command and control protocol that communicates over commonly used ports, and is frequently encapsulated by application layer protocols."
"T1573.001::The [Duqu] command and control protocol's data stream can be encrypted with AES-CBC."
"T1008::[DustySky] has two hard-coded domains for C2 servers; if the first does not respond, it will try the second."
"T1027::The [DustySky] dropper uses a function to obfuscate the name of functions and other parts of the malware."
"T1041::[DustySky] has exfiltrated data to the C2 server."
"T1047::The [DustySky] dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active."
"T1056.001::[DustySky] contains a keylogger."
"T1057::[DustySky] collects information about running processes from victims."
"T1070.004::[DustySky] can delete files it creates from the infected system."
"T1071.001::[DustySky] has used both HTTP and HTTPS for C2."
"T1074.001::[DustySky] created folders in temp directories to host collected files before exfiltration."
"T1082::[DustySky] extracts basic information about the operating system."
"T1083::[DustySky] scans the victim for files that contain certain keywords and document types including PDF, DOC, DOCX, XLS, and XLSX, from a list that is obtained from the C2 as a text file. It can also identify logical drives for the infected machine."
"T1091::[DustySky] searches for removable media and duplicates itself onto it."
"T1113::[DustySky] captures PNG screenshots of the main screen."
"T1120::[DustySky] can detect connected USB devices."
"T1518.001::[DustySky] checks for the existence of anti-virus."
"T1518::[DustySky] lists all installed software for the infected machine."
"T1547.001::[DustySky] achieves persistence by creating a Registry entry in HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run."
"T1560.001::[DustySky] can compress files via RAR while staging data to be exfiltrated."
"T1570::[DustySky] searches for network drives and removable media and duplicates itself onto them."
"T1007::[Dyre] has the ability to identify running services on a compromised host."
"T1016::[Dyre] has the ability to identify network settings on a compromised host."
"T1027.002::[Dyre] has been delivered with encrypted resources and must be unpacked for execution."
"T1033::[Dyre] has the ability to identify the users on a compromised host."
"T1041::[Dyre] has the ability to send information staged on a compromised host externally to C2."
"T1053.005::[Dyre] has the ability to achieve persistence by adding a new task in the task scheduler to run every minute."
"T1055.001::[Dyre] injects into other processes to load modules."
"T1055::[Dyre] has the ability to directly inject its code into the web browser process."
"T1071.001::[Dyre] uses HTTPS for C2 communications."
"T1074.001::[Dyre] has the ability to create files in a TEMP folder to act as a database to store information."
"T1082::[Dyre] has the ability to identify the computer name, OS version, and hardware configuration on a compromised host."
"T1105::[Dyre] has a command to download and executes additional files."
"T1140::[Dyre] decrypts resources needed for targeting the victim."
"T1497.001::[Dyre] can detect sandbox analysis environments by inspecting the process list and Registry."
"T1518::[Dyre] has the ability to identify installed programs on a compromised host."
"T1543.003::[Dyre] registers itself as a service by adding several Registry keys."
"T1008::[Ebury] has implemented a fallback mechanism to begin using a DGA when the attacker hasn't connected to the infected system for three days."
"T1014::[Ebury] has used user mode rootkit techniques to remain hidden on the system."
"T1020::[Ebury] can automatically exfiltrate gathered SSH credentials."
"T1027::[Ebury] has obfuscated its strings with a simple XOR encryption with a static key."
"T1041::[Ebury] can exfiltrate SSH credentials through custom DNS queries."
"T1059.006::[Ebury] has used Python to implement its DGA."
"T1071.004::[Ebury] has used DNS requests over UDP port 53 for C2."
"T1083::[Ebury] can list directory entries."
"T1132.001::[Ebury] has encoded C2 traffic in hexadecimal format."
"T1140::[Ebury] has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key."
"T1552.004::[Ebury] has intercepted unencrypted private keys as well as private key pass-phrases."
"T1553.002::[Ebury] has installed a self-signed RPM package mimicking the original system package on RPM based systems."
"T1554::[Ebury] has been embedded into modified OpenSSH binaries to gain persistent access to SSH credential information."
"T1556.003::[Ebury] can deactivate PAM modules to tamper with the sshd configuration."
"T1556::[Ebury] can intercept private keys using a trojanized ssh-add function."
"T1562.001::[Ebury] can disable SELinux Role-Based Access Control and deactivate PAM modules."
"T1562.006::[Ebury] can hook logging functions so that nothing from the backdoor gets sent to the logging facility."
"T1568.002::[Ebury] has used a DGA to generate a domain name for C2."
"T1573.001::[Ebury] has encrypted C2 traffic using the client IP address, then encoded it as a hexadecimal string."
"T1574.006::[Ebury] has injected its dynamic library into descendent processes of sshd via LD_PRELOAD."
"T1027::[ECCENTRICBANDWAGON] has encrypted strings with RC4."
"T1056.001::[ECCENTRICBANDWAGON] can capture and store keystrokes."
"T1059.003::[ECCENTRICBANDWAGON] can use [cmd] to execute commands on a victim’s machine."
"T1070.004::[ECCENTRICBANDWAGON] can delete log files generated from the malware stored at C:\\windows\\temp\\tmp0207."
"T1074.001::[ECCENTRICBANDWAGON] has stored keystrokes and screenshots within the %temp%\\GoogleChrome, %temp%\\Downloads, and %temp%\\TrendMicroUpdate directories."
"T1113::[ECCENTRICBANDWAGON] can capture screenshots and store them locally."
"T1027::[Ecipekac] can use XOR, AES, and DES to encrypt loader shellcode."
"T1105::[Ecipekac] can download additional payloads to a compromised host."
"T1140::[Ecipekac] has the ability to decrypt fileless loader modules."
"T1553.002::[Ecipekac] has used a valid, legitimate digital signature to evade detection."
"T1574.002::[Ecipekac] can abuse the legitimate application policytool.exe to load a malicious DLL."
"T1027.002::[Egregor]'s payloads are custom-packed, archived and encrypted to prevent analysis."
"T1033::[Egregor] has used tools to gather information about users."
"T1036.004::[Egregor] has masqueraded the svchost.exe process to exfiltrate data."
"T1039::[Egregor] can collect any files found in the enumerated drivers before sending it to its C2 channel."
"T1049::[Egregor] can enumerate all connected drives."
"T1055::[Egregor] can inject its payload into iexplore.exe process."
"T1059.001::[Egregor] has used an encoded PowerShell command by a service created by [Cobalt Strike] for lateral movement."
"T1059.003::[Egregor] has used batch files for execution and can launch Internet Explorer from cmd.exe."
"T1069.002::[Egregor] can conduct Active Directory reconnaissance using tools such as Sharphound or [AdFind]."
"T1071.001::[Egregor] has communicated with its C2 servers via HTTPS protocol."
"T1082::[Egregor] can perform a language check of the infected system and can query the CPU information (cupid)."
"T1105::[Egregor] has the ability to download files from its C2 server."
"T1106::[Egregor] has used the Windows API to make detection more difficult."
"T1124::[Egregor] contains functionality to query the local/system time."
"T1140::[Egregor] has been decrypted before execution."
"T1197::[Egregor] has used BITSadmin to download and execute malicious DLLs."
"T1218.010::[Egregor] has used regsvr32.exe to execute malicious DLLs."
"T1218.011::[Egregor] has used rundll32 during execution."
"T1219::[Egregor] has checked for the LogMein event log in an attempt to encrypt files in remote machines."
"T1484.001::[Egregor] can modify the GPO to evade detection."
"T1486::[Egregor] can encrypt all non-system files using a hybrid AES-RSA algorithm prior to displaying a ransom note."
"T1497.003::[Egregor] can perform a  long sleep (greater than or equal to 3 minutes) to evade detection."
"T1497::[Egregor] has used multiple anti-analysis and anti-sandbox techniques to prevent automated analysis by sandboxes."
"T1562.001::[Egregor] has disabled Windows Defender to evade protections."
"T1574.002::[Egregor] has used DLL side-loading to execute its payload."
"T1016::[EKANS] can determine the domain of a compromised host."
"T1027::[EKANS] uses encoded strings in its process kill list."
"T1036.005::[EKANS] has been disguised as update.exe to appear as a valid executable."
"T1047::[EKANS] can use Windows Mangement Instrumentation (WMI) calls to execute operations."
"T1057::[EKANS] looks for processes from a hard-coded list."
"T1486::[EKANS] uses standard encryption library functions to encrypt files."
"T1489::[EKANS] stops database, data backup solution, antivirus, and ICS-related processes."
"T1490::[EKANS] removes backups of Volume Shadow Copies to disable any restoration capabilities."
"T1562.001::[EKANS] stops processes related to security and management software."
"T1007::[Elise] executes net start after initial communication is made to the remote server."
"T1016::[Elise] executes ipconfig /all after initial communication is made to the remote server."
"T1027::[Elise] encrypts several of its files, including configuration files."
"T1036.005::If installing itself as a service fails, [Elise] instead writes itself as a file named svchost.exe saved in %APPDATA%\\Microsoft\\Network."
"T1055.001::[Elise] injects DLL files into iexplore.exe."
"T1057::[Elise] enumerates processes via the tasklist command."
"T1070.004::[Elise] is capable of launching a remote shell on the host to delete itself."
"T1070.006::[Elise] performs timestomping of a CAB file it creates."
"T1071.001::[Elise] communicates over HTTP or HTTPS for C2."
"T1074.001::[Elise] creates a file in AppData\\Local\\Microsoft\\Windows\\Explorer and stores all harvested data in that file."
"T1082::[Elise] executes systeminfo after initial communication is made to the remote server."
"T1083::A variant of [Elise] executes dir C:\\progra~1 when initially run."
"T1087.001::[Elise] executes net user after initial communication is made to the remote server."
"T1105::[Elise] can download additional files from the C2 server for execution."
"T1132.001::[Elise] exfiltrates data using cookie values that are Base64-encoded."
"T1218.011::After copying itself to a DLL file, a variant of [Elise] calls the DLL file using rundll32.exe."
"T1543.003::[Elise] configures itself as a service."
"T1547.001::If establishing persistence by installation as a new service fails, one variant of [Elise] establishes persistence for the created .exe file by setting the following Registry key: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\svchost : %APPDATA%\\Microsoft\\Network\\svchost.exe. Other variants have set the following Registry keys for persistence: HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\imejp : [self] and HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\IAStorD."
"T1573.001::[Elise] encrypts exfiltrated data with RC4."
"T1057::[ELMER] is capable of performing process listings."
"T1071.001::[ELMER] uses HTTP for command and control."
"T1083::[ELMER] is capable of performing directory listings."
"T1007::[Emissary] has the capability to execute the command net start to interact with services."
"T1016::[Emissary] has the capability to execute the command ipconfig /all."
"T1027.001::A variant of [Emissary] appends junk data to the end of its DLL file to create a large file that may exceed the maximum size that anti-virus programs can scan."
"T1027::Variants of [Emissary] encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the \"srand\" and \"rand\" functions."
"T1055.001::[Emissary] injects its DLL file into a newly spawned Internet Explorer process."
"T1059.003::[Emissary] has the capability to create a remote shell and execute specified commands."
"T1069.001::[Emissary] has the capability to execute the command net localgroup administrators."
"T1071.001::[Emissary] uses HTTP or HTTPS for C2."
"T1082::[Emissary] has the capability to execute ver and systeminfo commands."
"T1105::[Emissary] has the capability to download files from the C2 server."
"T1218.011::Variants of [Emissary] have used rundll32.exe in Registry values added to establish persistence."
"T1543.003::[Emissary] is capable of configuring itself as a service."
"T1547.001::Variants of [Emissary] have added Run Registry keys to establish persistence."
"T1573.001::The C2 server response to a beacon sent by a variant of [Emissary] contains a 36-character GUID value that is used as an encryption key for subsequent network communications. Some variants of [Emissary] use various XOR operations to encrypt C2 data."
"T1615::[Emissary] has the capability to execute gpresult."
"T1003.001::[Emotet] has been observed dropping password grabber modules including [Mimikatz]."
"T1021.002::[Emotet] leverages the Admin$ share for lateral movement once the local admin password has been brute forced."
"T1027.002::[Emotet] has used custom packers to protect its payloads."
"T1027::[Emotet] has obfuscated macros within malicious documents to hide the URLs hosting the malware,  CMD.exe arguments, and PowerShell scripts."
"T1040::[Emotet] has been observed to hook network APIs to monitor network traffic."
"T1041::[Emotet] has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its C2 servers."
"T1047::[Emotet] has used WMI to execute powershell.exe."
"T1053.005::[Emotet] has maintained persistence through a scheduled task."
"T1055.001::[Emotet] has been observed injecting in to Explorer.exe and other processes."
"T1057::[Emotet] has been observed enumerating local processes."
"T1059.001::[Emotet] has used Powershell to retrieve the malicious payload and download additional resources like [Mimikatz]."
"T1059.003::[Emotet] has used cmd.exe to run a PowerShell script."
"T1059.005::[Emotet] has sent Microsoft Word documents with embedded macros that will invoke scripts to download additional payloads."
"T1078.003::[Emotet] can brute force a local admin password, then use it to facilitate lateral movement."
"T1087.003::[Emotet] has been observed leveraging a module that can scrape email addresses from Outlook."
"T1110.001::[Emotet] has been observed using a hard coded list of passwords to brute force user accounts."
"T1114.001::[Emotet] has been observed leveraging a module that scrapes email data from Outlook."
"T1204.001::[Emotet] has relied upon users clicking on a malicious link delivered through spearphishing."
"T1204.002::[Emotet] has relied upon users clicking on a malicious attachment delivered through spearphishing."
"T1210::[Emotet] has been seen exploiting SMB via a vulnerability exploit like EternalBlue (MS17-010) to achieve lateral movement and propagation."
"T1543.003::[Emotet] has been observed creating new services to maintain persistence."
"T1547.001::[Emotet] has been observed adding the downloaded payload to the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key to maintain persistence."
"T1552.001::[Emotet] has been observed leveraging a module that retrieves passwords stored on a system for the current logged-on user."
"T1555.003::[Emotet] has been observed dropping browser password grabber modules."
"T1560::[Emotet] has been observed encrypting the data it collects before sending it to the C2 server."
"T1566.001::[Emotet] has been delivered by phishing emails containing attachments."
"T1566.002::[Emotet] has been delivered by phishing emails containing links."
"T1571::[Emotet] has used HTTP over ports such as 20, 22, 7080, and 50000, in addition to using ports commonly associated with HTTP/S."
"T1573.002::[Emotet] is known to use RSA keys for encrypting C2 traffic."
"T1005::[EnvyScout] can collect sensitive NTLM material from a compromised host."
"T1027.006::[EnvyScout] contains JavaScript code that can extract an encoded blob from its HTML body and write it to disk."
"T1027::[EnvyScout] can Base64 encode payloads."
"T1036::[EnvyScout] has used folder icons for malicious files to lure victims into opening them."
"T1059.003::[EnvyScout] can use cmd.exe to execute malicious files on compromised hosts."
"T1059.007::[EnvyScout] can write files to disk with JavaScript using a modified version of the open-source tool FileSaver."
"T1082::[EnvyScout] can determine whether the ISO payload was received by a Windows or iOS device."
"T1140::[EnvyScout] can deobfuscate and write malicious ISO files to disk."
"T1187::[EnvyScout] can use protocol handlers to coax the operating system to send NTLMv2 authentication responses to attacker-controlled infrastructure."
"T1204.002::[EnvyScout] has been executed through malicious files attached to e-mails."
"T1218.011::[EnvyScout] has the ability to proxy execution of malicious files with Rundll32."
"T1480::[EnvyScout] can call window.location.pathname to ensure that embedded files are being executed from the C: drive, and will terminate if they are not."
"T1564.001::[EnvyScout] can use hidden directories and files to hide malicious executables."
"T1566.001::[EnvyScout] has been distributed via spearphishing as an email attachment."
"T1007::[Epic] uses the tasklist /svc command to list the services on the system."
"T1012::[Epic] uses the rem reg query command to obtain values from Registry keys."
"T1016::[Epic] uses the nbtstat -n and nbtstat -s commands on the victim’s machine."
"T1018::[Epic] uses the net view command on the victim’s machine."
"T1027::[Epic] heavily obfuscates its code to make analysis more difficult."
"T1033::[Epic] collects the user name from the victim’s machine."
"T1049::[Epic] uses the net use, net session, and netstat commands to gather information on network connections."
"T1055.011::[Epic] has overwritten the function pointer in the extra window memory of Explorer's Shell_TrayWnd in order to execute malicious code in the context of the explorer.exe process."
"T1057::[Epic] uses the tasklist /v command to obtain a list of processes."
"T1069.001::[Epic] gathers information on local group names."
"T1070.004::[Epic] has a command to delete a file from the machine."
"T1071.001::[Epic] uses HTTP and HTTPS for C2 communications."
"T1082::[Epic] collects the OS version, hardware information, computer name, available system memory status, disk space information, and system and user language settings."
"T1083::[Epic] recursively searches for all .doc files on the system and collects a directory listing of the Desktop, %TEMP%, and %WINDOWS%\\Temp directories."
"T1087.001::[Epic] gathers a list of all user accounts, privilege classes, and time of last logon."
"T1124::[Epic] uses the net time command  to get the system time from the machine and collect the current date and time zone information."
"T1518.001::[Epic] searches for anti-malware services running on the victim’s machine and terminates itself if it finds them."
"T1553.002::[Turla] has used valid digital certificates from Sysprint AG to sign its [Epic] dropper."
"T1560.002::[Epic] compresses the collected data with bzip2 before sending it to the C2 server."
"T1560::[Epic] encrypts collected data using a public key framework before sending it over the C2 channel."
"T1573.001::[Epic] encrypts commands from the C2 server using a hardcoded key."
"T1047::[EvilBunny] has used WMI to gather information about the system."
"T1053.005::[EvilBunny] has executed commands via scheduled tasks."
"T1057::[EvilBunny] has used EnumProcesses() to identify how many process are running in the environment."
"T1059.003::[EvilBunny] has an integrated scripting engine to download and execute Lua scripts."
"T1070.004::[EvilBunny] has deleted the initial dropper after running through the environment checks."
"T1071.001::[EvilBunny] has executed C2 commands directly via HTTP."
"T1105::[EvilBunny] has downloaded additional Lua scripts from the C2."
"T1106::[EvilBunny] has used various API calls as part of its checks to see if the malware is running in a sandbox."
"T1124::[EvilBunny] has used the API calls NtQuerySystemTime, GetSystemTimeAsFileTime, and GetTickCount to gather time metrics as part of its checks to see if the malware is running in a sandbox."
"T1203::[EvilBunny] has exploited CVE-2011-4369, a vulnerability in the PRC component in Adobe Reader."
"T1497.001::[EvilBunny]'s dropper has checked the number of processes and the length and strings of its own file name to identify if the malware is in a sandbox environment."
"T1497.003::[EvilBunny] has used time measurements from 3 different APIs before and after performing sleep operations to check and abort if the malware is running in a sandbox."
"T1518.001::[EvilBunny] has been observed querying installed antivirus software."
"T1547.001::[EvilBunny] has created Registry keys for persistence in [HKLM|HKCU]\\…\\CurrentVersion\\Run."
"T1056.001::[EvilGrab] has the capability to capture keystrokes."
"T1113::[EvilGrab] has the capability to capture screenshots."
"T1123::[EvilGrab] has the capability to capture audio from a victim machine."
"T1125::[EvilGrab] has the capability to capture video from a victim machine."
"T1547.001::[EvilGrab] adds a Registry Run key for ctfmon.exe to establish persistence."
"T1059.007::[Evilnum] has used malicious JavaScript files on the victim's machine."
"T1070.004::[Evilnum] has deleted files used during infection."
"T1105::[Evilnum] can deploy additional components or tools as needed."
"T1204.001::[Evilnum] has sent spearphishing emails designed to trick the recipient into opening malicious shortcut links which downloads a .LNK file."
"T1219::[EVILNUM] has used the malware variant, TerraTV, to run a legitimate TeamViewer application to connect to compromrised machines."
"T1497.001::[Evilnum] has used a component called TerraLoader to check certain hardware and file information to detect sandboxed environments."
"T1539::[Evilnum] can steal cookies and session information from browsers."
"T1548.002::[Evilnum] has used PowerShell to bypass UAC."
"T1555::[Evilnum] can collect email credentials from victims."
"T1566.002::[Evilnum] has sent spearphishing emails containing a link to a zip file hosted on Google Drive."
"T1574.001::[Evilnum] has used the malware variant, TerraTV, to load a malicious DLL placed in the TeamViewer directory, instead of the original Windows DLL located in a system folder."
"T1008::[Exaramel for Linux] can attempt to find a new C2 server if it receives an error."
"T1027::[Exaramel for Linux] uses RC4 for encrypting the configuration."
"T1033::[Exaramel for Linux] can run whoami to identify the system owner."
"T1053.003::[Exaramel for Linux] uses crontab for persistence if it does not have root privileges."
"T1059.004::[Exaramel for Linux] has a command to execute a shell command on the system."
"T1070.004::[Exaramel for Linux] can uninstall its persistence mechanism and delete its configuration file."
"T1071.001::[Exaramel for Linux] uses HTTPS for C2 communications."
"T1105::[Exaramel for Linux] has a command to download a file from  and to a remote C2 server."
"T1140::[Exaramel for Linux] can decrypt its configuration file."
"T1543.002::[Exaramel for Linux] has a hardcoded location under systemd that it uses to achieve persistence if it is running as root."
"T1543::[Exaramel for Linux] has a hardcoded location that it uses to achieve persistence if the startup system is Upstart or System V and it is running as root."
"T1548.001::[Exaramel for Linux] can execute commands with high privileges via a specific binary with setuid functionality."
"T1036.004::The [Exaramel for Windows] dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV” in an apparent attempt to masquerade as a legitimate service."
"T1059.003::[Exaramel for Windows] has a command to launch a remote shell and executes commands on the victim’s machine."
"T1059.005::[Exaramel for Windows] has a command to execute VBS scripts on the victim’s machine."
"T1074.001::[Exaramel for Windows] specifies a path to store files scheduled for exfiltration."
"T1112::[Exaramel for Windows] adds the configuration to the Registry in XML format."
"T1543.003::The [Exaramel for Windows] dropper creates and starts a Windows service named wsmprovav with the description “Windows Check AV.”"
"T1560::[Exaramel for Windows] automatically encrypts files before sending them to the C2 server."
"T1016::[Explosive] has collected the MAC address from the victim's machine."
"T1025::[Explosive] can scan all .exe files located in the USB drive."
"T1033::[Explosive] has collected the username from the infected host."
"T1056.001::[Explosive] has leveraged its keylogging capabilities to gain access to administrator accounts on target servers."
"T1071.001::[Explosive] has used HTTP for communication."
"T1082::[Explosive] has collected the computer name from the infected host."
"T1105::[Explosive] has a function to download a file to the infected system."
"T1106::[Explosive] has a function to call the OpenClipboard wrapper."
"T1112::[Explosive] has a function to write itself to Registry values."
"T1115::[Explosive] has a function to use the OpenClipboard wrapper."
"T1564.001::[Explosive] has commonly set file and path attributes to hidden."
"T1573.001::[Explosive] has encrypted communications with the RC4 method."
"T1001.003::[FakeM] C2 traffic attempts to evade detection by resembling data generated by legitimate messenger applications, such as MSN and Yahoo! messengers. Additionally, some variants of [FakeM] use modified SSL code for communications back to C2 servers, making SSL decryption ineffective."
"T1056.001::[FakeM] contains a keylogger module."
"T1095::Some variants of [FakeM] use SSL to communicate with C2 servers."
"T1573.001::The original variant of [FakeM] encrypts C2 traffic using a custom encryption cipher that uses an XOR key of “YHCRA” and bit rotation between each XOR operation. Some variants of [FakeM] use RC4 to encrypt C2 traffic."
"T1001.003::[FALLCHILL] uses fake Transport Layer Security (TLS) to communicate with its C2 server."
"T1016::[FALLCHILL] collects MAC address and local IP address information from the victim."
"T1070.004::[FALLCHILL] can delete malware and associated artifacts from the victim."
"T1070.006::[FALLCHILL] can modify file or directory timestamps."
"T1082::[FALLCHILL] can collect operating system (OS) version information, processor information, system name, and information about installed disks from the victim."
"T1083::[FALLCHILL] can search files on a victim."
"T1543.003::[FALLCHILL] has been installed as a Windows service."
"T1573.001::[FALLCHILL] encrypts C2 data with RC4 encryption."
"T1005::[FatDuke] can copy files and directories from a compromised host."
"T1008::[FatDuke] has used several C2 servers per targeted organization."
"T1012::[FatDuke] can get user agent strings for the default browser from HKCU\\Software\\Classes\\http\\shell\\open\\command."
"T1016::[FatDuke] can identify the MAC address on the target computer."
"T1027.001::[FatDuke] has been packed with junk code and strings."
"T1027.002::[FatDuke] has been regularly repacked by its operators to create large binaries and evade detection."
"T1027::[FatDuke] can use base64 encoding, string stacking, and opaque predicates for obfuscation."
"T1036::[FatDuke] has attempted to mimic a compromised user's traffic by using the same user agent as the installed browser."
"T1057::[FatDuke] can list running processes on the localhost."
"T1059.001::[FatDuke] has the ability to execute PowerShell scripts."
"T1070.004::[FatDuke] can secure delete its DLL."
"T1071.001::[FatDuke] can be controlled via a custom C2 protocol over HTTP."
"T1082::[FatDuke] can collect the user name, Windows version, computer name, and available space on discs from a compromised host."
"T1083::[FatDuke] can enumerate directories on target machines."
"T1090.001::[FatDuke] can used pipes to connect machines with restricted internet access to remote machines via other infected hosts."
"T1106::[FatDuke] can call ShellExecuteW to open the default browser on the URL localhost."
"T1140::[FatDuke] can decrypt AES encrypted C2 communications."
"T1218.011::[FatDuke] can execute via rundll32."
"T1497.003::[FatDuke] can turn itself on or off at random intervals."
"T1547.001::[FatDuke] has used HKLM\\SOFTWARE\\Microsoft\\CurrentVersion\\Run to establish persistence."
"T1573.001::[FatDuke] can AES encrypt C2 communications."
"T1016::[Felismus] collects the victim LAN IP address and sends it to the C2 server."
"T1033::[Felismus] collects the current username and sends it to the C2 server."
"T1036.005::[Felismus] has masqueraded as legitimate Adobe Content Management System files."
"T1059.003::[Felismus] uses command line for execution."
"T1071.001::[Felismus] uses HTTP for C2."
"T1082::[Felismus] collects the system information, including hostname and OS version, and sends it to the C2 server."
"T1105::[Felismus] can download files from remote servers."
"T1132.001::Some [Felismus] samples use a custom method for C2 traffic that utilizes Base64."
"T1518.001::[Felismus] checks for processes associated with anti-virus vendors."
"T1573.001::Some [Felismus] samples use a custom encryption method for C2 traffic that utilizes AES and multiple keys."
"T1012::[FELIXROOT] queries the Registry for specific keys for potential privilege escalation and proxy information. [FELIXROOT] has also used WMI to query the Windows Registry."
"T1016::[FELIXROOT] collects information about the network including the IP address and DHCP server."
"T1027::[FELIXROOT] encrypts strings in the backdoor using a custom XOR algorithm."
"T1033::[FELIXROOT] collects the username from the victim’s machine."
"T1047::[FELIXROOT] uses WMI to query the Windows Registry."
"T1057::[FELIXROOT] collects a list of running processes."
"T1059.003::[FELIXROOT] executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution."
"T1070.004::[FELIXROOT] deletes the .LNK file from the startup directory as well as the dropper components."
"T1071.001::[FELIXROOT] uses HTTP and HTTPS to communicate with the C2 server."
"T1082::[FELIXROOT] collects the victim’s computer name, processor architecture, OS version, volume serial number, and system type."
"T1105::[FELIXROOT] downloads and uploads files to and from the victim’s machine."
"T1112::[FELIXROOT] deletes the Registry key HKCU\\Software\\Classes\\Applications\\rundll32.exe\\shell\\open."
"T1124::[FELIXROOT] gathers the time zone information from the victim’s machine."
"T1218.011::[FELIXROOT] uses Rundll32 for executing the dropper program."
"T1518.001::[FELIXROOT] checks for installed security software like antivirus and firewall."
"T1547.001::[FELIXROOT] adds a shortcut file to the startup folder for persistence."
"T1547.009::[FELIXROOT] creates a .LNK file for persistence."
"T1560::[FELIXROOT] encrypts collected data with AES and Base64 and then sends it to the C2 server."
"T1059.001::[Ferocious] can use PowerShell scripts for execution."
"T1059.005::[Ferocious] has the ability to use Visual Basic scripts for execution."
"T1070.004::[Ferocious] can delete files from a compromised host."
"T1082::[Ferocious] can use GET.WORKSPACE in Microsoft Excel to determine the OS version of the compromised host."
"T1112::[Ferocious] has the ability to add a Class ID in the current user Registry hive to enable persistence mechanisms."
"T1120::[Ferocious] can run GET.WORKSPACE in Microsoft Excel to check if a mouse is present."
"T1497.001::[Ferocious] can run anti-sandbox checks using the Microsoft Excel 4.0 function GET.WORKSPACE to determine the OS version, if there is a mouse present, and if the host is capable of playing sounds."
"T1518.001::[Ferocious] has checked for AV software as part of its persistence process."
"T1546.015::[Ferocious] can use COM hijacking to establish persistence."
"T1027::[Final1stspy] obfuscates strings with base64 encoding."
"T1057::[Final1stspy] obtains a list of running processes."
"T1071.001::[Final1stspy] uses HTTP for C2."
"T1082::[Final1stspy] obtains victim Microsoft Windows version information and CPU architecture."
"T1140::[Final1stspy] uses Python code to deobfuscate base64-encoded strings."
"T1547.001::[Final1stspy] creates a Registry Run key to establish persistence."
"T1012::[FinFisher] queries Registry values as part of its anti-sandbox checks."
"T1027.001::[FinFisher] contains junk code in its functions in an effort to confuse disassembly programs."
"T1027.002::A [FinFisher] variant uses a custom packer."
"T1027::[FinFisher] is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code."
"T1036.005::[FinFisher] renames one of its .dll files to uxtheme.dll in an apparent attempt to masquerade as a legitimate file."
"T1055.001::[FinFisher] injects itself into various processes depending on whether it is low integrity or high integrity."
"T1056.004::[FinFisher] hooks processes by modifying IAT pointers to CreateWindowEx."
"T1057::[FinFisher] checks its parent process for indications that it is running in a sandbox setup."
"T1070.001::[FinFisher] clears the system event logs using  OpenEventLog/ClearEventLog APIs ."
"T1082::[FinFisher] checks if the victim OS is 32 or 64-bit."
"T1083::[FinFisher] enumerates directories and scans for certain files."
"T1113::[FinFisher] takes a screenshot of the screen and displays it on top of all other windows for few seconds in an apparent attempt to hide some messages showed by the system during the setup process."
"T1134.001::[FinFisher] uses token manipulation with NtFilterToken as part of UAC bypass."
"T1140::[FinFisher] extracts and decrypts stage 3 malware, which is stored in encrypted resources."
"T1497.001::[FinFisher] obtains the hardware device list and checks if the MD5 of the vendor ID is equal to a predefined list in order to check for sandbox/virtualized environments."
"T1518.001::[FinFisher] probes the system to check for antimalware processes."
"T1542.003::Some [FinFisher] variants incorporate an MBR rootkit."
"T1543.003::[FinFisher] creates a new Windows service with the malicious executable for persistence."
"T1547.001::[FinFisher] establishes persistence by creating the Registry key HKCU\\Software\\Microsoft\\Windows\\Run."
"T1548.002::[FinFisher] performs UAC bypass."
"T1574.001::A [FinFisher] variant uses DLL search order hijacking."
"T1574.002::[FinFisher] uses DLL side-loading to load malicious programs."
"T1574.013::[FinFisher] has used the KernelCallbackTable to hijack the execution flow of a process by replacing the __fnDWORD function with the address of a created [Asynchronous Procedure Call] stub routine."
"T1027::The [FIVEHANDS] payload is encrypted with AES-128."
"T1047::[FIVEHANDS] can use WMI to delete files on a  target machine."
"T1059::[FIVEHANDS] can receive a command line argument to limit file encryption to specified directories."
"T1083::[FIVEHANDS] has the ability to enumerate files on a compromised host in order to encrypt files with specific extensions."
"T1135::[FIVEHANDS] can enumerate network shares and mounted drives on a network."
"T1140::[FIVEHANDS] has the ability to decrypt its payload prior to execution."
"T1486::[FIVEHANDS] can use an embedded NTRU public key to encrypt data for ransom."
"T1490::[FIVEHANDS] has the ability to delete volume shadow copies on compromised hosts."
"T1005::[Flagpro] can collect data from a compromised host, including Windows authentication information."
"T1010::[Flagpro] can check the name of the window displayed on the system."
"T1016::[Flagpro] has been used to execute the ipconfig /all command on a victim system."
"T1018::[Flagpro] has been used to execute net view on a targeted system."
"T1027::[Flagpro] has been delivered within ZIP or RAR password-protected archived files."
"T1029::[Flagpro] has the ability to wait for a specified time interval between communicating with and executing commands from C2."
"T1033::[Flagpro] has been used to run the whoami command on the system."
"T1036::[Flagpro] can download malicious files with a .tmp extension and append them with .exe prior to execution."
"T1041::[Flagpro] has exfiltrated data to the C2 server."
"T1049::[Flagpro] has been used to execute netstat -ano on a compromised host."
"T1057::[Flagpro] has been used to run the tasklist command on a compromised system."
"T1059.003::[Flagpro] can use `cmd.exe` to execute commands received from C2."
"T1059.005::[Flagpro] can execute malicious VBA macros embedded in .xlsm files."
"T1069.001::[Flagpro] has been used to execute the net localgroup administrators command on a targeted system."
"T1070::[Flagpro] can close specific Windows Security and Internet Explorer dialog boxes to mask external connections."
"T1071.001::[Flagpro] can communicate with its C2 using HTTP."
"T1105::[Flagpro] can download additional malware from the C2 server."
"T1106::[Flagpro] can use Native API to enable obfuscation including `GetLastError` and `GetTickCount`."
"T1132.001::[Flagpro] has encoded bidirectional data communications between a target system and C2 server using Base64."
"T1135::[Flagpro] has been used to execute `net view` to discover mapped network shares."
"T1204.002::[Flagpro] has relied on users clicking a malicious attachment delivered through spearphishing."
"T1547.001::[Flagpro] has dropped an executable file to the startup directory."
"T1566.001::[Flagpro] has been distributed via spearphishing as an email attachment."
"T1614.001::[Flagpro] can check whether the target system is using Japanese, Taiwanese, or English through detection of specific Windows Security and Internet Explorer dialog."
"T1011.001::[Flame] has a module named BeetleJuice that contains Bluetooth functionality that may be used in different ways, including transmitting encoded information from the infected system over the Bluetooth protocol, acting as a Bluetooth beacon, and identifying other Bluetooth devices in the vicinity."
"T1091::[Flame] contains modules to infect USB sticks and spread laterally to other Windows systems the stick is plugged into using Autorun functionality."
"T1113::[Flame] can take regular screenshots when certain applications are open that are sent to the command and control server."
"T1123::[Flame] can record audio using any existing hardware recording devices."
"T1136.001::[Flame] can create backdoor accounts with login “HelpAssistant” on domain connected systems if appropriate rights are available."
"T1210::[Flame] can use MS10-061 to exploit a print spooler vulnerability in a remote system with a shared printer in order to move laterally."
"T1218.011::Rundll32.exe is used as a way of executing [Flame] at the command-line."
"T1518.001::[Flame] identifies security software such as antivirus through the Security module."
"T1547.002::[Flame] can use Windows Authentication Packages for persistence."
"T1005::[FLASHFLOOD] searches for interesting files (either a default or customized set of file extensions) on the local system. [FLASHFLOOD] will scan the My Recent Documents, Desktop, Temporary Internet Files, and TEMP directories. [FLASHFLOOD] also collects information stored in the Windows Address Book."
"T1025::[FLASHFLOOD] searches for interesting files (either a default or customized set of file extensions) on removable media and copies them to a staging area. The default file types copied would include data copied to the drive by [SPACESHIP]."
"T1074.001::[FLASHFLOOD] stages data it copies from the local system or removable drives in the \"%WINDIR%\\$NtUninstallKB885884$\\\" directory."
"T1083::[FLASHFLOOD] searches for interesting files (either a default or customized set of file extensions) on the local system and removable media."
"T1547.001::[FLASHFLOOD] achieves persistence by making an entry in the Registry's Run key."
"T1560.003::[FLASHFLOOD] employs the same encoding scheme as [SPACESHIP] for data it stages. Data is compressed with zlib, and bytes are rotated four times before being XOR'ed with 0x23."
"T1001::[FlawedAmmyy] may obfuscate portions of the initial C2 handshake."
"T1005::[FlawedAmmyy] has collected information and files from a compromised machine."
"T1033::[FlawedAmmyy] enumerates the current user during the initial infection."
"T1041::[FlawedAmmyy] has sent data collected from a compromised host to its C2 servers."
"T1047::[FlawedAmmyy] leverages WMI to enumerate anti-virus on the victim."
"T1056.001::[FlawedAmmyy] can collect keyboard events."
"T1056::[FlawedAmmyy] can collect mouse events."
"T1059.001::[FlawedAmmyy] has used PowerShell to execute commands."
"T1059.003::[FlawedAmmyy] has used `cmd` to execute commands on a compromised host."
"T1069.001::[FlawedAmmyy] enumerates the privilege level of the victim during the initial infection."
"T1070.004::[FlawedAmmyy] can execute batch scripts to delete files."
"T1071.001::[FlawedAmmyy] has used HTTP for C2."
"T1082::[FlawedAmmyy] can collect the victim's operating system and computer name during the initial infection."
"T1105::[FlawedAmmyy] can transfer files from C2."
"T1113::[FlawedAmmyy] can capture screenshots."
"T1115::[FlawedAmmyy] can collect clipboard data."
"T1120::[FlawedAmmyy] will attempt to detect if a usable smart card is current inserted into a card reader."
"T1218.007::[FlawedAmmyy] has been installed via `msiexec.exe`."
"T1218.011::[FlawedAmmyy] has used `rundll32` for execution."
"T1518.001::[FlawedAmmyy] will attempt to detect anti-virus products during the initial infection."
"T1547.001::[FlawedAmmyy] has established persistence via the `HKCU\\SOFTWARE\\microsoft\\windows\\currentversion\\run` registry key."
"T1573.001::[FlawedAmmyy] has used SEAL encryption during the initial C2 handshake."
"T1027::[FlawedGrace] encrypts its C2 configuration files with AES in CBC mode."
"T1572::[FLIPSIDE] uses RDP to tunnel traffic from a victim environment."
"T1005::[FoggyWeb] can retrieve configuration data from a compromised AD FS server."
"T1027.004::[FoggyWeb] can compile and execute source code sent to the compromised AD FS server via a specific HTTP POST."
"T1027::[FoggyWeb] has been XOR-encoded."
"T1036.005::[FoggyWeb] can be disguised as a Visual Studio file such as `Windows.Data.TimeZones.zh-PH.pri` to evade detection. Also, [FoggyWeb]'s loader can mimic a genuine `dll` file that carries out the same import functions as the legitimate Windows `version.dll` file."
"T1036::[FoggyWeb] can masquerade the output of C2 commands as a fake, but legitimately formatted WebP file."
"T1040::[FoggyWeb] can configure custom listeners to passively monitor all incoming HTTP GET and POST requests sent to the AD FS server from the intranet/internet and intercept HTTP requests that match the custom URI patterns defined by the actor."
"T1041::[FoggyWeb] can remotely exfiltrate sensitive information from a compromised AD FS server."
"T1057::[FoggyWeb]'s loader can enumerate all Common Language Runtimes (CLRs) and running Application Domains in the compromised AD FS server's Microsoft.IdentityServer.ServiceHost.exe process."
"T1071.001::[FoggyWeb] has the ability to communicate with C2 servers over HTTP GET/POST requests."
"T1083::[FoggyWeb]'s loader can check for the [FoggyWeb] backdoor .pri file on a compromised AD FS server."
"T1105::[FoggyWeb] can receive additional malicious components from an actor controlled C2 server and execute them on a compromised AD FS server."
"T1106::[FoggyWeb]'s loader can use API functions to load the [FoggyWeb] backdoor into the same Application Domain within which the legitimate AD FS managed code is executed."
"T1129::[FoggyWeb]'s loader can call the load() function to load the [FoggyWeb] dll into an Application Domain on a compromised AD FS server."
"T1140::[FoggyWeb] can be decrypted in memory using a Lightweight Encryption Algorithm (LEA)-128 key and decoded using a XOR key."
"T1550::[FoggyWeb] can allow abuse of a compromised AD FS server's SAML token."
"T1552.004::[FoggyWeb] can retrieve token signing certificates and token decryption certificates from a compromised AD FS server."
"T1560.002::[FoggyWeb] can invoke the `Common.Compress` method to compress data with the C# GZipStream compression class."
"T1560.003::[FoggyWeb] can use a dynamic XOR key and a custom XOR methodology to encode data before exfiltration. Also, [FoggyWeb] can encode C2 command output within a legitimate WebP file."
"T1573.001::[FoggyWeb] has used a dynamic XOR key and custom XOR methodology for C2 communications."
"T1574.001::[FoggyWeb]'s loader has used DLL Search Order Hijacking to load malicious code instead of the legitimate `version.dll` during the `Microsoft.IdentityServer.ServiceHost.exe` execution process."
"T1620::[FoggyWeb]'s loader has reflectively loaded .NET-based assembly/payloads into memory."
"T1005::[FrameworkPOS] can collect elements related to credit card data from process memory."
"T1048::[FrameworkPOS] can use DNS tunneling for exfiltration of credit card data."
"T1057::[FrameworkPOS] can enumerate and exclude selected processes on a compromised host to speed execution of memory scraping."
"T1074.001::[FrameworkPOS] can identifiy payment card track data on the victim and copy it to a local file in a subdirectory of C:\\Windows\\."
"T1560.003::[FrameworkPOS] can XOR credit card information before exfiltration."
"T1027::[FruitFly] executes and stores obfuscated Perl scripts."
"T1057::[FruitFly] has the ability to list processes on the system."
"T1070.004::[FruitFly] will delete files on the system."
"T1083::[FruitFly] looks for specific files and file types."
"T1113::[FruitFly] takes screenshots of the user's desktop."
"T1543.001::[FruitFly] persists via a Launch Agent."
"T1564.001::[FruitFly] saves itself with a leading \".\" to make it a hidden file."
"T1001::[FunnyDream] can send compressed and obfuscated packets to C2."
"T1005::[FunnyDream] can upload files from victims' machines."
"T1010::[FunnyDream] has the ability to discover application windows via execution of `EnumWindows`."
"T1012::[FunnyDream] can check `Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings` to extract the `ProxyServer` string."
"T1016::[FunnyDream] can parse the `ProxyServer` string in the Registry to discover http proxies."
"T1018::[FunnyDream] can collect information about hosts on the victim network."
"T1025::The [FunnyDream] FilePakMonitor component has the ability to collect files from removable devices."
"T1027::[FunnyDream] can Base64 encode its C2 address stored in a template binary with the `xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_-` or\n`xyz0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvw_=` character sets."
"T1033::[FunnyDream] has the ability to gather user information from the targeted system using `whoami/upn&whoami/fqdn&whoami/logonid&whoami/all`."
"T1036.004::[FunnyDream] has used a service named `WSearch` for execution."
"T1041::[FunnyDream] can execute commands, including gathering user information, and send the results to C2."
"T1047::[FunnyDream] can use WMI to open a Windows command shell on a remote machine."
"T1055.001::The [FunnyDream] FilepakMonitor component can inject into the Bka.exe process using the `VirtualAllocEx`, `WriteProcessMemory` and `CreateRemoteThread` APIs to load the DLL component."
"T1056.001::The [FunnyDream] Keyrecord component can capture keystrokes."
"T1057::[FunnyDream] has the ability to discover processes, including `Bka.exe` and `BkavUtil.exe`."
"T1059.003::[FunnyDream] can use `cmd.exe` for execution on remote hosts."
"T1070.004::[FunnyDream] can delete files including its dropper component."
"T1070::[FunnyDream] has the ability to clean traces of malware deployment."
"T1074.001::[FunnyDream] can stage collected information including screen captures and logged keystrokes locally."
"T1082::[FunnyDream] can enumerate all logical drives on a targeted machine."
"T1083::[FunnyDream] can identify files with .doc, .docx, .ppt, .pptx, .xls, .xlsx, and .pdf extensions and specific timestamps for collection."
"T1090::[FunnyDream] can identify and use configured proxies in a compromised network for C2 communication."
"T1095::[FunnyDream] can communicate with C2 over TCP and UDP."
"T1105::[FunnyDream] can download additional files onto a compromised host."
"T1106::[FunnyDream] can use Native API for defense evasion, discovery, and collection."
"T1113::The [FunnyDream] ScreenCap component can take screenshots on a compromised host."
"T1119::[FunnyDream] can monitor files for changes and automatically collect them."
"T1120::The [FunnyDream] FilepakMonitor component can detect removable drive insertion."
"T1124::[FunnyDream] can check system time to help determine when changes were made to specified files."
"T1218.011::[FunnyDream] can use `rundll32` for execution of its components."
"T1518.001::[FunnyDream] can identify the processes for Bkav antivirus."
"T1543.003::[FunnyDream] has established persistence by running `sc.exe` and by setting the `WSearch` service to run automatically."
"T1547.001::[FunnyDream] can use a Registry Run Key and the Startup folder to establish persistence."
"T1559.001::[FunnyDream] can use com objects identified with `CLSID_ShellLink`(`IShellLink` and `IPersistFile`) and `WScript.Shell`(`RegWrite` method) to enable persistence mechanisms."
"T1560.002::[FunnyDream] has compressed collected files with zLib."
"T1560.003::[FunnyDream] has compressed collected files with zLib and encrypted them using an XOR operation with the string key from the command line or `qwerasdf` if the command line argument doesn’t contain the key. File names are obfuscated using XOR with the same key as the compressed file content."
"T1572::[FunnyDream] can connect to HTTP proxies via TCP to create a tunnel to C2."
"T1027.002::[FYAnti] has used ConfuserEx to pack its .NET module."
"T1083::[FYAnti] can search the C:\\Windows\\Microsoft.NET\\ directory for files of a specified size."
"T1105::[FYAnti] can download additional payloads to a compromised host."
"T1140::[FYAnti] has the ability to decrypt an embedded .NET module."
"T1027::[Fysbis] has been encrypted using XOR and RC4."
"T1036.004::[Fysbis] has masqueraded as the rsyncd and dbus-inotifier services."
"T1036.005::[Fysbis] has masqueraded as trusted software rsyncd and dbus-inotifier."
"T1056.001::[Fysbis] can perform keylogging."
"T1057::[Fysbis] can collect information about running processes."
"T1059.004::[Fysbis] has the ability to create and execute commands in a remote shell for CLI."
"T1070.004::[Fysbis] has the ability to delete files."
"T1082::[Fysbis] has used the command ls /etc | egrep -e\"fedora\\*|debian\\*|gentoo\\*|mandriva\\*|mandrake\\*|meego\\*|redhat\\*|lsb-\\*|sun-\\*|SUSE\\*|release\" to determine which Linux OS version is running."
"T1083::[Fysbis] has the ability to search for files."
"T1132.001::[Fysbis] can use Base64 to encode its C2 traffic."
"T1543.002::[Fysbis] has established persistence using a systemd service."
"T1547.013::[Fysbis] has installed itself as an autostart entry under ~/.config/autostart/dbus-inotifier.desktop to establish persistence."
"T1027::[Gazer] logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources."
"T1033::[Gazer] obtains the current user's security identifier."
"T1053.005::[Gazer] can establish persistence by creating a scheduled task."
"T1055.003::[Gazer] performs thread execution hijacking to inject its orchestrator into a running thread from a remote process."
"T1055::[Gazer] injects its communication module into an Internet accessible process through which it performs C2."
"T1070.004::[Gazer] has commands to delete files and persistence mechanisms from the victim."
"T1070.006::For early [Gazer] versions, the compilation timestamp was faked."
"T1071.001::[Gazer] communicates with its C2 servers over HTTP."
"T1105::[Gazer] can execute a task to download a file."
"T1546.002::[Gazer] can establish persistence through the system screensaver by configuring it to execute the malware."
"T1547.001::[Gazer] can establish persistence by creating a .lnk file in the Start menu."
"T1547.004::[Gazer] can establish persistence by setting the value “Shell” with “explorer.exe, %malware_pathfile%” under the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon."
"T1547.009::[Gazer] can establish persistence by creating a .lnk file in the Start menu or by modifying existing .lnk files to execute the malware through cmd.exe."
"T1553.002::[Gazer] versions are signed with various valid certificates; one was likely faked and issued by Comodo for \"Solid Loop Ltd,\" and another was issued for \"Ultimate Computer Support Ltd.\""
"T1564.004::[Gazer] stores configuration items in alternate data streams (ADSs) if the Registry is not accessible."
"T1573.001::[Gazer] uses custom encryption for C2 that uses 3DES."
"T1573.002::[Gazer] uses custom encryption for C2 that uses RSA."
"T1007::[GeminiDuke] collects information on programs and services on the victim that are configured to automatically run at startup."
"T1016::[GeminiDuke] collects information on network settings and Internet proxy settings from the victim."
"T1057::[GeminiDuke] collects information on running processes and environment variables from the victim."
"T1071.001::[GeminiDuke] uses HTTP and HTTPS for command and control."
"T1083::[GeminiDuke] collects information from the victim, including installed drivers, programs previously executed by users, programs and services configured to automatically run at startup, files and folders present in any user's home folder, files and folders present in any user's My Documents, programs installed to the Program Files folder, and recently accessed files, folders, and programs."
"T1087.001::[GeminiDuke] collects information on local user accounts from the victim."
"T1033::[Get2] has the ability to identify the current username of an infected host."
"T1055.001::[Get2] has the ability to inject DLLs into processes."
"T1057::[Get2] has the ability to identify running processes on an infected host."
"T1059::[Get2] has the ability to run executables with command-line arguments."
"T1071.001::[Get2] has the ability to use HTTP to send information collected from an infected host to C2."
"T1082::[Get2] has the ability to identify the computer name and Windows version of an infected host."
"T1012::[gh0st RAT] has checked for the existence of a Service key to determine if it has already been installed on the system."
"T1055::[gh0st RAT] can inject malicious code into process created by the “Command_Create&Inject” function."
"T1056.001::[gh0st RAT] has a keylogger."
"T1057::[gh0st RAT] has the capability to list processes."
"T1059::[gh0st RAT] is able to open a remote shell to execute commands."
"T1070.001::[gh0st RAT] is able to wipe event logs."
"T1070.004::[gh0st RAT] has the capability to to delete files."
"T1082::[gh0st RAT] has gathered system architecture, processor, OS configuration, and installed hardware information."
"T1095::[gh0st RAT] has used an encrypted protocol within TCP segments to communicate with the C2."
"T1105::[gh0st RAT] can download files to the victim’s machine."
"T1106::[gh0st RAT] has used the `InterlockedExchange`, `SeShutdownPrivilege`, and `ExitWindowsEx` Windows API functions."
"T1112::[gh0st RAT] has altered the InstallTime subkey."
"T1113::[gh0st RAT] can capture the victim’s screen remotely."
"T1129::[gh0st RAT] can load DLLs into memory."
"T1132.001::[gh0st RAT] has used Zlib to compress C2 communications data before encrypting it."
"T1140::[gh0st RAT] has decrypted and loaded the [gh0st RAT] DLL into memory, once the initial dropper executable is launched."
"T1218.011::A [gh0st RAT] variant has used rundll32 for execution."
"T1543.003::[gh0st RAT] can create a new service to establish persistence."
"T1547.001::[gh0st RAT] has added a Registry Run key to establish persistence."
"T1568.001::[gh0st RAT] operators have used dynamic DNS to mask the true location of their C2 behind rapidly changing IP addresses."
"T1569.002::[gh0st RAT] can execute its service if the Service key exists. If the key does not exist, [gh0st RAT] will create and run the service."
"T1573.001::[gh0st RAT] uses RC4 and XOR to encrypt C2 traffic."
"T1573::[gh0st RAT] has encrypted TCP communications to evade detection."
"T1574.002::A [gh0st RAT] variant has used DLL side-loading."
"T1102.002::[GLOOXMAIL] communicates to servers operated by Google using the Jabber/XMPP protocol."
"T1012::[Gold Dragon] enumerates registry keys with the command regkeyenum and obtains information for the Registry key HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run."
"T1033::[Gold Dragon] collects the endpoint victim's username and uses it as a basis for downloading additional components from the C2 server."
"T1057::[Gold Dragon] checks the running processes on the victim’s machine."
"T1059.003::[Gold Dragon] uses cmd.exe to execute commands for discovery."
"T1070.004::[Gold Dragon] deletes one of its files, 2.hwp, from the endpoint after establishing persistence."
"T1071.001::[Gold Dragon] uses HTTP for communication to the control servers."
"T1074.001::[Gold Dragon] stores information gathered from the endpoint in a file named 1.hwp."
"T1082::[Gold Dragon] collects endpoint information using the systeminfo command."
"T1083::[Gold Dragon] lists the directories for Desktop, program files, and the user’s recently accessed files."
"T1105::[Gold Dragon] can download additional components from the C2 server."
"T1518.001::[Gold Dragon] checks for anti-malware products and processes."
"T1547.001::[Gold Dragon] establishes persistence in the Startup folder."
"T1560::[Gold Dragon] encrypts data using Base64 before being sent to the command and control server."
"T1562.001::[Gold Dragon] terminates anti-malware processes if they’re found running on the system."
"T1027::[GoldenSpy]'s uninstaller has base64-encoded its variables."
"T1036.005::[GoldenSpy]'s setup file installs initial executables under the folder %WinDir%\\System32\\PluginManager."
"T1041::[GoldenSpy] has exfiltrated host environment information to an external C2 domain via port 9006."
"T1059.003::[GoldenSpy] can execute remote commands via the command-line interface."
"T1070.004::[GoldenSpy]'s uninstaller can delete registry entries, files and folders, and finally itself once these tasks have been completed."
"T1071.001::[GoldenSpy] has used the Ryeol HTTP Client to facilitate HTTP internet communication."
"T1082::[GoldenSpy] has gathered operating system information."
"T1083::[GoldenSpy] has included a program \"ExeProtector\", which monitors for the existence of [GoldenSpy] on the infected system and redownloads if necessary."
"T1105::[GoldenSpy] constantly attempts to download and execute files from the remote C2, including [GoldenSpy] itself if not found on the system."
"T1106::[GoldenSpy] can execute remote commands in the Windows command shell using the WinExec() API."
"T1136.001::[GoldenSpy] can create new users on an infected system."
"T1195.002::[GoldenSpy] has been packaged with a legitimate tax preparation software."
"T1497.003::[GoldenSpy]'s installer has delayed installation of [GoldenSpy] for two hours after it reaches a victim system."
"T1543.003::[GoldenSpy] has established persistence by running in the background as an autostart service."
"T1571::[GoldenSpy] has used HTTP over ports 9005 and 9006 for network traffic, 9002 for C2 requests, 33666 as a WebSocket, and 8090 to download files."
"T1016.001::[GoldFinder] performed HTTP GET requests to check internet connectivity and identify HTTP proxy servers and other redirectors that an HTTP request traveled through."
"T1071.001::[GoldFinder] has used HTTP for C2."
"T1119::[GoldFinder] logged and stored information related to the route or hops a packet took from a compromised machine to a hardcoded C2 server, including the target C2 URL, HTTP response/status code, HTTP response headers and values, and data received from the C2 node."
"T1001.001::[GoldMax] has used decoy traffic to surround its malicious network traffic to avoid detection."
"T1016::[GoldMax] retrieved a list of the system's network interface after execution."
"T1027.002::[GoldMax] has been packed for obfuscation."
"T1027::[GoldMax] has written AES-encrypted and Base64-encoded configuration files to disk."
"T1036.004::[GoldMax] has impersonated systems management software to avoid detection."
"T1036.005::[GoldMax] has used filenames that matched the system name, and appeared as a scheduled task impersonating systems management software within the corresponding ProgramData subfolder."
"T1041::[GoldMax] can exfiltrate files over the existing C2 channel."
"T1053.003::The [GoldMax] Linux variant has used a crontab entry with a @reboot line to gain persistence."
"T1053.005::[GoldMax] has used scheduled tasks to maintain persistence."
"T1059.003::[GoldMax] can spawn a command shell, and execute native commands."
"T1071.001::[GoldMax] has used HTTPS and HTTP GET requests with custom HTTP cookies for C2."
"T1105::[GoldMax] can download and execute additional files."
"T1124::[GoldMax] can check the current date-time value of the compromised system, comparing it to the hardcoded execution trigger and can send the current timestamp to the C2 server."
"T1140::[GoldMax] has decoded and decrypted the configuration file when executed."
"T1497.001::[GoldMax] will check if it is being run in a virtualized environment by comparing the collected MAC address to c8:27:cc:c2:37:5a."
"T1497.003::[GoldMax] has set an execution trigger date and time, stored as an ASCII Unix/Epoch time value."
"T1573.002::[GoldMax] has RSA-encrypted its communication with the C2 server."
"T1005::[Goopy] has the ability to exfiltrate documents from infected systems."
"T1027.001::[Goopy] has had null characters padded in its malicious DLL payload."
"T1027::[Goopy]'s decrypter have been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis."
"T1033::[Goopy] has the ability to enumerate the infected system's user name."
"T1036.005::[Goopy] has impersonated the legitimate goopdate.dll, which was dropped on the target system with a legitimate GoogleUpdate.exe."
"T1041::[Goopy] has the ability to exfiltrate data over the Microsoft Outlook C2 channel."
"T1053.005::[Goopy] has the ability to maintain persistence by creating scheduled tasks set to run every hour."
"T1057::[Goopy] has checked for the Google Updater process to ensure [Goopy] was loaded properly."
"T1059.003::[Goopy] has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel."
"T1059.005::[Goopy] has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2."
"T1070.008::[Goopy] has the ability to delete emails used for C2 once the content has been copied."
"T1071.001::[Goopy] has the ability to communicate with its C2 over HTTP."
"T1071.003::[Goopy] has the ability to use a Microsoft Outlook backdoor macro to communicate with its C2."
"T1071.004::[Goopy] has the ability to communicate with its C2 over DNS."
"T1106::[Goopy] has the ability to  enumerate the infected system's user name via GetUserNameW."
"T1140::[Goopy] has used a polymorphic decryptor to decrypt itself at runtime."
"T1562.001::[Goopy] has the ability to disable Microsoft Outlook's security policies to disable macro warnings."
"T1574.002::[Goopy] has the ability to side-load malicious DLLs with legitimate applications from Kaspersky, Microsoft, and Google."
"T1010::[Grandoreiro] can identify installed security tools based on window names."
"T1016::[Grandoreiro] can determine the IP and physical location of the compromised host via IPinfo."
"T1027.001::[Grandoreiro] has added BMP images to the resources section of its Portable Executable (PE) file increasing each binary to at least 300MB in size."
"T1027::The [Grandoreiro] payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file."
"T1033::[Grandoreiro] can collect the username from the victim's machine."
"T1036.005::[Grandoreiro] has named malicious browser extensions and update files to appear legitimate."
"T1041::[Grandoreiro] can send data it retrieves to the C2 server."
"T1056.001::[Grandoreiro] can log keystrokes on the victim's machine."
"T1057::[Grandoreiro] can identify installed security tools based on process names."
"T1059.005::[Grandoreiro] can use VBScript to execute malicious code."
"T1070.004::[Grandoreiro] can delete .LNK files created in the Startup folder."
"T1071.001::[Grandoreiro] has the ability to use HTTP in C2 communications."
"T1082::[Grandoreiro] can collect the computer name and OS version from a compromised host."
"T1087.003::[Grandoreiro] can parse Outlook .pst files to extract e-mail addresses."
"T1102.001::[Grandoreiro] can obtain C2 information from Google Docs."
"T1102.002::[Grandoreiro] can utilize web services including Google sites to send and receive C2 data."
"T1105::[Grandoreiro] can download its second stage from a hardcoded URL within the loader's code."
"T1106::[Grandoreiro] can execute through the WinExec API."
"T1112::[Grandoreiro] can store its configuration in the Registry at HKCU\\Software\\ under frequently changing names including %USERNAME% and ToolTech-RM."
"T1115::[Grandoreiro] can capture clipboard data from a compromised host."
"T1124::[Grandoreiro] can determine the time on the victim machine via IPinfo."
"T1140::[Grandoreiro] can decrypt its encrypted internal strings."
"T1176::[Grandoreiro] can use malicious browser extensions to steal cookies and other user information."
"T1185::[Grandoreiro] can monitor browser activity for online banking actions and display full-screen overlay images to block user access to the intended site or present additional data fields."
"T1189::[Grandoreiro] has used compromised websites and Google Ads to bait victims into downloading its installer."
"T1204.001::[Grandoreiro] has used malicious links to gain execution on victim machines."
"T1204.002::[Grandoreiro] has infected victims via malicious attachments."
"T1218.007::[Grandoreiro] can use MSI files to execute DLLs."
"T1222.001::[Grandoreiro] can modify the binary ACL to prevent security tools from running."
"T1497.001::[Grandoreiro] can detect VMWare via its I/O port and Virtual PC via the vpcext instruction."
"T1518.001::[Grandoreiro] can list installed security products including the Trusteer and Diebold Warsaw GAS Tecnologia online banking protections."
"T1539::[Grandoreiro] can steal the victim's cookies to use for duplicating the active session from another device."
"T1547.001::[Grandoreiro] can use run keys and create link files in the startup folder for persistence."
"T1547.009::[Grandoreiro] can write or modify browser shortcuts to enable launching of malicious browser extensions."
"T1548.002::[Grandoreiro] can bypass UAC by registering as the default handler for .MSC files."
"T1555.003::[Grandoreiro] can steal cookie data and credentials from Google Chrome."
"T1562.001::[Grandoreiro] can hook APIs, kill processes, break file system paths, and change ACLs to prevent security tools from running."
"T1562.004::[Grandoreiro] can block the Deibold Warsaw GAS Tecnologia security tool at the firewall level."
"T1566.002::[Grandoreiro] has been spread via malicious links embedded in e-mails."
"T1568.002::[Grandoreiro] can use a DGA for hiding C2 addresses, including use of an algorithm with a user-specific key that changes daily."
"T1573.002::[Grandoreiro] can use SSL in C2 communication."
"T1005::[GravityRAT] steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf."
"T1007::[GravityRAT] has a feature to list the available services on the system."
"T1016::[GravityRAT] collects the victim IP address, MAC address, as well as the victim account domain name."
"T1025::[GravityRAT] steals files based on an extension list if a USB drive is connected to the system."
"T1027.005::The author of [GravityRAT] submitted samples to VirusTotal for testing, showing that the author modified the code to try to hide the DDE object in a different part of the document."
"T1027::[GravityRAT] supports file encryption (AES with the key \"lolomycin2017\")."
"T1033::[GravityRAT] collects the victim username along with other account information (account type, description, full name, SID and status)."
"T1047::[GravityRAT] collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed)."
"T1049::[GravityRAT] uses the netstat command to find open ports on the victim’s machine."
"T1053.005::[GravityRAT] creates a scheduled task to ensure it is re-executed everyday."
"T1057::[GravityRAT] lists the running processes on the system."
"T1059.003::[GravityRAT] executes commands remotely on the infected host."
"T1071.001::[GravityRAT] uses HTTP for C2."
"T1082::[GravityRAT] collects the MAC address, computer name, and CPU information."
"T1083::[GravityRAT] collects the volumes mapped on the system, and also steals files with the following extensions: .docx, .doc, .pptx, .ppt, .xlsx, .xls, .rtf, and .pdf."
"T1124::[GravityRAT] can obtain the date and time of a system."
"T1497.001::[GravityRAT] uses WMI to check the BIOS and manufacturer information for strings like \"VMWare\", \"Virtual\", and \"XEN\" and another WMI request to get the current temperature of the hardware to determine if it's a virtual machine environment."
"T1559.002::[GravityRAT] has been delivered via Word documents using DDE for execution."
"T1571::[GravityRAT] has used HTTP over a non-standard port, such as TCP port 46769."
"T1005::[Green Lambert] can collect data from a compromised host."
"T1016::[Green Lambert] can obtain proxy information from a victim's machine using system environment variables."
"T1027::[Green Lambert] has encrypted strings."
"T1036.004::[Green Lambert] has created a new executable named `Software Update Check` to appear legitimate."
"T1036.005::[Green Lambert] has been disguised as a Growl help file."
"T1037.004::[Green Lambert] can add init.d and rc.d files in the /etc folder to establish persistence."
"T1059.004::[Green Lambert] can use shell scripts for execution, such as /bin/sh -c."
"T1070.004::[Green Lambert] can delete the original executable after initial installation in addition to unused functions."
"T1071.004::[Green Lambert] can use DNS for C2 communications."
"T1082::[Green Lambert] can use `uname` to identify the operating system name, version, and processor type."
"T1090::[Green Lambert] can use proxies for C2 traffic."
"T1124::[Green Lambert] can collect the date and time from a compromised host."
"T1140::[Green Lambert] can use multiple custom routines to decrypt strings prior to execution."
"T1543.001::[Green Lambert] can create a [Launch Agent] with the `RunAtLoad` key-value pair set to true, ensuring the `com.apple.GrowlHelper.plist` file runs every time a user logs in."
"T1543.004::[Green Lambert] can add a plist file in the `Library/LaunchDaemons` to establish persistence."
"T1546.004::[Green Lambert] can establish persistence on a compromised host through modifying the `profile`, `login`, and run command (rc) files associated with the `bash`, `csh`, and `tcsh` shells."
"T1547.015::[Green Lambert] can add [Login Items] to establish persistence."
"T1555.001::[Green Lambert] can use Keychain Services API functions to find and collect passwords, such as `SecKeychainFindInternetPassword` and `SecKeychainItemCopyAttributesAndData`."
"T1003.001::[GreyEnergy] has a module for [Mimikatz] to collect Windows credentials from the victim’s machine."
"T1007::[GreyEnergy] enumerates all Windows services."
"T1027.002::[GreyEnergy] is packed for obfuscation."
"T1027::[GreyEnergy] encrypts its configuration files with AES-256 and also encrypts its strings."
"T1055.002::[GreyEnergy] has a module to inject a PE binary into a remote process."
"T1056.001::[GreyEnergy] has a module to harvest pressed keystrokes."
"T1059.003::[GreyEnergy] uses cmd.exe to execute itself in-memory."
"T1070.004::[GreyEnergy] can securely delete a file by hooking into the DeleteFileA and DeleteFileW functions in the Windows API."
"T1071.001::[GreyEnergy] uses HTTP and HTTPS for C2 communications."
"T1090.003::[GreyEnergy] has used Tor relays for Command and Control servers."
"T1105::[GreyEnergy] can download additional modules and payloads."
"T1112::[GreyEnergy] modifies conditions in the Registry and adds keys."
"T1218.011::[GreyEnergy] uses PsExec locally in order to execute rundll32.exe at the highest privileges (NTAUTHORITY\\SYSTEM)."
"T1543.003::[GreyEnergy] chooses a service, drops a DLL file, and writes it to that serviceDLL Registry key."
"T1553.002::[GreyEnergy] digitally signs the malware with a code-signing certificate."
"T1573.001::[GreyEnergy] encrypts communications using AES256."
"T1573.002::[GreyEnergy] encrypts communications using RSA-2048."
"T1053.005::[GRIFFON] has used sctasks for persistence."
"T1059.001::[GRIFFON] has used PowerShell to execute the Meterpreter downloader TinyMet."
"T1059.007::[GRIFFON] is written in and executed as [JavaScript]."
"T1069.002::[GRIFFON] has used a reconnaissance module that can be used to retrieve Windows domain membership information."
"T1082::[GRIFFON] has used a reconnaissance module that can be used to retrieve information about a victim's computer, including the resolution of the workstation ."
"T1113::[GRIFFON] has used a screenshot module that can be used to take a screenshot of the remote system."
"T1124::[GRIFFON] has used a reconnaissance module that can be used to retrieve the date and time of the system."
"T1547.001::[GRIFFON] has used a persistence module that stores the implant inside the Registry, which executes at logon."
"T1001.001::[GrimAgent]  can pad C2 messages with random generated values."
"T1005::[GrimAgent] can collect data and files from a compromised host."
"T1016::[GrimAgent] can enumerate the IP and domain of a target system."
"T1027.001::[GrimAgent] has the ability to add bytes to change the file hash."
"T1027::[GrimAgent] has used Rotate on Right (RoR) and Rotate on Left (RoL) functionality to encrypt strings."
"T1033::[GrimAgent] can identify the user id on a target machine."
"T1041::[GrimAgent] has sent data related to a compromise host over its C2 channel."
"T1053.005::[GrimAgent] has the ability to set persistence using the Task Scheduler."
"T1059.003::[GrimAgent] can use the Windows Command Shell to execute commands, including its own removal."
"T1070.004::[GrimAgent] can delete old binaries on a compromised host."
"T1070.009::[GrimAgent] can delete previously created tasks on a compromised host."
"T1071.001::[GrimAgent] has the ability to use HTTP for C2 communications."
"T1082::[GrimAgent] can collect the OS, and build version on a compromised host."
"T1083::[GrimAgent] has the ability to enumerate files and directories on a compromised host."
"T1105::[GrimAgent] has the ability to download and execute additional payloads."
"T1106::[GrimAgent] can use Native API including GetProcAddress and ShellExecuteW."
"T1132.001::[GrimAgent] can base64 encode C2 replies."
"T1140::[GrimAgent] can use a decryption algorithm for strings based on Rotate on Right (RoR) and Rotate on Left (RoL) functionality."
"T1497.003::[GrimAgent] can sleep for 195 - 205 seconds after payload execution and before deleting its task."
"T1547.001::[GrimAgent] can set persistence with a Registry run key."
"T1573.001::[GrimAgent] can use an AES key to encrypt C2 communications."
"T1573.002::[GrimAgent] can use a hardcoded server public RSA key to encrypt the first request to C2."
"T1614.001::[GrimAgent] has used Accept-Language to identify hosts in the United Kingdom, United States, France, and Spain."
"T1614::[GrimAgent] can identify the country code on a compromised host."
"T1055::[GuLoader] has the ability to inject shellcode into a donor processes that is started in a suspended state. [GuLoader] has previously used RegAsm as a donor process."
"T1070.004::[GuLoader] can delete its executable from the AppData\\Local\\Temp directory on the compromised host."
"T1071.001::[GuLoader] can use HTTP to retrieve additional binaries."
"T1102::[GuLoader] has the ability to download malware from Google Drive."
"T1105::[GuLoader] can download further malware for execution on the victim's machine."
"T1106::[GuLoader] can use a number of different APIs for discovery and execution."
"T1204.001::[GuLoader] has relied upon users clicking on links to malicious documents."
"T1204.002::The [GuLoader] executable has been retrieved via embedded macros in malicious Word documents."
"T1497.001::[GuLoader] has the ability to perform anti-VM and anti-sandbox checks using string hashing, the API call EnumWindows, and checking for Qemu guest agent."
"T1497.003::[GuLoader] has the ability to perform anti-debugging based on time checks, API calls, and CPUID."
"T1547.001::[GuLoader] can establish persistence via the Registry under HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce."
"T1566.002::[GuLoader] has been spread in phishing campaigns using malicious web links."
"T1027.002::[H1N1] uses a custom packing algorithm."
"T1027::[H1N1] uses multiple techniques to obfuscate strings, including XOR."
"T1059.003::[H1N1] kills and disables services by using cmd.exe."
"T1080::[H1N1] has functionality to copy itself to network shares."
"T1091::[H1N1] has functionality to copy itself to removable media."
"T1105::[H1N1] contains a command to download and execute a file from a remotely hosted URL using WinINet HTTP requests."
"T1132::[H1N1] obfuscates C2 traffic with an altered version of base64."
"T1490::[H1N1] disable recovery options and deletes shadow copies from the victim."
"T1548.002::[H1N1] bypasses user access control by using a DLL hijacking vulnerability in the Windows Update Standalone Installer (wusa.exe)."
"T1555.003::[H1N1] dumps usernames and passwords from Firefox, Internet Explorer, and Outlook."
"T1562.001::[H1N1] kills and disables services for Windows Security Center, and Windows Defender."
"T1562.004::[H1N1] kills and disables services for Windows Firewall."
"T1573.001::[H1N1] encrypts C2 traffic using an RC4 key."
"T1014::[Hacking Team UEFI Rootkit] is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems."
"T1542.001::[Hacking Team UEFI Rootkit] is a UEFI BIOS rootkit developed by the company Hacking Team to persist remote access software on some targeted systems."
"T1047::[HALFBAKED] can use WMI queries to gather system information."
"T1057::[HALFBAKED] can obtain information about running processes on the victim."
"T1059.001::[HALFBAKED] can execute PowerShell scripts."
"T1070.004::[HALFBAKED] can delete a specified file."
"T1082::[HALFBAKED] can obtain information about the OS, processor, and BIOS."
"T1113::[HALFBAKED] can obtain screenshots from the victim."
"T1001.002::[HAMMERTOSS] is controlled via commands that are appended to image files."
"T1059.001::[HAMMERTOSS] is known to use PowerShell."
"T1071.001::The \"Uploader\" variant of [HAMMERTOSS] visits a hard-coded server over HTTP/S to download the images [HAMMERTOSS] uses to receive commands."
"T1102.003::The \"tDiscoverer\" variant of [HAMMERTOSS] establishes a C2 channel by downloading resources from Web services like Twitter and GitHub. [HAMMERTOSS] binaries contain an algorithm that generates a different Twitter handle for the malware to check for instructions every day."
"T1564.003::[HAMMERTOSS] has used -WindowStyle hidden to conceal [PowerShell] windows."
"T1567.002::[HAMMERTOSS] exfiltrates data by uploading it to accounts created by the actors on Web cloud storage providers for the adversaries to retrieve later."
"T1573.001::Before being appended to image files, [HAMMERTOSS] commands are encrypted with a key composed of both a hard-coded value and a string contained on that day's tweet. To decrypt the commands, an investigator would need access to the intended malware sample, the day's tweet, and the image file containing the command."
"T1027::[Hancitor] has used Base64 to encode malicious links. [Hancitor] has also delivered compressed payloads in ZIP files to victims."
"T1059.001::[Hancitor] has used PowerShell to execute commands."
"T1070.004::[Hancitor] has deleted files using the VBA kill function."
"T1105::[Hancitor] has the ability to download additional files from C2."
"T1106::[Hancitor] has used CallWindowProc and EnumResourceTypesA to interpret and execute shellcode."
"T1140::[Hancitor] has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. [Hancitor] has also extracted executables from ZIP files."
"T1204.001::[Hancitor] has relied upon users clicking on a malicious link delivered through phishing."
"T1204.002::[Hancitor] has used malicious Microsoft Word documents, sent via email, which prompted the victim to enable macros."
"T1218.012::[Hancitor] has used verclsid.exe to download and execute a malicious script."
"T1497::[Hancitor] has used a macro to check that an ActiveDocument shape object in the lure message is present. If this object is not found, the macro will exit without downloading additional payloads."
"T1547.001::[Hancitor]  has added Registry Run keys to establish persistence."
"T1566.001::[Hancitor] has been delivered via phishing emails with malicious attachments."
"T1566.002::[Hancitor] has been delivered via phishing emails which contained malicious links."
"T1033::can collect the victim user name."
"T1082::can collect system information, including computer name, system manufacturer, IsDebuggerPresent state, and execution path."
"T1105::can download and execute a second-stage payload."
"T1001.003::[HARDRAIN] uses FakeTLS to communicate with its C2 server."
"T1059.003::[HARDRAIN] uses cmd.exe to execute netshcommands."
"T1090::[HARDRAIN] uses the command cmd.exe /c netsh firewall add portopening TCP 443 \"adp\" and makes the victim machine function as a proxy server."
"T1562.004::[HARDRAIN] opens the Windows Firewall to modify incoming connections."
"T1571::[HARDRAIN] binds and listens on port 443 with a FakeTLS method."
"T1027::[HAWKBALL] has encrypted the payload with an XOR-based algorithm."
"T1033::[HAWKBALL] can collect the user name of the system."
"T1041::[HAWKBALL] has sent system information and files over the C2 channel."
"T1059.003::[HAWKBALL] has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line."
"T1070.004::[HAWKBALL] has the ability to delete files."
"T1071.001::[HAWKBALL] has used HTTP to communicate with a single hard-coded C2 server."
"T1082::[HAWKBALL] can collect the OS version, architecture information, and computer name."
"T1106::[HAWKBALL] has leveraged several Windows API calls to create processes, gather disk information, and detect debugger activity."
"T1203::[HAWKBALL] has exploited Microsoft Office vulnerabilities CVE-2017-11882 and CVE-2018-0802 to deliver the payload."
"T1559.002::[HAWKBALL] has used an OLE object that uses Equation Editor to drop the embedded shellcode."
"T1560.003::[HAWKBALL] has encrypted data with XOR before sending it over the C2 channel."
"T1059.003::[hcdLoader] provides command-line access to the compromised system."
"T1543.003::[hcdLoader] installs itself as a service for persistence."
"T1046::[HDoor] scans to identify open ports on the victim."
"T1562.001::[HDoor] kills anti-virus found on the victim."
"T1047::[HELLOKITTY] can use WMI to delete volume shadow copies."
"T1057::[HELLOKITTY] can search for specific processes to terminate."
"T1082::[HELLOKITTY] can enumerate logical drives on a target system."
"T1135::[HELLOKITTY] has the ability to enumerate network resources."
"T1486::[HELLOKITTY] can use an embedded RSA-2048 public key to encrypt victim data for ransom."
"T1490::[HELLOKITTY] can delete volume shadow copies on compromised hosts."
"T1027::The [Helminth] config file is encrypted with RC4."
"T1030::[Helminth] splits data into chunks up to 23 bytes and sends the data in DNS queries to its C2 server."
"T1053.005::[Helminth] has used a scheduled task for persistence."
"T1056.001::The executable version of [Helminth] has a module to log keystrokes."
"T1057::[Helminth] has used [Tasklist] to get information on processes."
"T1059.001::One version of [Helminth] uses a PowerShell script."
"T1059.003::[Helminth] can provide a remote shell. One version of [Helminth] uses batch scripting."
"T1059.005::One version of [Helminth] consists of VBScript scripts."
"T1069.001::[Helminth] has checked the local administrators group."
"T1069.002::[Helminth] has checked for the domain admin group and Exchange Trusted Subsystem groups using the commands net group Exchange Trusted Subsystem /domain and net group domain admins /domain."
"T1071.001::[Helminth] can use HTTP for C2."
"T1071.004::[Helminth] can use DNS for C2."
"T1074.001::[Helminth] creates folders to store output from batch scripts prior to sending the information to its C2 server."
"T1105::[Helminth] can download additional files."
"T1115::The executable version of [Helminth] has a module to log clipboard contents."
"T1119::A [Helminth] VBScript receives a batch script to execute a set of commands in a command prompt."
"T1132.001::For C2 over HTTP, [Helminth] encodes data with base64 and sends it via the \"Cookie\" field of HTTP requests. For C2 over DNS, [Helminth] converts ASCII characters into their hexadecimal values and sends the data in cleartext."
"T1547.001::[Helminth] establishes persistence by creating a shortcut in the Start Menu folder."
"T1547.009::[Helminth] establishes persistence by creating a shortcut."
"T1553.002::[Helminth] samples have been signed with legitimate, compromised code signing certificates owned by software company AI Squared."
"T1573.001::[Helminth] encrypts data sent to its C2 server over HTTP with RC4."
"T1027::[HermeticWiper] can compress 32-bit and 64-bit driver files with the Lempel-Ziv algorithm."
"T1036.005::[HermeticWiper] has used the name `postgressql.exe` to mask a malicious payload."
"T1053.005::[HermeticWiper] has the ability to use scheduled tasks for execution."
"T1059.003::[HermeticWiper] can use `cmd.exe /Q/c move CSIDL_SYSTEM_DRIVE\\temp\\sys.tmp1 CSIDL_WINDOWS\\policydefinitions\\postgresql.exe 1> \\\\127.0.0.1\\ADMIN$\\_1636727589.6007507 2>&1` to deploy on an infected system."
"T1070.001::[HermeticWiper] can overwrite the `C:\\Windows\\System32\\winevt\\Logs` file on a targeted system."
"T1070.004::[HermeticWiper] has the ability to overwrite its own file with random bites."
"T1070::[HermeticWiper] can disable pop-up information about folders and desktop items and delete Registry keys to hide malicious services."
"T1082::[HermeticWiper] can determine the OS version, bitness, and enumerate physical drives on a targeted host."
"T1083::[HermeticWiper] can enumerate common folders such as My Documents, Desktop, and AppData."
"T1106::[HermeticWiper] can call multiple Windows API functions used for privilege escalation, service execution, and to overwrite random bites of data."
"T1112::[HermeticWiper] has the ability to modify Registry keys to disable crash dumps, colors for compressed files, and pop-up information about folders and desktop items."
"T1134::[HermeticWiper] can use `AdjustTokenPrivileges` to grant itself privileges for debugging with `SeDebugPrivilege`, creating backups with `SeBackupPrivilege`, loading drivers with `SeLoadDriverPrivilege`, and shutting down a local system with `SeShutdownPrivilege`."
"T1140::[HermeticWiper] can decompress and copy driver files using `LZCopy`."
"T1484.001::[HermeticWiper] has the ability to deploy through an infected system's default domain policy."
"T1485::[HermeticWiper] can recursively wipe folders and files in `Windows`, `Program Files`, `Program Files(x86)`, `PerfLogs`, `Boot, System`, `Volume Information`, and `AppData` folders using `FSCTL_MOVE_FILE`. [HermeticWiper] can also overwrite symbolic links and big files in `My Documents` and on the Desktop with random bytes."
"T1489::[HermeticWiper] has the ability to stop the Volume Shadow Copy service."
"T1490::[HermeticWiper] can disable the VSS service on a compromised host using the service control manager."
"T1497.003::[HermeticWiper] has the ability to receive a command parameter to sleep prior to carrying out destructive actions on a targeted host."
"T1529::[HermeticWiper] can initiate a system shutdown."
"T1543.003::[HermeticWiper] can load drivers by creating a new service using the `CreateServiceW` API."
"T1553.002::The [HermeticWiper] executable has been signed with a legitimate certificate issued to Hermetica Digital Ltd."
"T1561.001::[HermeticWiper] has the ability to corrupt disk partitions and obtain raw disk access to destroy data."
"T1561.002::[HermeticWiper] has the ability to corrupt disk partitions, damage the Master Boot Record (MBR), and overwrite the Master File Table (MFT) of all available physical drives."
"T1562.006::[HermeticWiper] has the ability to set the `HKLM:\\SYSTEM\\\\CurrentControlSet\\\\Control\\\\CrashControl\\CrashDumpEnabled` Registry key to `0` in order to disable crash dumps."
"T1569.002::[HermeticWiper] can create system services to aid in executing the payload."
"T1018::[HermeticWizard] can find machines on the local network by gathering known local IP addresses through `DNSGetCacheDataTable`, `GetIpNetTable`,`WNetOpenEnumW(RESOURCE_GLOBALNET, RESOURCETYPE_ANY)`,`NetServerEnum`,`GetTcpTable`, and `GetAdaptersAddresses.`"
"T1021.002::[HermeticWizard] can use a list of hardcoded credentials to to authenticate via NTLMSSP to the SMB shares on remote systems."
"T1027::[HermeticWizard] has the ability to encrypt PE files with a reverse XOR loop."
"T1036.005::[HermeticWizard] has been named `exec_32.dll` to mimic a legitimate MS Outlook .dll."
"T1046::[HermeticWizard] has the ability to scan ports on a compromised network."
"T1047::[HermeticWizard] can use WMI to create a new process on a remote machine via `C:\\windows\\system32\\cmd.exe /c start C:\\windows\\system32\\\\regsvr32.exe /s /iC:\\windows\\<filename>.dll`."
"T1059.003::[HermeticWizard] can use `cmd.exe` for execution on compromised hosts."
"T1070.001::[HermeticWizard] has the ability to use `wevtutil cl system` to clear event logs."
"T1106::[HermeticWizard] can connect to remote shares using `WNetAddConnection2W`."
"T1110.001::[HermeticWizard] can use a list of hardcoded credentials in attempt to authenticate to SMB shares."
"T1218.010::[HermeticWizard] has used `regsvr32.exe /s /i` to execute malicious payloads."
"T1218.011::[HermeticWizard] has the ability to create a new process using `rundll32`."
"T1553.002::[HermeticWizard] has been signed by valid certificates assigned to Hermetica Digital."
"T1559.001::[HermeticWizard] can execute files on remote machines using DCOM."
"T1569.002::[HermeticWizard] can use `OpenRemoteServiceManager` to create a service."
"T1570::[HermeticWizard] can copy files to other machines on a compromised network."
"T1007::[Heyoka Backdoor] can check if it is running as a service on a compromised host."
"T1027::[Heyoka Backdoor] can encrypt its payload."
"T1036.004::[Heyoka Backdoor] has been named `srvdll.dll` to appear as a legitimate service."
"T1055.001::[Heyoka Backdoor] can inject a DLL into rundll32.exe for execution."
"T1057::[Heyoka Backdoor] can gather process information."
"T1070.004::[Heyoka Backdoor] has the ability to delete folders and files from a targeted system."
"T1071.004::[Heyoka Backdoor] can use DNS tunneling for C2 communications."
"T1082::[Heyoka Backdoor] can enumerate drives on a compromised host."
"T1083::[Heyoka Backdoor] has the ability to search the compromised host for files."
"T1120::[Heyoka Backdoor] can identify removable media attached to victim's machines."
"T1140::[Heyoka Backdoor] can decrypt its payload prior to execution."
"T1204.002::[Heyoka Backdoor] has been spread through malicious document lures."
"T1218.011::[Heyoka Backdoor] can use rundll32.exe to gain execution."
"T1547.001::[Heyoka Backdoor] can establish persistence with the auto start function including using the value `EverNoteTrayUService`."
"T1572::[Heyoka Backdoor] can use spoofed DNS requests to create a bidirectional tunnel between a compromised host and its C2 servers."
"T1027::[Hi-Zor] uses various XOR techniques to obfuscate its components."
"T1059.003::[Hi-Zor] has the ability to create a reverse shell."
"T1070.004::[Hi-Zor] deletes its RAT installer file as it executes its DLL payload file."
"T1071.001::[Hi-Zor] communicates with its C2 server over HTTPS."
"T1105::[Hi-Zor] has the ability to upload and download files from its C2 server."
"T1218.010::[Hi-Zor] executes using regsvr32.exe called from the [Registry Run Keys / Startup Folder] persistence mechanism."
"T1547.001::[Hi-Zor] creates a Registry Run key to establish persistence."
"T1573.001::[Hi-Zor] encrypts C2 traffic with a double XOR using two distinct single-byte keys."
"T1573.002::[Hi-Zor] encrypts C2 traffic with TLS."
"T1014::[HiddenWasp] uses a rootkit to hook and implement functions on the system."
"T1027::[HiddenWasp] encrypts its configuration and payload."
"T1037.004::[HiddenWasp] installs reboot persistence by adding itself to /etc/rc.local."
"T1059.003::[HiddenWasp] uses a script to automate tasks on the victim's machine and to assist in execution."
"T1095::[HiddenWasp] communicates with a simple network protocol over TCP."
"T1105::[HiddenWasp] downloads a tar compressed archive from a download server to the system."
"T1136.001::[HiddenWasp] creates a user account as a means to provide initial persistence to the compromised machine."
"T1140::[HiddenWasp] uses a cipher to implement a decoding function."
"T1573.001::[HiddenWasp] uses an RC4-like algorithm with an already computed PRGA generated key-stream for network communication."
"T1574.006::[HiddenWasp] adds itself as a shared object to the LD_PRELOAD environment variable."
"T1014::[HIDEDRV] is a rootkit that hides certain operating system artifacts."
"T1055.001::[HIDEDRV] injects a DLL for [Downdelph] into the explorer.exe process."
"T1005::[Hikit] can upload files from compromised machines."
"T1014::[Hikit] is a [Rootkit] that has been used by [Axiom]."
"T1059.003::[Hikit] has the ability to create a remote shell and run given commands."
"T1071.001::[Hikit] has used HTTP for C2."
"T1090.001::[Hikit] supports peer connections."
"T1105::[Hikit] has the ability to download files to a compromised host."
"T1553.004::[Hikit] uses certmgr.exe -add GlobalSign.cer -c -s -r localMachine Root and certmgr.exe -add GlobalSign.cer -c -s -r localMachineTrustedPublisher to install a self-generated certificate to the local trust store as a root CA and Trusted Publisher."
"T1553.006::[Hikit] has attempted to disable driver signing verification by tampering with several Registry keys prior to the loading of a rootkit driver component."
"T1566::[Hikit] has been spread through spear phishing."
"T1573.001::[Hikit] performs XOR encryption."
"T1574.001::[Hikit] has used [DLL Search Order Hijacking] to load oci.dll as a persistence mechanism."
"T1014::[Hildegard] has modified /etc/ld.so.preload to overwrite readdir() and readdir64()."
"T1027.002::[Hildegard] has packed ELF files into other binaries."
"T1027::[Hildegard] has encrypted an ELF file."
"T1036.004::[Hildegard] has disguised itself as a known Linux process."
"T1046::[Hildegard] has used masscan to look for kubelets in the internal Kubernetes network."
"T1059.004::[Hildegard] has used shell scripts for execution."
"T1068::[Hildegard] has used the BOtB tool which exploits CVE-2019-5736."
"T1070.003::[Hildegard] has used history -c to clear script shell logs."
"T1070.004::[Hildegard] has deleted scripts after execution."
"T1071::[Hildegard] has used an IRC channel for C2 communications."
"T1082::[Hildegard] has collected the host's OS, CPU, and memory information."
"T1102::[Hildegard] has downloaded scripts from GitHub."
"T1105::[Hildegard] has downloaded additional scripts that build and run Monero cryptocurrency miners."
"T1133::[Hildegard] was executed through an unsecure kubelet that allowed anonymous access to the victim environment."
"T1136.001::[Hildegard] has created a user named “monerodaemon”."
"T1140::[Hildegard] has decrypted ELF files with AES."
"T1219::[Hildegard] has established tmate sessions for C2 communications."
"T1496::[Hildegard] has used xmrig to mine cryptocurrency."
"T1543.002::[Hildegard] has started a monero service."
"T1552.001::[Hildegard] has searched for SSH keys, Docker credentials, and Kubernetes service tokens."
"T1552.004::[Hildegard] has searched for private keys in .ssh."
"T1552.005::[Hildegard] has queried the Cloud Instance Metadata API for cloud credentials."
"T1562.001::[Hildegard] has modified DNS resolvers to evade DNS monitoring tools."
"T1574.006::[Hildegard] has modified /etc/ld.so.preload to intercept shared library import functions."
"T1609::[Hildegard] was executed through the kubelet API run command and by executing commands on running containers."
"T1611::[Hildegard] has used the BOtB tool that can break out of containers."
"T1613::[Hildegard] has used masscan to search for kubelets and the kubelet API for additional running containers."
"T1003::[HOMEFRY] can perform credential dumping."
"T1027::Some strings in [HOMEFRY] are obfuscated with XOR x56."
"T1059.003::[HOMEFRY] uses a command-line interface."
"T1003.002::[HOPLIGHT] has the capability to harvest credentials and passwords from the SAM database."
"T1008::[HOPLIGHT] has multiple C2 channels in place in case one fails."
"T1012::A variant of [HOPLIGHT] hooks lsass.exe, and lsass.exe then checks the Registry for the data value 'rdpproto' under the key SYSTEM\\CurrentControlSet\\Control\\Lsa Name."
"T1041::[HOPLIGHT] has used its C2 channel to exfiltrate data."
"T1047::[HOPLIGHT] has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository."
"T1055::[HOPLIGHT] has injected into running processes."
"T1059.003::[HOPLIGHT] can launch cmd.exe to execute commands on the system."
"T1082::[HOPLIGHT] has been observed collecting victim machine information like OS version, drivers, volume information and more."
"T1083::[HOPLIGHT] has been observed enumerating system drives and partitions."
"T1090::[HOPLIGHT] has multiple proxy options that mask traffic between the malware and the remote operators."
"T1105::[HOPLIGHT] has the ability to connect to a remote host in order to upload and download files."
"T1112::[HOPLIGHT] has modified Managed Object Format (MOF) files within the Registry to run specific commands and create persistence on the system."
"T1124::[HOPLIGHT] has been observed collecting system time from victim machines."
"T1132.001::[HOPLIGHT] has utilized Zlib compression to obfuscate the communications payload."
"T1550.002::[HOPLIGHT] has been observed loading several APIs associated with Pass the Hash."
"T1562.004::[HOPLIGHT] has modified the firewall using [netsh]."
"T1569.002::[HOPLIGHT] has used svchost.exe to execute a malicious DLL ."
"T1571::[HOPLIGHT] has connected outbound over TCP port 443 with a FakeTLS method."
"T1007::[HotCroissant] has the ability to retrieve a list of services on the infected host."
"T1010::[HotCroissant] has the ability to list the names of all open windows on the infected host."
"T1016::[HotCroissant] has the ability to identify the IP address of the compromised machine."
"T1027.002::[HotCroissant] has used the open source UPX executable packer."
"T1027::[HotCroissant] has encrypted strings with single-byte XOR and base64 encoded RC4."
"T1033::[HotCroissant] has the ability to collect the username on the infected host."
"T1041::[HotCroissant] has the ability to download files from the infected host to the command and control (C2) server."
"T1053.005::[HotCroissant] has attempted to install a scheduled task named “Java Maintenance64” on startup to establish persistence."
"T1057::[HotCroissant] has the ability to list running processes on the infected host."
"T1059.003::[HotCroissant] can remotely open applications on the infected host with the ShellExecuteA command."
"T1070.004::[HotCroissant] has the ability to clean up installed files, delete files, and delete itself from the victim’s machine."
"T1082::[HotCroissant] has the ability to determine if the current user is an administrator, Windows product name, processor name, screen resolution, and physical RAM of the infected host."
"T1083::[HotCroissant] has the ability to retrieve a list of files in a given directory as well as drives and drive types."
"T1105::[HotCroissant] has the ability to upload a file from the command and control (C2) server to the victim machine."
"T1106::[HotCroissant] can perform dynamic DLL importing and API lookups using LoadLibrary and GetProcAddress on obfuscated strings."
"T1113::[HotCroissant] has the ability to do real time screen viewing on an infected host."
"T1489::[HotCroissant] has the ability to stop services on the infected host."
"T1518::[HotCroissant] can retrieve a list of applications from the SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\App Paths registry key."
"T1564.003::[HotCroissant] has the ability to hide the window for operations performed on a given file."
"T1573.001::[HotCroissant] has compressed network communications and encrypted them with a custom stream cipher."
"T1027::[HTTPBrowser]'s code may be obfuscated through structured exception handling and return-oriented programming."
"T1036.005::[HTTPBrowser]'s installer contains a malicious file named navlu.dll to decrypt and run the RAT. navlu.dll is also the name of a legitimate Symantec DLL."
"T1056.001::[HTTPBrowser] is capable of capturing keystrokes on victims."
"T1059.003::[HTTPBrowser] is capable of spawning a reverse shell on a victim."
"T1070.004::[HTTPBrowser] deletes its original installer file once installation is complete."
"T1071.001::[HTTPBrowser] has used HTTP and HTTPS for command and control."
"T1071.004::[HTTPBrowser] has used DNS for command and control."
"T1083::[HTTPBrowser] is capable of listing files, folders, and drives on a victim."
"T1105::[HTTPBrowser] is capable of writing a file to the compromised system from the C2 server."
"T1547.001::[HTTPBrowser] has established persistence by setting the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key value for wdm to the path of the executable. It has also used the Registry entry HKEY_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run vpdn “%ALLUSERPROFILE%\\%APPDATA%\\vpdn\\VPDN_LU.exe” to establish persistence."
"T1574.001::[HTTPBrowser] abuses the Windows DLL load order by using a legitimate Symantec anti-virus binary, VPDN_LU.exe, to load a malicious DLL that mimics a legitimate Symantec DLL, navlu.dll."
"T1574.002::[HTTPBrowser] has used DLL side-loading."
"T1059.003::[httpclient] opens cmd.exe on the victim."
"T1071.001::[httpclient] uses HTTP for command and control."
"T1573.001::[httpclient] encrypts C2 content with XOR using a single byte, 0x12."
"T1005::[Hydraq] creates a backdoor through which remote attackers can read data from files."
"T1007::[Hydraq] creates a backdoor through which remote attackers can monitor services."
"T1012::[Hydraq] creates a backdoor through which remote attackers can retrieve system information, such as CPU speed, from Registry keys."
"T1016::[Hydraq] creates a backdoor through which remote attackers can retrieve IP addresses of compromised machines."
"T1027::[Hydraq] uses basic obfuscation in the form of spaghetti code."
"T1048::[Hydraq] connects to a predefined domain on port 443 to exfil gathered information."
"T1057::[Hydraq] creates a backdoor through which remote attackers can monitor processes."
"T1070.001::[Hydraq] creates a backdoor through which remote attackers can clear all system event logs."
"T1070.004::[Hydraq] creates a backdoor through which remote attackers can delete files."
"T1082::[Hydraq] creates a backdoor through which remote attackers can retrieve information such as computer name, OS version, processor speed, memory size, and CPU speed."
"T1083::[Hydraq] creates a backdoor through which remote attackers can check for the existence of files, including its own components, as well as retrieve a list of logical drives."
"T1105::[Hydraq] creates a backdoor through which remote attackers can download files and additional malware components."
"T1112::[Hydraq] creates a Registry subkey to register its created service, and can also uninstall itself later by deleting this value. [Hydraq]'s backdoor also enables remote attackers to modify and delete subkeys."
"T1113::[Hydraq] includes a component based on the code of VNC that can stream a live feed of the desktop of an infected host."
"T1129::[Hydraq] creates a backdoor through which remote attackers can load and call DLL functions."
"T1134::[Hydraq] creates a backdoor through which remote attackers can adjust token privileges."
"T1543.003::[Hydraq] creates new services to establish persistence."
"T1569.002::[Hydraq] uses svchost.exe to execute a malicious DLL included in a new service group."
"T1573.001::[Hydraq] C2 traffic is encrypted using bitwise NOT and XOR operations."
"T1007::[HyperBro] can list all services and their configurations."
"T1027.002::[HyperBro] has the ability to pack its payload."
"T1027::[HyperBro] can be delivered encrypted to a compromised host."
"T1055::[HyperBro] can run shellcode it injects into a newly created process."
"T1070.004::[HyperBro] has the ability to delete a specified file."
"T1071.001::[HyperBro] has used HTTPS for C2 communications."
"T1105::[HyperBro] has the ability to download additional files."
"T1106::[HyperBro] has the ability to run an application (CreateProcessW) or script/file (ShellExecuteW) via API."
"T1113::[HyperBro] has the ability to take screenshots."
"T1140::[HyperBro] can unpack and decrypt its payload prior to execution."
"T1569.002::[HyperBro] has the ability to start and stop a specified service."
"T1574.002::[HyperBro] has used a legitimate application to sideload a DLL to decrypt, decompress, and run a payload."
"T1078.001::[HyperStack] can use default credentials to connect to IPC$ shares on remote machines."
"T1087.001::[HyperStack] can enumerate all account names on a remote share."
"T1106::[HyperStack] can use Windows API's ConnectNamedPipe and WNetAddConnection2 to detect incoming connections and connect to remote shares."
"T1112::[HyperStack] can add the name of its communication pipe to HKLM\\SYSTEM\\\\CurrentControlSet\\\\Services\\\\lanmanserver\\\\parameters\\NullSessionPipes."
"T1559::[HyperStack] can connect to the IPC$ share on remote machines."
"T1573.001::[HyperStack] has used RSA encryption for C2 communications."
"T1003.002::[IceApple]'s Credential Dumper module can dump encrypted password hashes from SAM registry keys, including `HKLM\\SAM\\SAM\\Domains\\Account\\F` and `HKLM\\SAM\\SAM\\Domains\\Account\\Users\\*\\V`."
"T1003.004::[IceApple]'s Credential Dumper module can dump LSA secrets from registry keys, including: `HKLM\\SECURITY\\Policy\\PolEKList\\default`, `HKLM\\SECURITY\\Policy\\Secrets\\*\\CurrVal`, and `HKLM\\SECURITY\\Policy\\Secrets\\*\\OldVal`."
"T1005::[IceApple] can collect files, passwords, and other data from a compromised host."
"T1016::The [IceApple] [ifconfig] module can iterate over all network interfaces on the host and retrieve the name, description, MAC address, DNS suffix, DNS servers, gateways, IPv4 addresses, and subnet masks."
"T1027::[IceApple] can use Base64 and \"junk\" JavaScript code to obfuscate information."
"T1036.005::[IceApple] .NET assemblies have used `App_Web_` in their file names to appear legitimate."
"T1041::[IceApple]'s Multi File Exfiltrator module can exfiltrate multiple files from a compromised host as an HTTP response over C2."
"T1056.003::The [IceApple] OWA credential logger can monitor for OWA authentication requests and log the credentials."
"T1070.004::[IceApple] can delete files and directories from targeted systems."
"T1071.001::[IceApple] can use HTTP GET to request and pull information from C2."
"T1082::The [IceApple] Server Variable Dumper module iterates over all server variables present for the current request and returns them to the adversary."
"T1083::The [IceApple] Directory Lister module can list information about files and directories including creation time, last write time, name, and size."
"T1087.002::The [IceApple] Active Directory Querier module  can perform authenticated requests against an Active Directory server."
"T1140::[IceApple] can use a Base64-encoded AES key to decrypt tasking."
"T1505.004::[IceApple] is an IIS post-exploitation framework, consisting of 18 modules that provide several functionalities."
"T1552.002::[IceApple] can harvest credentials from local and remote host registries."
"T1560.001::[IceApple] can encrypt and compress files using Gzip prior to exfiltration."
"T1573.001::The [IceApple] Result Retriever module can AES encrypt C2 responses."
"T1620::[IceApple] can use reflective code loading to load .NET assemblies into `MSExchangeOWAAppPool` on targeted Exchange servers."
"T1027.002::[IcedID] has packed and encrypted its loader module."
"T1027.003::[IcedID] has embedded binaries within RC4 encrypted .png files."
"T1027::[IcedID] has utilzed encrypted binaries and base64 encoded strings."
"T1047::[IcedID] has used WMI to execute binaries."
"T1053.005::[IcedID] has created a scheduled task that executes every hour to establish persistence."
"T1055.004::[IcedID] has used ZwQueueApcThread to inject itself into remote processes."
"T1059.005::[IcedID] has used obfuscated VBA string expressions."
"T1069::[IcedID] has the ability to identify Workgroup membership."
"T1071.001::[IcedID] has used HTTPS in communications with C2."
"T1082::[IcedID] has the ability to identify the computer name and OS version on a compromised host."
"T1087.002::[IcedID] can query LDAP to identify additional users on the network to infect."
"T1105::[IcedID] has the ability to download additional modules and a configuration file from C2."
"T1106::[IcedID] has called ZwWriteVirtualMemory, ZwProtectVirtualMemory, ZwQueueApcThread, and NtResumeThread to inject itself into a remote process."
"T1185::[IcedID] has used web injection attacks to redirect victims to spoofed sites designed to harvest banking and other credentials.  [IcedID] can use a self signed TLS certificate in connection with the spoofed site and simultaneously maintains a live connection with the legitimate site to display the correct URL and certificates in the browser."
"T1204.002::[IcedID] has been executed through Word documents with malicious embedded macros."
"T1218.007::[IcedID] can inject itself into a suspended msiexec.exe process to send beacons to C2 while appearing as a normal msi application."
"T1547.001::[IcedID] has established persistence by creating a Registry run key."
"T1566.001::[IcedID] has been delivered via phishing e-mails with malicious attachments."
"T1573.002::[IcedID] has used SSL and TLS in communications with C2."
"T1016::[iKitten] will look for the current IP address."
"T1037.004::[iKitten] adds an entry to the rc.common file for persistence."
"T1056.002::[iKitten] prompts the user for their credentials."
"T1057::[iKitten] lists the current processes running."
"T1555.001::[iKitten] collects the keychains on the system."
"T1560.001::[iKitten] will zip up the /Library/Keychains directory before exfiltrating it."
"T1564.001::[iKitten] saves itself with a leading \".\" so that it's hidden from users by default."
"T1012::[Industroyer] has a data wiper component that enumerates keys in the Registry HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services."
"T1016::[Industroyer]’s 61850 payload component enumerates connected network adapters and their corresponding IP addresses."
"T1018::[Industroyer] can enumerate remote computers in the compromised network."
"T1027::[Industroyer] uses heavily obfuscated code in its Windows Notepad backdoor."
"T1041::[Industroyer] sends information about hardware profiles and previously-received commands back to the C2 server in a POST-request."
"T1046::[Industroyer] uses a custom port scanner to map out a network."
"T1071.001::[Industroyer]’s main backdoor connected to a remote C2 server using HTTPS."
"T1078::[Industroyer] can use supplied user credentials to execute processes and stop services."
"T1082::[Industroyer] collects the victim machine’s Windows GUID."
"T1083::[Industroyer]’s data wiper component enumerates specific files on all the Windows drives."
"T1090.003::[Industroyer] used [Tor] nodes for C2."
"T1105::[Industroyer] downloads a shellcode payload from a remote C2 server and loads it into memory."
"T1140::[Industroyer] decrypts code to connect to a remote C2 server."
"T1485::[Industroyer]’s data wiper module clears registry keys and overwrites both ICS configuration and Windows files."
"T1489::[Industroyer]’s data wiper module writes zeros into the registry keys in SYSTEM\\CurrentControlSet\\Services to render a system inoperable."
"T1499.004::[Industroyer] uses a custom DoS tool that leverages CVE-2015-5374 and targets hardcoded IP addresses of Siemens SIPROTEC devices."
"T1543.003::[Industroyer] can use an arbitrary system service to load at system boot for persistence and replaces the ImagePath registry value of a Windows service with a new backdoor binary."
"T1554::[Industroyer] has used a Trojanized version of the Windows Notepad application for an additional backdoor persistence mechanism."
"T1572::[Industroyer] attempts to perform an HTTP CONNECT via an internal proxy to establish a tunnel."
"T1027::[InnaputRAT] uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload."
"T1036.004::[InnaputRAT] variants have attempted to appear legitimate by adding a new service named OfficeUpdateService."
"T1036.005::[InnaputRAT] variants have attempted to appear legitimate by using the file names SafeApp.exe and NeutralApp.exe."
"T1059.003::[InnaputRAT] launches a shell to execute commands on the victim’s machine."
"T1070.004::[InnaputRAT] has a command to delete files."
"T1082::[InnaputRAT] gathers volume drive information and system information."
"T1083::[InnaputRAT] enumerates directories and obtains file attributes on a system."
"T1106::[InnaputRAT] uses the API call ShellExecuteW for execution."
"T1543.003::Some [InnaputRAT] variants create a new Windows service to establish persistence."
"T1547.001::Some [InnaputRAT] variants establish persistence by modifying the Registry key HKU\\<SID>\\Software\\Microsoft\\Windows\\CurrentVersion\\Run:%appdata%\\NeutralApp\\NeutralApp.exe."
"T1001.003::[InvisiMole] can mimic HTTP protocol with custom HTTP “verbs” HIDE, ZVVP, and NOP."
"T1005::[InvisiMole] can collect data from the system, and can monitor changes in specified directories."
"T1007::[InvisiMole] can obtain running services on the victim."
"T1008::[InvisiMole] has been configured with several servers available for alternate C2 communications."
"T1010::[InvisiMole] can enumerate windows and child windows on a compromised host."
"T1012::[InvisiMole] can enumerate Registry values, keys, and data."
"T1016::[InvisiMole] gathers information on the IP forwarding table, MAC address, configured proxy, and network SSID."
"T1025::[InvisiMole] can collect jpeg files from connected MTP devices."
"T1027.005::[InvisiMole] has undergone regular technical improvements in an attempt to evade detection."
"T1027::[InvisiMole] avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format."
"T1033::[InvisiMole] lists local users and session information."
"T1036.004::[InvisiMole] has attempted to disguise itself by registering under a seemingly legitimate service name."
"T1036.005::[InvisiMole] has disguised its droppers as legitimate software or documents, matching their original names and locations, and saved its files as mpr.dll in the Windows folder."
"T1046::[InvisiMole] can scan the network for open ports and vulnerable instances of RDP and SMB protocols."
"T1053.005::[InvisiMole] has used scheduled tasks named MSST and \\Microsoft\\Windows\\Autochk\\Scheduled to establish persistence."
"T1055.002::[InvisiMole] can inject its backdoor as a portable executable into a target process."
"T1055.004::[InvisiMole] can inject its code into a trusted process via the APC queue."
"T1055.015::[InvisiMole] has used ListPlanting to inject code into a trusted process."
"T1055::[InvisiMole] can inject itself into another process to avoid detection including use of a technique called ListPlanting that customizes the sorting algorithm in a ListView structure."
"T1056.001::[InvisiMole] can capture keystrokes on a compromised host."
"T1057::[InvisiMole] can obtain a list of running processes."
"T1059.003::[InvisiMole] can launch a remote shell to execute commands."
"T1059.007::[InvisiMole] can use a JavaScript file as part of its execution chain."
"T1068::[InvisiMole] has exploited CVE-2007-5633 vulnerability in the speedfan.sys driver to obtain kernel mode privileges."
"T1070.004::[InvisiMole] has deleted files and directories including XML and files successfully uploaded to C2 servers."
"T1070.005::[InvisiMole] can disconnect previously connected remote drives."
"T1070.006::[InvisiMole] samples were timestomped by the authors by setting the PE timestamps to all zero values. [InvisiMole] also has a built-in command to modify file times."
"T1071.001::[InvisiMole] uses HTTP for C2 communications."
"T1071.004::[InvisiMole] has used a custom implementation of DNS tunneling to embed C2 communications in DNS requests and replies."
"T1074.001::[InvisiMole] determines a working directory where it stores all the gathered data about the compromised machine."
"T1080::[InvisiMole] can replace legitimate software or documents in the compromised network with their trojanized versions, in an attempt to propagate itself within the network."
"T1082::[InvisiMole] can gather information on the mapped drives, OS version, computer name, DEP policy, memory size, and system volume serial number."
"T1083::[InvisiMole] can list information about files in a directory and recently opened or used documents. [InvisiMole] can also search for specific files by supplied file mask."
"T1087.001::[InvisiMole] has a command to list account information on the victim’s machine."
"T1090.001::[InvisiMole] can function as a proxy to create a server that relays communication between the client and C&C server, or between two clients."
"T1090.002::[InvisiMole] InvisiMole can identify proxy servers used by the victim and use them for C2 communication."
"T1095::[InvisiMole] has used TCP to download additional modules."
"T1105::[InvisiMole] can upload files to the victim's machine for operations."
"T1106::[InvisiMole] can use winapiexec tool for indirect execution of  ShellExecuteW and CreateProcessA."
"T1112::[InvisiMole] has a command to create, set, copy, or delete a specified Registry key or value."
"T1113::[InvisiMole] can capture screenshots of not only the entire screen, but of each separate window open, in case they are overlapping."
"T1119::[InvisiMole] can sort and collect specific documents as well as generate a list of all files on a newly inserted drive and store them in an encrypted file."
"T1123::[InvisiMole] can record sound using input audio devices."
"T1124::[InvisiMole] gathers the local system time from the victim’s machine."
"T1125::[InvisiMole] can remotely activate the victim’s webcam to capture content."
"T1132.002::[InvisiMole] can use a modified base32 encoding to encode data within the subdomain of C2 requests."
"T1135::[InvisiMole] can gather network share information."
"T1140::[InvisiMole] can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher."
"T1203::[InvisiMole] has installed legitimate but vulnerable Total Video Player software and wdigest.dll library drivers on compromised hosts to exploit stack overflow and input validation vulnerabilities for code execution."
"T1204.002::[InvisiMole] can deliver trojanized versions of software and documents, relying on user execution."
"T1210::[InvisiMole] can spread within a network via the BlueKeep (CVE-2019-0708) and EternalBlue (CVE-2017-0144) vulnerabilities in RDP and SMB respectively."
"T1218.002::[InvisiMole] can register itself for execution and persistence via the Control Panel."
"T1218.011::[InvisiMole] has used rundll32.exe for execution."
"T1480.001::[InvisiMole] can use Data Protection API to encrypt its components on the victim’s computer, to evade detection, and to make sure the payload can only be decrypted and loaded on one specific compromised computer."
"T1490::[InvisiMole] can can remove all system restore points."
"T1497.001::[InvisiMole] can check for artifacts of VirtualBox, Virtual PC and VMware environment, and terminate itself if they are detected."
"T1518.001::[InvisiMole] can check for the presence of network sniffers, AV, and BitDefender firewall."
"T1518::[InvisiMole] can collect information about installed software used by specific users, software executed on user login, and software executed by each system."
"T1543.003::[InvisiMole] can register a Windows service named CsPower as part of its execution chain, and a Windows service named clr_optimization_v2.0.51527_X86 to achieve persistence."
"T1547.001::[InvisiMole] can place a lnk file in the Startup Folder to achieve persistence."
"T1547.009::[InvisiMole] can use a .lnk shortcut for the Control Panel to establish persistence."
"T1548.002::[InvisiMole] can use fileless UAC bypass and create an elevated COM object to escalate privileges."
"T1559.001::[InvisiMole] can use the ITaskService, ITaskDefinition and ITaskSettings COM interfaces to schedule a task."
"T1560.001::[InvisiMole] uses WinRAR to compress data that is intended to be exfiltrated."
"T1560.002::[InvisiMole] can use zlib to compress and decompress data."
"T1560.003::[InvisiMole] uses a variation of the XOR cipher to encrypt files before exfiltration."
"T1562.004::[InvisiMole] has a command to disable routing and the Firewall on the victim’s machine."
"T1564.001::[InvisiMole] can create hidden system directories."
"T1564.003::[InvisiMole] has executed legitimate tools in hidden windows."
"T1569.002::[InvisiMole] has used Windows services as a way to execute its malicious payload."
"T1573.001::[InvisiMole] uses variations of a simple XOR encryption routine for C&C communications."
"T1574.001::[InvisiMole] can be launched by using DLL search order hijacking in which the wrapper DLL is placed in the same folder as explorer.exe and loaded during startup into the Windows Explorer process instead of the legitimate library."
"T1027::[ISMInjector] is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com."
"T1053.005::[ISMInjector] creates scheduled tasks to establish persistence."
"T1055.012::[ISMInjector] hollows out a newly created process RegASM.exe and injects its payload into the hollowed process."
"T1140::[ISMInjector] uses the certutil command to decode a payload file."
"T1102.002::[APT12] has used blogs and WordPress for C2 infrastructure."
"T1203::[APT12] has exploited multiple vulnerabilities for execution, including Microsoft Office vulnerabilities (CVE-2009-3129, CVE-2012-0158) and vulnerabilities in Adobe Reader and Flash (CVE-2009-4324, CVE-2009-0927, CVE-2011-0609, CVE-2011-0611)."
"T1204.002::[APT12] has attempted to get victims to open malicious Microsoft Word and PDF attachment sent via spearphishing."
"T1566.001::[APT12] has sent emails with malicious Microsoft Office documents and PDFs attached."
"T1568.003::[APT12] has used multiple variants of [DNS Calculation] including multiplying the first two octets of an IP address and adding the third octet to that value in order to get a resulting command and control port."
"T1053.003::[Janicab] used a cron job for persistence on Mac devices."
"T1113::[Janicab] captured screenshots and sent them out to a C2 server."
"T1123::[Janicab] captured audio and sent it out to a C2 server."
"T1553.002::[Janicab] used a valid AppleDeveloperID to sign the code to get past security restrictions."
"T1027.001::[Javali] can use large obfuscated libraries to hinder detection and analysis."
"T1057::[Javali] can monitor processes for open browsers and custom banking applications."
"T1059.005::[Javali] has used embedded VBScript to download malicious payloads from C2."
"T1102.001::[Javali] can read C2 information from Google Documents and YouTube."
"T1105::[Javali] can download payloads from remote C2 servers."
"T1204.001::[Javali] has achieved execution through victims clicking links to malicious websites."
"T1204.002::[Javali] has achieved execution through victims opening malicious attachments, including MSI files with embedded VBScript."
"T1218.007::[Javali] has used the MSI installer to download and execute malicious payloads."
"T1555.003::[Javali] can capture login credentials from open browsers including Firefox, Chrome, Internet Explorer, and Edge."
"T1566.001::[Javali] has been delivered as malicious e-mail attachments."
"T1566.002::[Javali] has been delivered via malicious links embedded in e-mails."
"T1574.002::[Javali] can use DLL side-loading to load malicious DLLs into legitimate executables."
"T1059.001::[JCry] has used PowerShell to execute payloads."
"T1059.003::[JCry] has used cmd.exe to launch PowerShell."
"T1059.005::[JCry] has used VBS scripts."
"T1204.002::[JCry] has achieved execution by luring users to click on a file that appeared to be an Adobe Flash Player update installer."
"T1486::[JCry] has encrypted files and demanded Bitcoin to decrypt those files."
"T1490::[JCry] has been observed deleting shadow copies to ensure that data cannot be restored easily."
"T1547.001::[JCry] has created payloads in the Startup directory to maintain persistence."
"T1008::[JHUHUGIT] tests if it can reach its C2 server by first attempting a direct connection, and if it fails, obtaining proxy settings and sending the connection through a proxy, and finally injecting code into a running browser if the proxy method fails."
"T1016::A [JHUHUGIT] variant gathers network interface card information."
"T1027::Many strings in [JHUHUGIT] are obfuscated with a XOR algorithm."
"T1037.001::[JHUHUGIT] has registered a Windows shell script under the Registry key HKCU\\Environment\\UserInitMprLogonScript to establish persistence."
"T1053.005::[JHUHUGIT] has registered itself as a scheduled task to run each time the current user logs in."
"T1055::[JHUHUGIT] performs code injection injecting its own functions to browser processes."
"T1057::[JHUHUGIT] obtains a list of running processes on the victim."
"T1059.003::[JHUHUGIT] uses a .bat file to execute a .dll."
"T1068::[JHUHUGIT] has exploited CVE-2015-1701 and CVE-2015-2387 to escalate privileges."
"T1070.004::The [JHUHUGIT] dropper can delete itself from the victim. Another [JHUHUGIT] variant has the capability to delete specified files."
"T1071.001::[JHUHUGIT] variants have communicated with C2 servers over HTTP and HTTPS."
"T1082::[JHUHUGIT] obtains a build identifier as well as victim hard drive information from Windows registry key HKLM\\SYSTEM\\CurrentControlSet\\Services\\Disk\\Enum. Another [JHUHUGIT] variant gathers the victim storage volume serial number and the storage device name."
"T1105::[JHUHUGIT] can retrieve an additional payload from its C2 server."
"T1113::A [JHUHUGIT] variant takes screenshots by simulating the user pressing the \"Take Screenshot\" key (VK_SCREENSHOT), accessing the screenshot saved in the clipboard, and converting it to a JPG image."
"T1115::A [JHUHUGIT] variant accesses a screenshot saved in the clipboard and converts it to a JPG image."
"T1132.001::A [JHUHUGIT] variant encodes C2 POST data base64."
"T1218.011::[JHUHUGIT] is executed using rundll32.exe."
"T1543.003::[JHUHUGIT] has registered itself as a service to establish persistence."
"T1546.015::[JHUHUGIT] has used COM hijacking to establish persistence by hijacking a class named MMDeviceEnumerator and also by registering the payload as a Shell Icon Overlay handler COM object ({3543619C-D563-43f7-95EA-4DA7E1CC396A})."
"T1547.001::[JHUHUGIT] has used a Registry Run key to establish persistence by executing JavaScript code within the rundll32.exe process."
"T1007::[JPIN] can list running services."
"T1012::[JPIN] can enumerate Registry keys."
"T1016::[JPIN] can obtain network information, including DNS, IP, and proxies."
"T1027::A [JPIN] uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer."
"T1033::[JPIN] can obtain the victim user name."
"T1055::[JPIN] can inject content into lsass.exe to load a module."
"T1056.001::[JPIN] contains a custom keylogger."
"T1057::[JPIN] can list running processes."
"T1059.003::[JPIN] can use the command-line utility cacls.exe to change file permissions."
"T1069.001::[JPIN] can obtain the permissions of the victim user."
"T1070.004::[JPIN]'s installer/uninstaller component deletes itself if it encounters a version of Windows earlier than Windows XP or identifies security-related processes running."
"T1071.002::[JPIN] can communicate over FTP."
"T1071.003::[JPIN] can send email over SMTP."
"T1082::[JPIN] can obtain system information such as OS version and disk space."
"T1083::[JPIN] can enumerate drives and their types. It can also change file permissions using cacls.exe."
"T1105::[JPIN] can download files and upgrade itself."
"T1197::A [JPIN] variant downloads the backdoor payload via the BITS service."
"T1222.001::[JPIN] can use the command-line utility cacls.exe to change file permissions."
"T1518.001::[JPIN] checks for the presence of certain security-related processes and deletes its installer/uninstaller component if it identifies any of them."
"T1562.001::[JPIN] can lower security settings by changing Registry keys."
"T1007::[jRAT] can list local services."
"T1016::[jRAT] can gather victim internal and external IPs."
"T1021.001::[jRAT] can support RDP control."
"T1027.002::[jRAT] payloads have been packed."
"T1027::[jRAT]’s Java payload is encrypted with AES."
"T1029::[jRAT] can be configured to reconnect at certain intervals."
"T1037.005::[jRAT] can list and manage startup entries."
"T1047::[jRAT] uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details."
"T1049::[jRAT] can list network connections."
"T1056.001::[jRAT] has the capability to log keystrokes from the victim’s machine, both offline and online."
"T1057::[jRAT] can query and kill system processes."
"T1059.003::[jRAT] has command line access."
"T1059.005::[jRAT] has been distributed as HTA files with VBScript."
"T1059.007::[jRAT] has been distributed as HTA files with JScript."
"T1070.004::[jRAT] has a function to delete files from the victim’s machine."
"T1082::[jRAT] collects information about the OS (version, build type, install date) as well as system up-time upon receiving a connection from a backdoor."
"T1083::[jRAT] can browse file systems."
"T1090::[jRAT] can serve as a SOCKS proxy server."
"T1105::[jRAT] can download and execute files."
"T1113::[jRAT] has the capability to take screenshots of the victim’s machine."
"T1115::[jRAT] can capture clipboard data."
"T1120::[jRAT] can map UPnP ports."
"T1123::[jRAT] can capture microphone recordings."
"T1125::[jRAT] has the capability to capture video from a webcam."
"T1518.001::[jRAT] can list security software, such as by using WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details."
"T1552.001::[jRAT] can capture passwords from common chat applications such as MSN Messenger, AOL, Instant Messenger, and and Google Talk."
"T1552.004::[jRAT] can steal keys for VPNs and cryptocurrency wallets."
"T1555.003::[jRAT] can capture passwords from common web browsers such as Internet Explorer, Google Chrome, and Firefox."
"T1053.005::[JSS Loader] has the ability to launch scheduled tasks to establish persistence."
"T1059.001::[JSS Loader] has the ability to download and execute PowerShell scripts."
"T1059.005::[JSS Loader] can download and execute VBScript files."
"T1059.007::[JSS Loader] can download and execute JavaScript files."
"T1105::[JSS Loader] has the ability to download malicious executables to a compromised host."
"T1204.002::[JSS Loader] has been executed through malicious attachments contained in spearphishing emails."
"T1566.001::[JSS Loader] has been delivered by phishing emails containing malicious Microsoft Excel attachments."
"T1082::[KARAE] can collect system information."
"T1102.002::[KARAE] can use public cloud-based storage providers for command and control."
"T1105::[KARAE] can upload and download files, including second-stage malware."
"T1189::[KARAE] was distributed through torrent file-sharing websites to South Korean victims, using a YouTube video downloader application as a lure."
"T1056.001::[Kasidet] has the ability to initiate keylogging."
"T1057::[Kasidet] has the ability to search for a given process name in processes currently running in the system."
"T1059.003::[Kasidet] can execute commands using cmd.exe."
"T1082::[Kasidet] has the ability to obtain a victim's system name and operating system version."
"T1083::[Kasidet] has the ability to search for a given filename on a victim."
"T1105::[Kasidet] has the ability to download and execute additional files."
"T1113::[Kasidet] has the ability to initiate keylogging and screen captures."
"T1518.001::[Kasidet] has the ability to identify any anti-virus installed on the infected system."
"T1547.001::[Kasidet] creates a Registry Run key to establish persistence."
"T1562.004::[Kasidet] has the ability to change firewall settings to allow a plug-in to be downloaded."
"T1005::[Kazuar] uploads files from a specified directory to the C2 server."
"T1008::[Kazuar] can accept multiple URLs for C2 servers."
"T1010::[Kazuar] gathers information about opened windows."
"T1016::[Kazuar] gathers information about network adapters."
"T1027::[Kazuar] is obfuscated using the open source ConfuserEx protector. [Kazuar] also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher."
"T1029::[Kazuar] can sleep for a specific time and be set to communicate at specific intervals."
"T1033::[Kazuar] gathers information on users."
"T1047::[Kazuar] obtains a list of running processes through WMI querying."
"T1055.001::If running in a Windows environment, [Kazuar] saves a DLL to disk that is injected into the explorer.exe process to execute the payload. [Kazuar] can also be configured to inject and execute within specific processes."
"T1057::[Kazuar] obtains a list of running processes through WMI querying and the ps command."
"T1059.003::[Kazuar] uses cmd.exe to execute commands on the victim’s machine."
"T1059.004::[Kazuar] uses /bin/bash to execute commands on the victim’s machine."
"T1069.001::[Kazuar] gathers information about local groups and members."
"T1070.004::[Kazuar] can delete files."
"T1071.001::[Kazuar] uses HTTP and HTTPS to communicate with the C2 server. [Kazuar] can also act as a webserver and listen for inbound HTTP requests through an exposed API."
"T1071.002::[Kazuar] uses FTP and FTPS to communicate with the C2 server."
"T1074.001::[Kazuar] stages command output and collected data in files before exfiltration."
"T1082::[Kazuar] gathers information on the system and local drives."
"T1083::[Kazuar] finds a specified directory, lists the files and metadata about those files."
"T1087.001::[Kazuar] gathers information on local groups and members on the victim’s machine."
"T1090.001::[Kazuar] has used internal nodes on the compromised network for C2 communications."
"T1102.002::[Kazuar] has used compromised WordPress blogs as C2 servers."
"T1105::[Kazuar] downloads additional plug-ins to load on the victim’s machine, including the ability to upgrade and replace its own binary."
"T1113::[Kazuar] captures screenshots of the victim’s screen."
"T1125::[Kazuar] captures images from the webcam."
"T1132.001::[Kazuar] encodes communications to the C2 server in Base64."
"T1485::[Kazuar] can overwrite files with random data before deleting them."
"T1543.003::[Kazuar] can install itself as a new service."
"T1547.001::[Kazuar] adds a sub-key under several Registry run keys."
"T1547.009::[Kazuar] adds a .lnk file to the Windows startup folder."
"T1027::[Kerrdown] can encrypt, encode, and compress multiple layers of shellcode."
"T1059.005::[Kerrdown] can use a VBS base64 decoder function published by Motobit."
"T1082::[Kerrdown] has the ability to determine if the compromised host is running a 32 or 64 bit OS architecture."
"T1105::[Kerrdown] can download specific payloads to a compromised host based on OS architecture."
"T1140::[Kerrdown] can decode, decrypt, and decompress multiple layers of shellcode."
"T1204.001::[Kerrdown] has gained execution through victims opening malicious links."
"T1204.002::[Kerrdown] has gained execution through victims opening malicious files."
"T1566.001::[Kerrdown] has been distributed through malicious e-mail attachments."
"T1566.002::[Kerrdown] has been distributed via e-mails containing a malicious link."
"T1574.002::[Kerrdown] can use DLL side-loading to load malicious DLLs."
"T1016::[Kessel] has collected the DNS address of the infected host."
"T1027::[Kessel]'s configuration is hardcoded and RC4 encrypted within the binary."
"T1030::[Kessel] can split the data to be exilftrated into chunks that will fit in subdomains of DNS queries."
"T1041::[Kessel] has exfiltrated information gathered from the infected system to the C2 server."
"T1048.003::[Kessel] can exfiltrate credentials and other information via HTTP POST request, TCP, and DNS."
"T1059::[Kessel] can create a reverse shell between the infected host and a specified system."
"T1082::[Kessel] has collected the system architecture, OS version, and MAC address information."
"T1090::[Kessel] can use a proxy during exfiltration if set in the configuration."
"T1105::[Kessel] can download additional modules from the C2 server."
"T1132.001::[Kessel] has exfiltrated data via hexadecimal-encoded subdomain fields of DNS queries."
"T1140::[Kessel] has decrypted the binary's configuration once the main function was launched."
"T1554::[Kessel] has maliciously altered the OpenSSH binary on targeted systems to create a backdoor."
"T1556::[Kessel] has trojanized the <sode>ssh_login and user-auth_pubkey functions to steal plaintext credentials."
"T1560::[Kessel] can RC4-encrypt credentials before sending to the C2."
"T1001.001::[Kevin] can generate a sequence of dummy HTTP C2 requests to obscure traffic."
"T1005::[Kevin] can upload logs and other data from a compromised host."
"T1008::[Kevin] can assign hard-coded fallback domains for C2."
"T1016::[Kevin] can collect the MAC address and other information from a victim machine using `ipconfig/all`."
"T1027::[Kevin] has Base64-encoded its configuration file."
"T1030::[Kevin] can exfiltrate data to the C2 server in 27-character chunks."
"T1036.003::[Kevin] has renamed an image of `cmd.exe` with a random name followed by a `.tmpl` extension."
"T1041::[Kevin] can send data from the victim host through a DNS C2 channel."
"T1059.003::[Kevin] can use a renamed image of `cmd.exe` for execution."
"T1070.004::[Kevin] can delete files created on the victim's machine."
"T1071.001::Variants of [Kevin] can communicate with C2 over HTTP."
"T1071.004::Variants of [Kevin] can communicate over DNS through queries to the server for constructed domain names with embedded information."
"T1074::[Kevin] can create directories to store logs and other collected data."
"T1082::[Kevin] can enumerate the OS version and hostname of a targeted machine."
"T1105::[Kevin] can download files to the compromised host."
"T1106::[Kevin] can use the `ShowWindow` API to avoid detection."
"T1132.001::[Kevin] can Base32 encode chunks of output files during exfiltration."
"T1497::[Kevin] can sleep for a time interval between C2 communication attempts."
"T1564.003::[Kevin] can hide the current window from the targeted user via the `ShowWindow` API function."
"T1572::[Kevin] can use a custom protocol tunneled through DNS or HTTP."
"T1016::[Tropic Trooper] has used scripts to collect the host's network topology."
"T1020::[Tropic Trooper] has used a copy function to automatically exfiltrate sensitive data from air-gapped systems using USB storage."
"T1027.003::[Tropic Trooper] has used JPG files with encrypted payloads to mask their backdoor routines and evade detection."
"T1027::[Tropic Trooper] has encrypted configuration files."
"T1033::[Tropic Trooper] used letmein to scan for saved usernames on the target system."
"T1036.005::[Tropic Trooper] has hidden payloads in Flash directories and fake installer files."
"T1046::[Tropic Trooper] used pr and an openly available tool to scan for open ports on target systems."
"T1049::[Tropic Trooper] has tested if the localhost network is available and other connection capability on an infected system using command scripts."
"T1052.001::[Tropic Trooper] has exfiltrated data using USB storage devices."
"T1055.001::[Tropic Trooper] has injected a DLL backdoor into dllhost.exe and svchost.exe."
"T1057::[Tropic Trooper] is capable of enumerating the running processes on the system using pslist."
"T1059.003::[Tropic Trooper] has used Windows command scripts."
"T1070.004::[Tropic Trooper] has deleted dropper files on an infected system using command scripts."
"T1071.001::[Tropic Trooper] has used HTTP in communication with the C2."
"T1071.004::[Tropic Trooper]'s backdoor has communicated to the C2 over the DNS protocol."
"T1078.003::[Tropic Trooper] has used known administrator account credentials to execute the backdoor directly."
"T1082::[Tropic Trooper] has detected a target system’s OS version and system volume information."
"T1083::[Tropic Trooper] has monitored files' modified time."
"T1091::[Tropic Trooper] has attempted to transfer [USBferry] from an infected USB device by copying an Autorun function to the target machine."
"T1105::[Tropic Trooper] has used a delivered trojan to download additional files."
"T1106::[Tropic Trooper] has used multiple Windows APIs including HttpInitialize, HttpCreateHttpHandle, and HttpAddUrl."
"T1119::[Tropic Trooper] has collected information automatically using the adversary's [USBferry] attack."
"T1132.001::[Tropic Trooper] has used base64 encoding to hide command strings delivered from the C2."
"T1135::[Tropic Trooper] used netview to scan target systems for shared resources."
"T1140::[Tropic Trooper] used shellcode with an XOR algorithm to decrypt a payload. [Tropic Trooper] also decrypted image files which contained a payload."
"T1203::[Tropic Trooper] has executed commands through Microsoft security vulnerabilities, including CVE-2017-11882, CVE-2018-0802, and CVE-2012-0158."
"T1204.002::[Tropic Trooper] has lured victims into executing malware via malicious e-mail attachments."
"T1221::[Tropic Trooper] delivered malicious documents with the XLSX extension, typically used by OpenXML documents, but the file itself was actually an OLE (XLS) document."
"T1505.003::[Tropic Trooper] has started a web service in the target host and wait for the adversary to connect, acting as a web shell."
"T1518.001::[Tropic Trooper] can search for anti-virus software running on the system."
"T1518::[Tropic Trooper]'s backdoor could list the infected system's installed software."
"T1543.003::[Tropic Trooper] has installed a service pointing to a malicious DLL dropped to disk."
"T1547.001::[Tropic Trooper] has created shortcuts in the Startup folder to establish persistence."
"T1547.004::[Tropic Trooper] has created the Registry key HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell and sets the value to establish persistence."
"T1564.001::[Tropic Trooper] has created a hidden directory under C:\\ProgramData\\Apple\\Updates\\ and C:\\Users\\Public\\Documents\\Flash\\."
"T1566.001::[Tropic Trooper] sent spearphishing emails that contained malicious Microsoft Office and fake installer file attachments."
"T1573.002::[Tropic Trooper] has used SSL to connect to C2 servers."
"T1573::[Tropic Trooper] has encrypted traffic with the C2 to prevent network detection."
"T1574.002::[Tropic Trooper] has been known to side-load DLLs using a valid version of a Windows Address Book and Windows Defender executable with one of their tools."
"T1036.006::[Keydnap] puts a space after a false .jpg extension so that execution actually goes through the Terminal.app program."
"T1056.002::[Keydnap] prompts the users for credentials."
"T1059.006::[Keydnap] uses Python for scripting to execute additional commands."
"T1071.001::[Keydnap] uses HTTPS for command and control."
"T1090.003::[Keydnap] uses a copy of tor2web proxy for HTTPS communications."
"T1543.001::[Keydnap] uses a Launch Agent to persist."
"T1548.001::[Keydnap] adds the setuid flag to a binary so it can easily elevate in the future."
"T1555.002::[Keydnap] uses the keychaindump project to read securityd memory."
"T1564.009::[Keydnap] uses a resource fork to present a macOS JPEG or text file icon rather than the executable's icon assigned by the operating system."
"T1016::[KEYMARBLE] gathers the MAC address of the victim’s machine."
"T1057::[KEYMARBLE] can obtain a list of running processes on the system."
"T1059.003::[KEYMARBLE] can execute shell commands using cmd.exe."
"T1070.004::[KEYMARBLE] has the capability to delete files off the victim’s machine."
"T1082::[KEYMARBLE] has the capability to collect the computer name, language settings, the OS version, CPU information, disk devices, and time elapsed since system start."
"T1083::[KEYMARBLE] has a command to search for files on the victim’s machine."
"T1105::[KEYMARBLE] can upload files to the victim’s machine and can download additional payloads."
"T1112::[KEYMARBLE] has a command to create Registry entries for storing data under HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\WABE\\DataPath."
"T1113::[KEYMARBLE] can capture screenshots of the victim’s machine."
"T1573.001::[KEYMARBLE] uses a customized XOR algorithm to encrypt C2 communications."
"T1027::[KillDisk] uses VMProtect to make reverse engineering the malware more difficult."
"T1036.004::[KillDisk] registers as a service under the Plug-And-Play Support name."
"T1057::[KillDisk] has called GetCurrentProcess."
"T1070.001::[KillDisk] deletes Application, Security, Setup, and System Windows Event Logs."
"T1070.004::[KillDisk] has the ability to quit and delete itself."
"T1082::[KillDisk] retrieves the hard disk name by calling the CreateFileA to \\\\.\\PHYSICALDRIVE0 API."
"T1083::[KillDisk] has used the FindNextFile command as part of its file deletion process."
"T1106::[KillDisk] has called the Windows API to retrieve the hard disk handle and shut down the machine."
"T1129::[KillDisk] loads and executes functions from a DLL."
"T1134::[KillDisk] has attempted to get the access token of a process by calling OpenProcessToken. If [KillDisk] gets the access token, then it attempt to modify the token privileges with AdjustTokenPrivileges."
"T1485::[KillDisk] deletes system files to make the OS unbootable. [KillDisk] also targets and deletes files with 35 different file extensions."
"T1486::[KillDisk] has a ransomware component that encrypts files with an AES key that is also RSA-1028 encrypted."
"T1489::[KillDisk] terminates various processes to get the user to reboot the victim machine."
"T1529::[KillDisk] attempts to reboot the machine by terminating specific processes."
"T1561.002::[KillDisk] overwrites the first sector of the Master Boot Record with “0x00”."
"T1018::[Kinsing] has used a script to parse files like /etc/hosts and SSH known_hosts to discover remote systems."
"T1021.004::[Kinsing] has used SSH for lateral movement."
"T1053.003::[Kinsing] has used crontab to download and run shell scripts every minute to ensure persistence."
"T1057::[Kinsing] has used ps to list processes."
"T1059.004::[Kinsing] has used Unix shell scripts to execute commands in the victim environment."
"T1071.001::[Kinsing] has communicated with C2 over HTTP."
"T1078::[Kinsing] has used valid SSH credentials to access remote hosts."
"T1083::[Kinsing] has used the find command to search for specific files."
"T1105::[Kinsing] has downloaded additional lateral movement scripts from C2."
"T1110::[Kinsing] has attempted to brute force hosts over SSH."
"T1133::[Kinsing] was executed in an Ubuntu container deployed via an open Docker daemon API."
"T1222.002::[Kinsing] has used chmod to modify permissions on key files for use."
"T1496::[Kinsing] has created and run a Bitcoin cryptocurrency miner."
"T1552.003::[Kinsing] has searched bash_history for credentials."
"T1552.004::[Kinsing] has searched for private keys."
"T1609::[Kinsing] was executed with an Ubuntu container entry point that runs shell scripts."
"T1610::[Kinsing] was run through a deployed Ubuntu container."
"T1021::[Kivars] has the ability to remotely trigger keyboard input and mouse clicks."
"T1056.001::[Kivars] has the ability to initiate keylogging on the infected host."
"T1070.004::[Kivars] has the ability to uninstall malware from the infected host."
"T1083::[Kivars] has the ability to list drives on the infected host."
"T1105::[Kivars] has the ability to download and execute files."
"T1113::[Kivars] has the ability to capture screenshots on the infected host."
"T1564.003::[Kivars] has the ability to conceal its activity through hiding active windows."
"T1016::[Kobalos] can record the IP address of the target machine."
"T1027::[Kobalos] encrypts all strings using RC4 and bundles all functionality into a single function call."
"T1048::[Kobalos] can exfiltrate credentials over the network via UDP."
"T1056::[Kobalos] has used a compromised SSH client to capture the hostname, port, username and password used to establish an SSH connection from the compromised host."
"T1059.004::[Kobalos] can spawn a new pseudo-terminal and execute arbitrary commands at the command prompt."
"T1070.003::[Kobalos] can remove all command history on compromised hosts."
"T1070.006::[Kobalos] can modify timestamps of replaced files, such as ssh with the added credential stealer or sshd used to deploy [Kobalos]."
"T1074::[Kobalos] can write captured SSH connection credentials to a file under the /var/run directory with a .pid extension for exfiltration."
"T1082::[Kobalos] can record the hostname and kernel version of the target machine."
"T1090.003::[Kobalos] can chain together multiple compromised machines as proxies to reach their final targets."
"T1140::[Kobalos] decrypts strings right after the initial communication, but before the authentication process."
"T1205::[Kobalos] is triggered by an incoming TCP connection to a legitimate service from a specific source port."
"T1554::[Kobalos] replaced the SSH client with a trojanized SSH client to steal credentials on compromised systems."
"T1573.001::[Kobalos]'s post-authentication communication channel uses a 32-byte-long password with RC4 for inbound and outbound traffic."
"T1573.002::[Kobalos]'s authentication and key exchange is performed using RSA-512."
"T1027::[KOCTOPUS] has obfuscated scripts with the BatchEncryption tool."
"T1036.005::[KOCTOPUS] has been disguised as legitimate software programs associated with the travel and airline industries."
"T1059.001::[KOCTOPUS] has used PowerShell commands to download additional files."
"T1059.003::[KOCTOPUS] has used `cmd.exe` and batch files for execution."
"T1059.005::[KOCTOPUS] has used VBScript to call wscript to execute a PowerShell command."
"T1070.009::[KOCTOPUS] can delete created registry keys used for persistence as part of its cleanup procedure."
"T1082::[KOCTOPUS] has checked the OS version using `wmic.exe` and the `find` command."
"T1090::[KOCTOPUS] has deployed a modified version of Invoke-Ngrok to expose open local ports to the Internet."
"T1105::[KOCTOPUS] has executed a PowerShell command to download a file to the system."
"T1106::[KOCTOPUS] can use the `LoadResource` and `CreateProcessW` APIs for execution."
"T1112::[KOCTOPUS] has added and deleted keys from the Registry."
"T1140::[KOCTOPUS] has deobfuscated itself before executing its commands."
"T1204.001::[KOCTOPUS] has relied on victims clicking on a malicious link delivered via email."
"T1204.002::[KOCTOPUS] has relied on victims clicking a malicious document for execution."
"T1547.001::[KOCTOPUS] can set the AutoRun Registry key with a PowerShell command."
"T1548.002::[KOCTOPUS] will perform UAC bypass either through fodhelper.exe or eventvwr.exe."
"T1562.001::[KOCTOPUS] will attempt to delete or disable all Registry keys and scheduled tasks related to Microsoft Security Defender and Security Essentials."
"T1564.003::[KOCTOPUS] has used -WindowsStyle Hidden to hide the command window."
"T1566.001::[KOCTOPUS] has been distributed via spearphishing emails with malicious attachments."
"T1566.002::[KOCTOPUS] has been distributed as a malicious link within an email."
"T1033::The OsInfo function in [Komplex] collects the current running username."
"T1057::The OsInfo function in [Komplex] collects a running process list."
"T1070.004::The [Komplex] trojan supports file deletion."
"T1071.001::The [Komplex] C2 channel uses HTTP POST requests."
"T1543.001::The [Komplex] trojan creates a persistent launch agent called with $HOME/Library/LaunchAgents/com.apple.updates.plist with launchctl load -w ~/Library/LaunchAgents/com.apple.updates.plist."
"T1564.001::The [Komplex] payload is stored in a hidden directory at /Users/Shared/.local/kextd."
"T1573.001::The [Komplex] C2 channel uses an 11-byte XOR algorithm to hide data."
"T1047::[KOMPROGO] is capable of running WMI queries."
"T1059.003::[KOMPROGO] is capable of creating a reverse shell."
"T1082::[KOMPROGO] is capable of retrieving information about the infected system."
"T1005::[KONNI] has stored collected information and discovered processes in a tmp file."
"T1016::[KONNI] can collect the IP address from the victim’s machine."
"T1027.002::[KONNI] has been packed for obfuscation."
"T1027::[KONNI] is heavily obfuscated and includes encrypted configuration files."
"T1033::[KONNI] can collect the username from the victim’s machine."
"T1036.004::[KONNI] has pretended to be the xmlProv Network Provisioning service."
"T1036.005::[KONNI] has created a shortcut called \"Anti virus service.lnk\" in an apparent attempt to masquerade as a legitimate file."
"T1041::[KONNI] has sent data and files to its C2 server."
"T1048.003::[KONNI] has used FTP to exfiltrate reconnaissance data out."
"T1049::[KONNI] has used net session on the victim's machine."
"T1056.001::[KONNI] has the capability to perform keylogging."
"T1057::[KONNI] has used the command cmd /c tasklist to get a snapshot of the current processes on the target machine."
"T1059.001::[KONNI] used PowerShell to download and execute a specific 64-bit version of the malware."
"T1059.003::[KONNI] has used cmd.exe to execute arbitrary commands on the infected host across different stages of the infection chain."
"T1059.007::[KONNI] has executed malicious JavaScript code."
"T1070.004::[KONNI] can delete files."
"T1071.001::[KONNI] has used HTTP POST for C2."
"T1082::[KONNI] can gather the OS version, architecture information, connected drives, hostname, RAM size, and disk space information from the victim’s machine and has used cmd /c systeminfo command to get a snapshot of the current system state of the target machine."
"T1083::A version of [KONNI] searches for filenames created with a previous version of the malware, suggesting different versions targeted the same victims and the versions may work together."
"T1105::[KONNI] can download files and execute them on the victim’s machine."
"T1106::[KONNI] has hardcoded API calls within its functions to use on the victim's machine."
"T1112::[KONNI] has modified registry keys of ComSysApp, Svchost, and xmlProv on the machine to gain persistence."
"T1113::[KONNI] can take screenshots of the victim’s machine."
"T1115::[KONNI] had a feature to steal data from the clipboard."
"T1132.001::[KONNI] has used a custom base64 key to encode stolen data before exfiltration."
"T1134.002::[KONNI] has duplicated the token of a high integrity process to spawn an instance of cmd.exe under an impersonated user."
"T1134.004::[KONNI] has used parent PID spoofing to spawn a new `cmd` process using `CreateProcessW` and a handle to `Taskmgr.exe`."
"T1140::[KONNI] has used certutil to download and decode base64 encoded strings and has also devoted a custom section to performing all the components of the deobfuscation process."
"T1204.002::[KONNI] has relied on a victim to enable malicious macros within an attachment delivered via email."
"T1218.011::[KONNI] has used Rundll32 to execute its loader for privilege escalation purposes."
"T1543.003::[KONNI] has registered itself as a service using its export function."
"T1546.015::[KONNI] has modified ComSysApp service to load the malicious DLL payload."
"T1547.001::A version of [KONNI] has dropped a Windows shortcut into the Startup folder to establish persistence."
"T1547.009::A version of [KONNI] drops a Windows shortcut on the victim’s machine to establish persistence."
"T1548.002::[KONNI] has bypassed UAC by performing token impersonation as well as an RPC-based method, this included bypassing UAC set to “AlwaysNotify\"."
"T1555.003::[KONNI] can steal profiles (containing credential information) from Firefox, Chrome, and Opera."
"T1560::[KONNI] has encrypted data and files prior to exfiltration."
"T1566.001::[KONNI] has been delivered via spearphishing campaigns through a malicious Word document."
"T1573.001::[KONNI] has used AES to encrypt C2 traffic."
"T1007::[Kwampirs] collects a list of running services with the command tasklist /svc."
"T1008::[Kwampirs] uses a large list of C2 servers that it cycles through until a successful connection is established."
"T1016::[Kwampirs] collects network adapter and interface information by using the commands ipconfig /all, arp -a and route print. It also collects the system's MAC address with getmac and domain configuration with net config workstation."
"T1018::[Kwampirs] collects a list of available servers with the command net view."
"T1021.002::[Kwampirs] copies itself over network shares to move laterally on a victim network."
"T1027.001::Before writing to disk, [Kwampirs] inserts a randomly generated string into the middle of the decrypted payload in an attempt to evade hash-based detections."
"T1027::[Kwampirs] downloads additional files that are base64-encoded and encrypted with another cipher."
"T1033::[Kwampirs] collects registered owner details by using the commands systeminfo and net config workstation."
"T1036.004::[Kwampirs] establishes persistence by adding a new service with the display name \"WMI Performance Adapter Extension\" in an attempt to masquerade as a legitimate WMI service."
"T1049::[Kwampirs] collects a list of active and listening connections by using the command netstat -nao as well as a list of available network mappings with net use."
"T1057::[Kwampirs] collects a list of running services with the command tasklist /v."
"T1069.001::[Kwampirs] collects a list of users belonging to the local users and administrators groups with the commands net localgroup administrators and net localgroup users."
"T1069.002::[Kwampirs] collects a list of domain groups with the command net localgroup /domain."
"T1082::[Kwampirs] collects OS version information such as registered owner details, manufacturer details, processor type, available storage, installed patches, hostname, version info, system date, and other system information by using the commands systeminfo, net config workstation, hostname, ver, set, and date /t."
"T1083::[Kwampirs] collects a list of files and directories in C:\\ with the command dir /s /a c:\\ >> \"C:\\windows\\TEMP\\[RANDOM].tmp\"."
"T1087.001::[Kwampirs] collects a list of accounts with the command net users."
"T1105::[Kwampirs] downloads additional files from C2 servers."
"T1135::[Kwampirs] collects a list of network shares with the command net share."
"T1140::[Kwampirs] decrypts and extracts a copy of its main DLL payload when executing."
"T1201::[Kwampirs] collects password policy information with the command net accounts."
"T1218.011::[Kwampirs] uses rundll32.exe in a Registry value added to establish persistence."
"T1543.003::[Kwampirs] creates a new service named WmiApSrvEx to establish persistence."
"T1001.002::[LightNeuron] is controlled via commands that are embedded into PDFs and JPGs using steganographic methods."
"T1005::[LightNeuron] can collect files from a local system."
"T1016::[LightNeuron] gathers information about network adapters using the Win32 API call GetAdaptersInfo."
"T1020::[LightNeuron] can be configured to automatically exfiltrate files under a specified directory."
"T1027::[LightNeuron] encrypts its configuration files with AES-256."
"T1029::[LightNeuron] can be configured to exfiltrate data during nighttime or working hours."
"T1036.005::[LightNeuron] has used filenames associated with Exchange and Outlook for binary and configuration files, such as winmail.dat."
"T1041::[LightNeuron] exfiltrates data over its email C2 channel."
"T1059.003::[LightNeuron] is capable of executing commands via cmd.exe."
"T1070.004::[LightNeuron] has a function to delete files."
"T1071.003::[LightNeuron] uses SMTP for C2."
"T1074.001::[LightNeuron] can store email data in files and directories specified in its configuration, such as C:\\Windows\\ServiceProfiles\\NetworkService\\appdata\\Local\\Temp\\."
"T1082::[LightNeuron] gathers the victim computer name using the Win32 API call GetComputerName."
"T1105::[LightNeuron] has the ability to download and execute additional files."
"T1106::[LightNeuron] is capable of starting a process using CreateProcess."
"T1114.002::[LightNeuron] collects Exchange emails matching rules specified in its configuration."
"T1119::[LightNeuron] can be configured to automatically collect files under a specified directory."
"T1140::[LightNeuron] has used AES and XOR to decrypt configuration files and commands."
"T1505.002::[LightNeuron] has used a malicious Microsoft Exchange transport agent for persistence."
"T1560::[LightNeuron] contains a function to encrypt and store emails that it collects."
"T1565.002::[LightNeuron] is capable of modifying email content, headers, and attachments during transit."
"T1573.001::[LightNeuron] uses AES to encrypt C2 traffic."
"T1005::[Linfo] creates a backdoor through which remote attackers can obtain data from local systems."
"T1008::[Linfo] creates a backdoor through which remote attackers can change C2 servers."
"T1029::[Linfo] creates a backdoor through which remote attackers can change the frequency at which compromised hosts contact remote C2 infrastructure."
"T1057::[Linfo] creates a backdoor through which remote attackers can retrieve a list of running processes."
"T1059.003::[Linfo] creates a backdoor through which remote attackers can start a remote shell."
"T1070.004::[Linfo] creates a backdoor through which remote attackers can delete files."
"T1082::[Linfo] creates a backdoor through which remote attackers can retrieve system information."
"T1083::[Linfo] creates a backdoor through which remote attackers can list contents of drives and search for files."
"T1105::[Linfo] creates a backdoor through which remote attackers can download files onto compromised hosts."
"T1033::[Linux Rabbit] opens a socket on port 22 and if it receives a response it attempts to obtain the machine's hostname and Top-Level Domain."
"T1078::[Linux Rabbit] acquires valid SSH accounts through brute force."
"T1110.003::[Linux Rabbit] brute forces SSH passwords in order to attempt to gain access and install its malware onto the server."
"T1132::[Linux Rabbit] sends the payload from the C2 server as an encoded URL parameter."
"T1133::[Linux Rabbit] attempts to gain access to the server via SSH."
"T1546.004::[Linux Rabbit] maintains persistence on an infected machine through rc.local and .bashrc files."
"T1012::[LiteDuke] can query the Registry to check for the presence of HKCU\\Software\\KasperskyLab."
"T1016::[LiteDuke] has the ability to discover the proxy configuration of Firefox and/or Opera."
"T1027.002::[LiteDuke] has been packed with multiple layers of encryption."
"T1027.003::[LiteDuke] has used image files to hide its loader component."
"T1033::[LiteDuke] can enumerate the account name on a targeted system."
"T1070.004::[LiteDuke] can securely delete files by first writing random data to the file."
"T1071.001::[LiteDuke] can use HTTP GET requests in C2 communications."
"T1082::[LiteDuke] can enumerate the CPUID and BIOS version on a compromised system."
"T1105::[LiteDuke] has the ability to download files."
"T1140::[LiteDuke] has the ability to decrypt and decode multiple layers of obfuscation."
"T1497.003::[LiteDuke] can wait 30 seconds before executing additional code if security software is detected."
"T1518.001::[LiteDuke] has the ability to check for the presence of Kaspersky security software."
"T1547.001::[LiteDuke] can create persistence by adding a shortcut in the CurrentVersion\\Run Registry key."
"T1012::[LitePower] can query the Registry for keys added to execute COM hijacking."
"T1033::[LitePower] can determine if the current user has admin privileges."
"T1041::[LitePower] can send collected data, including screenshots, over its C2 channel."
"T1053.005::[LitePower] can create a scheduled task to enable persistence mechanisms."
"T1059.001::[LitePower] can use a PowerShell script to execute commands."
"T1071.001::[LitePower] can use HTTP and HTTPS for C2 communications."
"T1082::[LitePower] has the ability to list local drives and enumerate the OS architecture."
"T1105::[LitePower] has the ability to download payloads containing system commands to a compromised host."
"T1106::[LitePower] can use various API calls."
"T1113::[LitePower] can take system screenshots and save them to `%AppData%`."
"T1518.001::[LitePower] can identify installed AV software."
"T1003.001::[Lizar] can run [Mimikatz] to harvest credentials."
"T1016::[Lizar] can retrieve network information from a compromised host."
"T1033::[Lizar] can collect the username from the system."
"T1049::[Lizar] has a plugin to retrieve information about all active network sessions on the infected server."
"T1055.001::[Lizar] has used the PowerKatz plugin that can be loaded into the address space of a PowerShell process through reflective DLL loading."
"T1055.002::[Lizar] can execute PE files in the address space of the specified process."
"T1055::[Lizar] can migrate the loader into another process."
"T1057::[Lizar] has a plugin designed to obtain a list of processes."
"T1059.001::[Lizar] has used PowerShell scripts."
"T1059.003::[Lizar] has a command to open the command-line on the infected system."
"T1082::[Lizar] can collect the computer name from the machine,."
"T1087.003::[Lizar] can collect email accounts from Microsoft Outlook and Mozilla Thunderbird."
"T1105::[Lizar] can download additional plugins, files, and tools."
"T1106::[Lizar] has used various Windows API functions on a victim's machine."
"T1113::[Lizar] can take JPEG screenshots of an infected system."
"T1140::[Lizar] can decrypt its configuration data."
"T1217::[Lizar] can retrieve browser history and database files."
"T1518.001::[Lizar] can search for processes associated with an anti-virus product from list."
"T1555.003::[Lizar] has a module to collect usernames and passwords stored in browsers."
"T1555.004::[Lizar] has a plugin that can retrieve credentials from Internet Explorer and Microsoft Edge using `vaultcmd.exe` and another that can collect RDP access credentials using the `CredEnumerateW` function."
"T1560::[Lizar] has encrypted data before sending it to the server."
"T1573::[Lizar] can support encrypted communications between the client and server."
"T1070.004::[LockerGoga] has been observed deleting its original launcher after execution."
"T1486::[LockerGoga] has encrypted files, including core Windows OS files, using RSA-OAEP MGF1 and then demanded Bitcoin be paid for the decryption key."
"T1529::[LockerGoga] has been observed shutting down infected systems."
"T1531::[LockerGoga] has been observed changing account passwords and logging off current users."
"T1553.002::[LockerGoga] has been signed with stolen certificates in order to make it look more legitimate."
"T1562.001::[LockerGoga] installation has been immediately preceded by a \"task kill\" command in order to disable anti-virus."
"T1570::[LockerGoga] has been observed moving around the victim network via SMB, indicating the actors behind this ransomware are manually copying files form computer to computer instead of self-propagating."
"T1014::[LoJax] is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems."
"T1112::[LoJax] has modified the Registry key ‘HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute’ from ‘autocheck autochk *’ to ‘autocheck autoche *’."
"T1542.001::[LoJax] is a UEFI BIOS rootkit deployed to persist remote access software on some targeted systems."
"T1547.001::[LoJax] has modified the Registry key ‘HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Session Manager\\BootExecute’ from ‘autocheck autochk *’ to ‘autocheck autoche *’ in order to execute its payload during Windows startup."
"T1564.004::[LoJax] has loaded an embedded NTFS DXE driver to be able to access and write to NTFS partitions."
"T1016::[Lokibot] has the ability to discover the domain name of the infected host."
"T1027.002::[Lokibot] has used several packing methods for obfuscation."
"T1027::[Lokibot] has obfuscated strings with base64 encoding."
"T1033::[Lokibot] has the ability to discover the username on the infected host."
"T1041::[Lokibot] has the ability to initiate contact with command and control (C2) to exfiltrate stolen data."
"T1053.005::[Lokibot] embedded the commands schtasks /Run /TN \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup /I inside a batch script."
"T1053::[Lokibot]'s second stage DLL has set a timer using “timeSetEvent” to schedule its next execution."
"T1055.012::[Lokibot] has used process hollowing to inject itself into legitimate Windows process."
"T1056.001::[Lokibot] has the ability to capture input on the compromised host via keylogging."
"T1059.001::[Lokibot] has used PowerShell commands embedded inside batch scripts."
"T1059.003::[Lokibot] has used cmd /c commands embedded within batch scripts."
"T1059.005::[Lokibot] has used VBS scripts and XLS macros for execution."
"T1070.004::[Lokibot] will delete its dropped files after bypassing UAC."
"T1071.001::[Lokibot] has used HTTP for C2 communications."
"T1082::[Lokibot] has the ability to discover the computer name and Windows product name/version."
"T1083::[Lokibot] can search for specific files on an infected host."
"T1105::[Lokibot] downloaded several staged items onto the victim's machine."
"T1106::[Lokibot] has used LoadLibrary(), GetProcAddress() and CreateRemoteThread() API functions to execute its shellcode."
"T1112::[Lokibot] has modified the Registry as part of its UAC bypass process."
"T1140::[Lokibot] has decoded and decrypted its stages multiple times using hard-coded keys to deliver the final payload, and has decoded its server response hex string using XOR."
"T1204.002::[Lokibot] has tricked recipients into enabling malicious macros by getting victims to click \"enable content\" in email attachments."
"T1497.003::[Lokibot] has performed a time-based anti-debug check before downloading its third stage."
"T1548.002::[Lokibot] has utilized multiple techniques to bypass UAC."
"T1555.003::[Lokibot] has demonstrated the ability to steal credentials from multiple applications and data sources including Safari and the Chromium and Mozilla Firefox-based web browsers."
"T1555::[Lokibot] has stolen credentials from multiple applications and data sources including Windows OS credentials, email clients, FTP, and SFTP clients."
"T1564.001::[Lokibot] has the ability to copy itself to a hidden file and directory."
"T1566.001::[Lokibot] is delivered via a malicious XLS attachment contained within a spearhpishing email."
"T1620::[Lokibot] has reflectively loaded the decoded DLL into memory."
"T1007::[LookBack] can enumerate services on the victim machine."
"T1036.005::[LookBack] has a C2 proxy tool that masquerades as GUP.exe, which is software used by Notepad++."
"T1057::[LookBack] can list running processes."
"T1059.003::[LookBack] executes the cmd.exe command."
"T1059.005::[LookBack] has used VBA macros in Microsoft Word attachments to drop additional files to the host."
"T1070.004::[LookBack] removes itself after execution and can delete files on the system."
"T1071.001::[LookBack]’s C2 proxy tool sends data to a C2 server over HTTP."
"T1083::[LookBack] can retrieve file listings from the victim machine."
"T1095::[LookBack] uses a custom binary protocol over sockets for C2 communications."
"T1113::[LookBack] can take desktop screenshots."
"T1140::[LookBack] has a function that decrypts malicious data."
"T1489::[LookBack] can kill processes and delete services."
"T1529::[LookBack] can shutdown and reboot the victim machine."
"T1547.001::[LookBack] sets up a Registry Run key to establish a persistence mechanism."
"T1573.001::[LookBack] uses a modified version of RC4 for data transfer."
"T1574.002::[LookBack] side loads its communications module as a DLL into the libcurl.dll loader."
"T1016::[LoudMiner] used a script to gather the IP address of the infected machine before sending to the C2."
"T1027::[LoudMiner] has obfuscated various scripts and encrypted DMG files."
"T1057::[LoudMiner] used the ps command to monitor the running processes on the system."
"T1059.003::[LoudMiner] used a batch script to run the Linux virtual machine as a service."
"T1059.004::[LoudMiner] used shell scripts to launch various services and to start/stop the QEMU virtualization."
"T1070.004::[LoudMiner] deleted installation files after completion."
"T1082::[LoudMiner] has monitored CPU usage."
"T1105::[LoudMiner] used SCP to update the miner from the C2."
"T1189::[LoudMiner] is typically bundled with pirated copies of Virtual Studio Technology (VST) for Windows and macOS."
"T1218.007::[LoudMiner] used an MSI installer to install the virtualization software."
"T1496::[LoudMiner] harvested system resources to mine cryptocurrency, using XMRig to mine Monero."
"T1543.003::[LoudMiner] can automatically launch a Linux virtual machine as a service at startup if the AutoStart option is enabled in the VBoxVmService configuration file."
"T1543.004::[LoudMiner] adds plist files with the naming format com.[random_name].plist in the /Library/LaunchDaemons folder with the RunAtLoad and KeepAlive keys set to true."
"T1564.001::[LoudMiner] has set the attributes of the VirtualBox directory and VBoxVmService parent directory to \"hidden\"."
"T1564.006::[LoudMiner] has used QEMU and VirtualBox to run a Tiny Core Linux virtual machine, which runs XMRig and makes connections to the C2 server for updates."
"T1569.001::[LoudMiner] launched the QEMU services in the /Library/LaunchDaemons/ folder using launchctl. It also uses launchctl to unload all [Launch Daemon]s when updating to a newer version of [LoudMiner]."
"T1569.002::[LoudMiner] started the cryptomining virtual machine as a service on the infected machine."
"T1071.001::[LOWBALL] command and control occurs via HTTPS over port 443."
"T1102.002::[LOWBALL] uses the Dropbox cloud storage service for command and control."
"T1105::[LOWBALL] uses the Dropbox API to request two files, one of which is the same file as the one dropped by the malicious email attachment. This is most likely meant to be a mechanism to update the compromised host with a new version of the [LOWBALL] malware."
"T1012::[Lucifer] can check for existing stratum cryptomining information in HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\spreadCpuXmr – %stratum info%."
"T1016::[Lucifer] can collect the IP address of a compromised host."
"T1021.002::[Lucifer] can infect victims by brute forcing SMB."
"T1027.002::[Lucifer] has used UPX packed binaries."
"T1033::[Lucifer] has the ability to identify the username on a compromised host."
"T1046::[Lucifer] can scan for open ports including TCP ports 135 and 1433."
"T1047::[Lucifer] can use WMI to log into remote machines for propagation."
"T1049::[Lucifer] can identify the IP and port numbers for all remote connections from the compromised host."
"T1053.005::[Lucifer] has established persistence by creating the following scheduled task schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\\%USERPROFILE%\\Downloads\\spread.exe /F."
"T1057::[Lucifer] can identify the process that owns remote connections."
"T1059.003::[Lucifer] can issue shell commands to download and execute additional payloads."
"T1070.001::[Lucifer] can clear and remove event logs."
"T1071::[Lucifer] can use the Stratum protocol on port 10001 for communication between the cryptojacking bot and the mining server."
"T1082::[Lucifer] can collect the computer name, system architecture, default language, and processor frequency of a compromised host."
"T1105::[Lucifer] can download and execute a replica of itself using [certutil]."
"T1110.001::[Lucifer] has attempted to brute force TCP ports 135 (RPC) and 1433 (MSSQL) with the default username or list of usernames and    passwords."
"T1140::[Lucifer] can decrypt its C2 address upon execution."
"T1210::[Lucifer] can exploit multiple vulnerabilities including EternalBlue (CVE-2017-0144) and EternalRomance (CVE-2017-0144)."
"T1496::[Lucifer] can use system resources to mine cryptocurrency, dropping XMRig to mine Monero."
"T1497.001::[Lucifer] can check for specific usernames, computer names, device drivers, DLL's, and virtual devices associated with sandboxed environments and can enter an infinite loop and stop itself if any are detected."
"T1498::[Lucifer] can execute TCP, UDP,  and HTTP denial of service (DoS) attacks."
"T1547.001::[Lucifer] can persist by setting Registry key values HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic and HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\QQMusic."
"T1570::[Lucifer] can use [certutil] for propagation on Windows hosts within intranets."
"T1573.001::[Lucifer] can perform a decremental-xor encryption on the initial C2 request before sending it over the wire."
"T1560::[Lurid] can compress data before sending it."
"T1573.001::[Lurid] performs XOR encryption."
"T1036.005::[Machete]'s [Machete] MSI installer has masqueraded as a legitimate Adobe Acrobat Reader installer."
"T1053.005::[Machete] has created scheduled tasks to maintain [Machete]'s persistence."
"T1059.003::[Machete] has used batch files to initiate additional downloads of malicious files."
"T1059.005::[Machete] has embedded malicious macros within spearphishing attachments to download additional files."
"T1059.006::[Machete] used multiple compiled Python scripts on the victim’s system. [Machete]'s main backdoor [Machete] is also written in Python."
"T1189::[Machete] has distributed [Machete] through a fake blog website."
"T1204.001::[Machete] has has relied on users opening malicious links delivered through spearphishing to execute malware."
"T1204.002::[Machete] has relied on users opening malicious attachments delivered through spearphishing to execute malware."
"T1218.007::[Machete] has used msiexec to install the [Machete] malware."
"T1566.001::[Machete] has delivered spearphishing emails that contain a zipped file with malicious contents."
"T1566.002::[Machete] has sent phishing emails that contain a link to an external server with ZIP and RAR archives."
"T1005::[MacMa] can collect then exfiltrate files from the compromised system."
"T1016::[MacMa] can collect IP addresses from a compromised host."
"T1021::[MacMa] can manage remote screen sessions."
"T1033::[MacMa] can collect the username from the compromised machine."
"T1041::[MacMa] exfiltrates data from a supplied path over its C2 channel."
"T1056.001::[MacMa] can use Core Graphics Event Taps to intercept user keystrokes from any text input field and saves them to text files. Text input fields include Spotlight, Finder, Safari, Mail, Messages, and other apps that have text fields for passwords."
"T1057::[MacMa] can enumerate running processes."
"T1059.004::[MacMa] can execute supplied shell commands and uses bash scripts to perform additional actions."
"T1070.002::[MacMa] can clear possible malware traces such as application logs."
"T1070.004::[MacMa] can delete itself from the compromised computer."
"T1070.006::[MacMa] has the capability to create and modify file timestamps."
"T1074.001::[MacMa] has stored collected files locally before exfiltration."
"T1082::[MacMa] can collect information about a compromised computer, including: Hardware UUID, Mac serial number, macOS version, and disk sizes."
"T1083::[MacMa] can search for a specific file on the compromised computer and can enumerate files in Desktop, Downloads, and Documents folders."
"T1095::[MacMa] has used a custom JSON-based protocol for its C&C communications."
"T1105::[MacMa] has downloaded additional files, including an exploit for used privilege escalation."
"T1106::[MacMa] has used macOS API functions to perform tasks."
"T1113::[MacMa] has used Apple’s Core Graphic APIs, such as `CGWindowListCreateImageFromArray`, to capture the user's screen and open windows."
"T1123::[MacMa] has the ability to record audio."
"T1140::[MacMa] decrypts a downloaded file using AES-128-EBC with a custom delta."
"T1543.001::[MacMa] installs a `com.apple.softwareupdate.plist` file in the `/LaunchAgents` folder with the `RunAtLoad` value set to `true`. Upon user login, [MacMa] is executed from `/var/root/.local/softwareupdate` with root privileges. Some variations also include the `LimitLoadToSessionType` key with the value `Aqua`, ensuring the [MacMa] only runs when there is a logged in GUI user."
"T1553.001::[MacMa] has removed the `com.apple.quarantineattribute` from the dropped file, `$TMPDIR/airportpaird`."
"T1555.001::[MacMa] can dump credentials from the macOS keychain."
"T1571::[MacMa] has used TCP port 5633 for C2 Communication."
"T1573::[MacMa] has used TLS encryption to initialize a custom protocol for C2 communications."
"T1027.008::[macOS.OSAMiner] has used run-only Applescripts, a compiled and stripped version of [AppleScript], to remove human readable indicators to evade detection."
"T1027.009::[macOS.OSAMiner] has embedded [Stripped Payloads] within another run-only [Stripped Payloads]."
"T1057::[macOS.OSAMiner] has used `ps ax | grep <name> | grep -v grep | ...` and `ps ax | grep -E...` to conduct process discovery."
"T1059.002::[macOS.OSAMiner] has used `osascript` to call itself via the `do shell script` command in the [Launch Agent] `.plist` file."
"T1082::[macOS.OSAMiner] can gather the device serial number and has checked to ensure there is enough disk space using the Unix utility `df`."
"T1105::[macOS.OSAMiner] has used `curl` to download a [Stripped Payloads] from a public facing adversary-controlled webpage."
"T1497.001::[macOS.OSAMiner] can parse the output of the native `system_profiler` tool to determine if the machine is running with 4 cores."
"T1543.001::[macOS.OSAMiner] has placed a [Stripped Payloads] with a `plist` extension in the [Launch Agent]'s folder."
"T1562.001::[macOS.OSAMiner] has searched for the Activity Monitor process in the System Events process list and kills the process if running. [macOS.OSAMiner] also searches the operating system's `install.log` for apps matching its hardcoded list, killing all matching process names."
"T1569.001::[macOS.OSAMiner] has used `launchctl` to restart the [Launch Agent]."
"T1056.001::[MacSpy] captures keystrokes."
"T1070.004::[MacSpy] deletes any temporary files it creates"
"T1071.001::[MacSpy] uses HTTP for command and control."
"T1090.003::[MacSpy] uses Tor for command and control."
"T1113::[MacSpy] can capture screenshots of the desktop over multiple monitors."
"T1115::[MacSpy] can steal clipboard contents."
"T1123::[MacSpy] can record the sounds from microphones on a computer."
"T1543.001::[MacSpy] persists via a Launch Agent."
"T1564.001::[MacSpy] stores itself in ~/Library/.DS_Stores/"
"T1005::[MarkiRAT] can upload data from the victim's machine to the C2 server."
"T1033::[MarkiRAT] can retrieve the victim’s username."
"T1036.005::[MarkiRAT] can masquerade as update.exe and svehost.exe; it has also mimicked legitimate Telegram and Chrome files."
"T1041::[MarkiRAT] can exfiltrate locally stored data via its C2."
"T1056.001::[MarkiRAT] can capture all keystrokes on a compromised host."
"T1057::[MarkiRAT] can search for different processes on a system."
"T1059.003::[MarkiRAT] can utilize cmd.exe to execute commands in a victim's environment."
"T1071.001::[MarkiRAT] can initiate communication over HTTP/HTTPS for its C2 server."
"T1074.001::[MarkiRAT] can store collected data locally in a created .nfo file."
"T1082::[MarkiRAT] can obtain the computer name from a compromised host."
"T1083::[MarkiRAT] can look for files carrying specific extensions such as: .rtf, .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pps, .ppsx, .txt, .gpg, .pkr, .kdbx, .key, and .jpb."
"T1105::[MarkiRAT] can download additional files and tools from its C2 server, including through the use of [BITSAdmin]."
"T1106::[MarkiRAT] can run the ShellExecuteW API via the Windows Command Shell."
"T1113::[MarkiRAT] can capture screenshots that are initially saved as ‘scr.jpg’."
"T1115::[MarkiRAT] can capture clipboard content."
"T1197::[MarkiRAT] can use BITS Utility to connect with the C2 server."
"T1518.001::[MarkiRAT] can check for running processes on the victim’s machine to look for Kaspersky and Bitdefender antivirus products."
"T1518::[MarkiRAT] can check for the Telegram installation directory by enumerating the files on disk."
"T1547.001::[MarkiRAT] can drop its payload into the Startup directory to ensure it automatically runs when the compromised system is started."
"T1547.009::[MarkiRAT] can modify the shortcut that launches Telegram by replacing its path with the malicious payload to launch with the legitimate executable."
"T1555.005::[MarkiRAT] can gather information from the Keepass password manager."
"T1614.001::[MarkiRAT] can use the GetKeyboardLayout API to check if a compromised host's keyboard is set to Persian."
"T1027::[Matryoshka] obfuscates API function names using a substitute cipher combined with Base64 encoding."
"T1053.005::[Matryoshka] can establish persistence by adding a Scheduled Task named \"Microsoft Boost Kernel Optimization\"."
"T1055.001::[Matryoshka] uses reflective DLL injection to inject the malicious library and execute the RAT."
"T1056.001::[Matryoshka] is capable of keylogging."
"T1059::[Matryoshka] is capable of providing Meterpreter shell access."
"T1071.004::[Matryoshka] uses DNS for C2."
"T1113::[Matryoshka] is capable of performing screen captures."
"T1218.011::[Matryoshka] uses rundll32.exe in a Registry Run key value for execution as part of its persistence mechanism."
"T1547.001::[Matryoshka] can establish persistence by adding Registry Run keys."
"T1555::[Matryoshka] is capable of stealing Outlook passwords."
"T1027.001::[Maze] has inserted large blocks of junk code, including some components to decrypt strings and other important information for later in the encryption process."
"T1027::[Maze] has decrypted strings and other important information during the encryption process. [Maze] also calls certain functions dynamically to hinder analysis."
"T1036.004::[Maze] operators have created scheduled tasks masquerading as \"Windows Update Security\", \"Windows Update Security Patches\", and \"Google Chrome Security Update\" designed to launch the ransomware."
"T1047::[Maze] has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network."
"T1049::[Maze] has used the \"WNetOpenEnumW\", \"WNetEnumResourceW”, “WNetCloseEnum” and “WNetAddConnection2W” functions to enumerate the network resources on the infected machine."
"T1053.005::[Maze] has created scheduled tasks using name variants such as \"Windows Update Security\", \"Windows Update Security Patches\", and \"Google Chrome Security Update\", to launch [Maze] at a specific time."
"T1055.001::[Maze] has injected the malware DLL into a target process."
"T1057::[Maze] has gathered all of the running system processes."
"T1059.003::The [Maze] encryption process has used batch scripts with various commands."
"T1070::[Maze] has used the “Wow64RevertWow64FsRedirection” function following attempts to delete the shadow volumes, in order to leave the system in the same state as it was prior to redirection."
"T1071.001::[Maze] has communicated to hard-coded IP addresses via HTTP."
"T1082::[Maze] has checked the language of the infected system using the \"GetUSerDefaultUILanguage\" function."
"T1106::[Maze] has used several Windows API functions throughout the encryption process including IsDebuggerPresent, TerminateProcess, Process32FirstW, among others."
"T1218.007::[Maze] has delivered components for its ransomware attacks using MSI files, some of which have been executed from the command-line using msiexec."
"T1486::[Maze] has disrupted systems by encrypting files on targeted machines, claiming to decrypt files if a ransom payment is made. [Maze] has used the ChaCha algorithm, based on Salsa20, and an RSA algorithm to encrypt files."
"T1489::[Maze] has stopped SQL services to ensure it can encrypt any database."
"T1490::[Maze] has attempted to delete the shadow volumes of infected machines, once before and once after the encryption process."
"T1529::[Maze] has issued a shutdown command on a victim machine that, upon reboot, will run the ransomware within a VM."
"T1547.001::[Maze] has created a file named \"startup_vrun.bat\" in the Startup folder of a virtual machine to establish persistence."
"T1562.001::[Maze] has disabled dynamic analysis and other security tools including IDA debugger, x32dbg, and OllyDbg."
"T1564.006::[Maze] operators have used VirtualBox and a Windows 7 virtual machine to run the ransomware; the virtual machine's configuration file mapped the shared network drives of the target company, presumably so [Maze] can encrypt files on the shared drives as well as the local machine."
"T1568::[Maze] has forged POST strings with a random choice from a list of possibilities including \"forum\", \"php\", \"view\", etc. while making connection with the C2, hindering detection efforts."
"T1614.001::[Maze] has checked the language of the machine with function GetUserDefaultUILanguage and terminated execution if the language matches with an entry in the predefined list."
"T1033::[MechaFlounder] has the ability to identify the username and hostname on a compromised host."
"T1036.005::[MechaFlounder] has been downloaded as a file named lsass.exe, which matches the legitimate Windows file."
"T1041::[MechaFlounder] has the ability to send the compromised user's account name and hostname within a URL to C2."
"T1059.003::[MechaFlounder] has the ability to run commands on a compromised host."
"T1059.006::[MechaFlounder] uses a python-based payload."
"T1071.001::[MechaFlounder] has the ability to use HTTP in communication with C2."
"T1105::[MechaFlounder] has the ability to upload and download files to and from a compromised host."
"T1132.001::[MechaFlounder] has the ability to use base16 encoded strings in C2."
"T1055.001::[MegaCortex] loads injecthelper.dll into a newly created rundll32.exe process."
"T1059.003::[MegaCortex] has used .cmd scripts on the victim's system."
"T1083::[MegaCortex] can parse the available drives and directories to determine which files to encrypt."
"T1106::After escalating privileges, [MegaCortex] calls TerminateProcess(), CreateRemoteThread, and other Win32 APIs."
"T1112::[MegaCortex] has added entries to the Registry for ransom contact information."
"T1134::[MegaCortex] can enable SeDebugPrivilege and adjust token privileges."
"T1140::[MegaCortex] has used a Base64 key to decode its components."
"T1218.011::[MegaCortex] has used rundll32.exe to load a DLL for file encryption."
"T1486::[MegaCortex] has used the open-source library, Mbed Crypto, and generated AES keys to carry out the file encryption process."
"T1489::[MegaCortex] can stop and disable services on the system."
"T1490::[MegaCortex] has deleted volume shadow copies using vssadmin.exe."
"T1497.001::[MegaCortex] has checked the number of CPUs in the system to avoid being run in a sandbox or emulator."
"T1531::[MegaCortex] has changed user account passwords and logged users off the system."
"T1561.001::[MegaCortex] can wipe deleted data from all drives using cipher.exe."
"T1562.001::[MegaCortex] was used to kill endpoint security processes."
"T1588.003::[MegaCortex] has used code signing certificates issued to fake companies to bypass security controls."
"T1027.002::[Melcoz] has been packed with VMProtect and Themida."
"T1059.005::[Melcoz] can use VBS scripts to execute malicious DLLs."
"T1059::[Melcoz] has been distributed through an AutoIt loader script."
"T1105::[Melcoz] has the ability to download additional files to a compromised host."
"T1115::[Melcoz] can monitor content saved to the clipboard."
"T1185::[Melcoz] can monitor the victim's browser for online banking sessions and display an overlay window to manipulate the session in the background."
"T1204.001::[Melcoz] has gained execution through victims opening malicious links."
"T1218.007::[Melcoz] can use MSI files with embedded VBScript for execution."
"T1555.003::[Melcoz] has the ability to steal credentials from web browsers."
"T1565.002::[Melcoz] can monitor the clipboard for cryptocurrency addresses and change the intended address to one controlled by the adversary."
"T1566.002::[Melcoz] has been spread through malicious links embedded in e-mails."
"T1574.001::[Melcoz] can use DLL hijacking to bypass security controls."
"T1040::[MESSAGETAP] uses the libpcap library to listen to all traffic and parses network protocols starting with Ethernet and IP layers. It continues parsing protocol layers including SCTP, SCCP, and TCAP and finally extracts SMS message data and routing metadata."
"T1049::After loading the keyword and phone data files, [MESSAGETAP] begins monitoring all network connections to and from the victim server."
"T1070.004::Once loaded into memory, [MESSAGETAP] deletes the keyword_parm.txt and parm.txt configuration files from disk."
"T1074.001::[MESSAGETAP] stored targeted SMS messages that matched its target list in CSV files on the compromised system."
"T1083::[MESSAGETAP] checks for the existence of two configuration files (keyword_parm.txt and parm.txt) and attempts to read the files every 30 seconds."
"T1119::[MESSAGETAP] checks two files, keyword_parm.txt and parm.txt, for instructions on how to target and save data parsed and extracted from SMS message data from the network traffic. If an SMS message contained either a phone number, IMSI number, or keyword that matched the predefined list, it is saved to a CSV file for later theft by the threat actor."
"T1140::After checking for the existence of two files, keyword_parm.txt and parm.txt, [MESSAGETAP] XOR decodes and read the contents of the files."
"T1560.003::[MESSAGETAP] has XOR-encrypted and stored contents of SMS messages that matched its target list."
"T1010::[Metamorfo] can enumerate all windows on the victim’s machine."
"T1027.002::[Metamorfo] has used VMProtect to pack and protect files."
"T1027::[Metamorfo] has encrypted payloads and strings."
"T1033::[Metamorfo] has collected the username from the victim's machine."
"T1036.005::[Metamorfo] has disguised an MSI file as the Adobe Acrobat Reader Installer and has masqueraded payloads as OneDrive, WhatsApp, or Spotify, for example."
"T1041::[Metamorfo] can send the data it collects to the C2 server."
"T1055.001::[Metamorfo] has injected a malicious DLL into the Windows Media Player process (wmplayer.exe)."
"T1056.001::[Metamorfo] has a command to launch a keylogger and capture keystrokes on the victim’s machine."
"T1056.002::[Metamorfo] has displayed fake forms on top of banking sites to intercept credentials from victims."
"T1057::[Metamorfo] has performed process name checks and has monitored applications."
"T1059.003::[Metamorfo] has used cmd.exe /c to execute files."
"T1059.005::[Metamorfo] has used VBS code on victims’ systems."
"T1059.007::[Metamorfo] includes payloads written in JavaScript."
"T1070.004::[Metamorfo] has deleted itself from the system after execution."
"T1070::[Metamorfo] has a command to delete a Registry key it uses, \\Software\\Microsoft\\Internet Explorer\\notes."
"T1071.001::[Metamorfo] has used HTTP for C2."
"T1082::[Metamorfo] has collected the hostname and operating system version from the compromised host."
"T1083::[Metamorfo] has searched the Program Files directories for specific folders and has searched for strings related to its mutexes."
"T1095::[Metamorfo] has used raw TCP for C2."
"T1102.001::[Metamorfo] has used YouTube to store and hide C&C server domains."
"T1102.003::[Metamorfo] has downloaded a zip file for execution on the system."
"T1105::[Metamorfo] has used MSI files to download additional files to execute."
"T1106::[Metamorfo] has used native WINAPI calls."
"T1112::[Metamorfo] has written process names to the Registry, disabled IE browser features, deleted Registry keys, and changed the ExtendedUIHoverTime key."
"T1113::[Metamorfo] can collect screenshots of the victim’s machine."
"T1115::[Metamorfo] has a function to hijack data from the clipboard by monitoring the contents of the clipboard and replacing the cryptocurrency wallet with the attacker's."
"T1119::[Metamorfo] has automatically collected mouse clicks, continuous screenshots on the machine, and set timers to collect the contents of the clipboard and website browsing."
"T1124::[Metamorfo] uses JavaScript to get the system time."
"T1129::[Metamorfo] had used AutoIt to load and execute the DLL payload."
"T1140::Upon execution, [Metamorfo] has unzipped itself after being downloaded to the system and has performed string decryption."
"T1204.002::[Metamorfo] requires the user to double-click the executable to run the malicious HTA file or to download a malicious installer."
"T1218.005::[Metamorfo] has used mshta.exe to execute a HTA payload."
"T1218.007::[Metamorfo] has used MsiExec.exe to automatically execute files."
"T1497::[Metamorfo] has embedded a \"vmdetect.exe\" executable to identify virtual machines at the beginning of execution."
"T1518.001::[Metamorfo] collects a list of installed antivirus software from the victim’s system."
"T1518::[Metamorfo] has searched the compromised system for banking applications."
"T1547.001::[Metamorfo] has configured persistence to the Registry ket HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, Spotify =% APPDATA%\\Spotify\\Spotify.exe and used .LNK files in the startup folder to achieve persistence."
"T1553.002::[Metamorfo] has digitally signed executables using AVAST Software certificates."
"T1562.001::[Metamorfo] has a function to kill processes associated with defenses and can prevent certain processes from launching."
"T1564.003::[Metamorfo] has hidden its GUI using the ShowWindow() WINAPI call."
"T1565.002::[Metamorfo] has a function that can watch the contents of the system clipboard for valid bitcoin addresses, which it then overwrites with the attacker's address."
"T1566.001::[Metamorfo] has been delivered to victims via emails with malicious HTML attachments."
"T1571::[Metamorfo] has communicated with hosts over raw TCP on port 9999."
"T1573.001::[Metamorfo] has encrypted C2 commands with AES-256."
"T1573.002::[Metamorfo]'s C2 communication has been encrypted using OpenSSL."
"T1574.002::[Metamorfo] has side-loaded its malicious DLL file."
"T1036.004::[Meteor] has been disguised as the Windows Power Efficiency Diagnostics report tool."
"T1047::[Meteor] can use `wmic.exe` as part of its effort to delete shadow copies."
"T1053.005::[Meteor] execution begins from a scheduled task named `Microsoft\\Windows\\Power Efficiency Diagnostics\\AnalyzeAll` and it creates a separate scheduled task called `mstask` to run the wiper only once at 23:55:00."
"T1057::[Meteor] can check if a specific process is running, such as Kaspersky's `avp.exe`."
"T1059.001::[Meteor] can use PowerShell commands to disable the network adapters on a victim machines."
"T1059.003::[Meteor] can run `set.bat`, `update.bat`, `cache.bat`, `bcd.bat`, `msrun.bat`, and similar scripts."
"T1070.001::[Meteor] can use [Wevtutil] to remove Security, System and Application Event Viewer logs."
"T1070.004::[Meteor] will delete the folder containing malicious scripts if it detects the hostname as `PIS-APP`, `PIS-MOB`, `WSUSPROXY`, or `PIS-DB`."
"T1082::[Meteor] has the ability to discover the hostname of a compromised host."
"T1105::[Meteor] has the ability to download additional files for execution on the victim's machine."
"T1106::[Meteor] can use `WinAPI` to remove a victim machine from an Active Directory domain."
"T1484.001::[Meteor] can use group policy to push a scheduled task from the AD to all network machines."
"T1485::[Meteor] can fill a victim's files and directories with zero-bytes in replacement of real content before deleting them."
"T1489::[Meteor] can disconnect all network adapters on a compromised host using `powershell -Command \"Get-WmiObject -class Win32_NetworkAdapter | ForEach { If ($.NetEnabled) { $.Disable() } }\" > NUL`."
"T1490::[Meteor] can use `bcdedit` to delete different boot identifiers on a compromised host; it can also use `vssadmin.exe delete shadows /all /quiet` and `C:\\\\Windows\\\\system32\\\\wbem\\\\wmic.exe shadowcopy delete`."
"T1491.001::[Meteor] can change both the desktop wallpaper and the lock screen image to a custom image."
"T1518.001::[Meteor] has the ability to search for Kaspersky Antivirus on a victim's machine."
"T1531::[Meteor] has the ability to change the password of local users on compromised hosts and can log off users."
"T1562.001::[Meteor] can attempt to uninstall Kaspersky Antivirus or remove the Kaspersky license; it can also add all files and folders related to the attack to the Windows Defender exclusion list."
"T1564.003::[Meteor] can hide its console window upon execution to decrease its visibility to a victim."
"T1027::[Micropsia] obfuscates the configuration with a custom Base64 and XOR."
"T1033::[Micropsia] collects the username from the victim’s machine."
"T1047::[Micropsia] searches for anti-virus software and firewall products installed on the victim’s machine using WMI."
"T1056.001::[Micropsia] has keylogging capabilities."
"T1059.003::[Micropsia] creates a command-line shell using cmd.exe."
"T1071.001::[Micropsia] uses HTTP and HTTPS for C2 network communications."
"T1082::[Micropsia] gathers the hostname and OS version from the victim’s machine."
"T1083::[Micropsia] can perform a recursive directory listing for all volume drives available on the victim's machine and can also fetch specific files by their paths."
"T1105::[Micropsia] can download and execute an executable from the C2 server."
"T1113::[Micropsia] takes screenshots every 90 seconds by calling the Gdi32.BitBlt API."
"T1119::[Micropsia] executes an RAR tool to recursively archive files based on a predefined list of file extensions (*.xls, *.xlsx, *.csv, *.odt, *.doc, *.docx, *.ppt, *.pptx, *.pdf, *.mdb, *.accdb, *.accde, *.txt)."
"T1123::[Micropsia] can perform microphone recording."
"T1518.001::[Micropsia] searches for anti-virus software and firewall products installed on the victim’s machine using WMI."
"T1547.009::[Micropsia] creates a shortcut to maintain persistence."
"T1560.001::[Micropsia] creates a RAR archive based on collected files on the victim's machine."
"T1564.001::[Micropsia] creates a new hidden directory to store all components' outputs in a dedicated sub-folder for each."
"T1005::[Milan] can upload files from a compromised host."
"T1012::[Milan] can query `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid` to retrieve the machine GUID."
"T1016::[Milan] can run `C:\\Windows\\system32\\cmd.exe /c cmd /c ipconfig /all 2>&1` to discover network settings."
"T1027::[Milan] can encode files containing information about the targeted system."
"T1033::[Milan] can identify users registered to a targeted machine."
"T1036.007::[Milan] has used an executable named `companycatalog.exe.config` to appear benign."
"T1036::[Milan] has used an executable named `companycatalogue` to appear benign."
"T1053.005::[Milan] can establish persistence on a targeted host with scheduled tasks."
"T1059.003::[Milan] can use `cmd.exe` for discovery actions on a targeted system."
"T1070.004::[Milan] can delete files via `C:\\Windows\\system32\\cmd.exe /c ping 1.1.1.1 -n 1 -w 3000 > Nul & rmdir /s /q`."
"T1071.001::[Milan] can use HTTPS for communication with C2."
"T1071.004::[Milan] has the ability to use DNS for C2 communications."
"T1074.001::[Milan] has saved files prior to upload from a compromised host to folders beginning with the characters `a9850d2f`."
"T1082::[Milan] can enumerate the targeted machine's name and GUID."
"T1087.001::[Milan] has run `C:\\Windows\\system32\\cmd.exe /c cmd /c dir c:\\users\\ /s 2>&1` to discover local accounts."
"T1105::[Milan] has received files from C2 and stored them in log folders beginning with the character sequence `a9850d2f`."
"T1106::[Milan] can use the API `DnsQuery_A` for DNS resolution."
"T1559.001::[Milan] can use a COM component to generate scheduled tasks."
"T1568.002::[Milan] can use hardcoded domains as an input for domain generation algorithms."
"T1572::[Milan] can use a custom protocol tunneled through DNS or HTTP."
"T1080::[Miner-C] copies itself into the public folder of Network Attached Storage (NAS) devices and infects new victims who open the file."
"T1008::[MiniDuke] uses Google Search to identify C2 servers if its primary C2 method via Twitter is not working."
"T1027::[MiniDuke] can use control flow flattening to obscure code."
"T1071.001::[MiniDuke] uses HTTP and HTTPS for command and control."
"T1082::[MiniDuke] can gather the hostname on a compromised machine."
"T1083::[MiniDuke] can enumerate local drives."
"T1090.001::[MiniDuke] can can use a named pipe to forward communications from one compromised machine with internet access to other compromised machines."
"T1102.001::Some [MiniDuke] components use Twitter to initially obtain the address of a C2 server or as a backup if no hard-coded C2 server responds."
"T1105::[MiniDuke] can download additional encrypted backdoors onto the victim via GIF files."
"T1568.002::[MiniDuke] can use DGA to generate new Twitter URLs for C2."
"T1033::[MirageFox] can gather the username from the victim’s machine."
"T1059.003::[MirageFox] has the capability to execute commands using cmd.exe."
"T1082::[MirageFox] can collect CPU and architecture information from the victim’s machine."
"T1140::[MirageFox] has a function for decrypting data containing C2 configuration information."
"T1574.001::[MirageFox] is likely loaded via DLL hijacking into a legitimate McAfee binary."
"T1005::[Mis-Type] has collected files and data from a compromised host."
"T1008::[Mis-Type] first attempts to use a Base64-encoded network protocol over a raw TCP socket for C2, and if that method fails, falls back to a secondary HTTP-based protocol to communicate to an alternate C2 server."
"T1016::[Mis-Type] may create a file containing the results of the command cmd.exe /c ipconfig /all."
"T1033::[Mis-Type] runs tests to determine the privilege level of the compromised user."
"T1036.005::[Mis-Type] saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary."
"T1041::[Mis-Type] has transmitted collected files and data to its C2 server."
"T1055::[Mis-Type] has been injected directly into a running process, including `explorer.exe`."
"T1059.003::[Mis-Type] has used `cmd.exe` to run commands on a compromised host."
"T1071.001::[Mis-Type] network traffic can communicate over HTTP."
"T1074.001::[Mis-Type] has temporarily stored collected information to the files `“%AppData%\\{Unique Identifier}\\HOSTRURKLSR”` and `“%AppData%\\{Unique Identifier}\\NEWERSSEMP”`."
"T1082::The initial beacon packet for [Mis-Type] contains the operating system version and file system of the victim."
"T1087.001::[Mis-Type] may create a file containing the results of the command cmd.exe /c net user {Username}."
"T1095::[Mis-Type] network traffic can communicate over a raw socket."
"T1105::[Mis-Type] has downloaded additional malware and files onto a compromised host."
"T1106::[Mis-Type] has used Windows API calls, including `NetUserAdd` and `NetUserDel`."
"T1132.001::[Mis-Type] uses Base64 encoding for C2 traffic."
"T1136.001::[Mis-Type] may create a temporary user on the system named `Lost_{Unique Identifier}`."
"T1547::[Mis-Type] has created registry keys for persistence, including `HKCU\\Software\\bkfouerioyou`, `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{6afa8072-b2b1-31a8-b5c1-{Unique Identifier}`, and `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3BF41072-B2B1-31A8-B5C1-{Unique Identifier}`."
"T1005::[Misdat] has collected files and data from a compromised host."
"T1027.002::[Misdat] was typically packed using UPX."
"T1036.005::[Misdat] saves itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary."
"T1041::[Misdat] has uploaded files and data to its C2 servers."
"T1059.003::[Misdat] is capable of providing shell functionality to the attacker to execute commands."
"T1070.004::[Misdat] is capable of deleting the backdoor file."
"T1070.006::Many [Misdat] samples were programmed using Borland Delphi, which will mangle the default PE compile timestamp of a file."
"T1070.009::[Misdat] is capable of deleting Registry keys used for persistence."
"T1082::The initial beacon packet for [Misdat] contains the operating system version of the victim."
"T1083::[Misdat] is capable of running commands to obtain a list of files and directories, as well as enumerating logical drives."
"T1095::[Misdat] network traffic communicates over a raw socket."
"T1105::[Misdat] is capable of downloading files from the C2."
"T1106::[Misdat] has used Windows APIs, including `ExitWindowsEx` and `GetKeyboardType`."
"T1132.001::[Misdat] network traffic is Base64-encoded plaintext."
"T1547::[Misdat] has created registry keys for persistence, including `HKCU\\Software\\dnimtsoleht\\StubPath`, `HKCU\\Software\\snimtsOleht\\StubPath`, `HKCU\\Software\\Backtsaleht\\StubPath`, `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed. Components\\{3bf41072-b2b1-21c8-b5c1-bd56d32fbda7}`, and `HKLM\\SOFTWARE\\Microsoft\\Active Setup\\Installed Components\\{3ef41072-a2f1-21c8-c5c1-70c2c3bc7905}`."
"T1614.001::[Misdat] has attempted to detect if a compromised host had a Japanese keyboard via the Windows API call `GetKeyboardType`."
"T1003.002::[Mivast] has the capability to gather NTLM password information."
"T1059.003::[Mivast] has the capability to open a remote shell and run basic commands."
"T1105::[Mivast] has the capability to download and execute .exe files."
"T1547.001::[Mivast] creates the following Registry entry: HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\Micromedia."
"T1005::[MobileOrder] exfiltrates data collected from the victim mobile device."
"T1041::[MobileOrder] exfiltrates data to its C2 server over the same protocol as C2 communications."
"T1057::[MobileOrder] has a command to upload information about all running processes to its C2 server."
"T1082::[MobileOrder] has a command to upload to its C2 server victim mobile device information, including IMEI, IMSI, SIM card serial number, phone number, Android version, and other information."
"T1083::[MobileOrder] has a command to upload to its C2 server information about files on the victim mobile device, including SD card size, installed app list, SMS content, contacts, and calling history."
"T1105::[MobileOrder] has a command to download a file from the C2 server to the victim mobile device's SD card."
"T1217::[MobileOrder] has a command to upload to its C2 server victim browser bookmarks."
"T1047::[MoleNet] can perform WMI commands on the system."
"T1059.001::[MoleNet] can use PowerShell to set persistence."
"T1059.003::[MoleNet] can execute commands via the command line utility."
"T1082::[MoleNet] can collect information about the about the system."
"T1105::[MoleNet] can download additional payloads from the C2."
"T1518.001::[MoleNet] can use WMI commands to check the system for firewall and antivirus software."
"T1547.001::[MoleNet] can achieve persitence on the infected machine by setting the Registry run key."
"T1005::[Mongall] has the ability to upload files from victim's machines."
"T1027.002::[Mongall] has been packed with Themida."
"T1041::[Mongall] can upload files and information from a compromised host to its C2 server."
"T1055.001::[Mongall] can inject a DLL into `rundll32.exe` for execution."
"T1071.001::[Mongall] can use HTTP for C2 communication."
"T1082::[Mongall] can identify drives on compromised hosts and retrieve the hostname via `gethostbyname`."
"T1105::[Mongall] can download files to targeted systems."
"T1120::[Mongall] can identify removable media attached to compromised hosts."
"T1132.001::[Mongall] can use Base64 to encode information sent to its C2."
"T1140::[Mongall] has the ability to decrypt its payload prior to execution."
"T1204.002::[Mongall] has relied on a user opening a malicious document for execution."
"T1218.011::[Mongall] can use `rundll32.exe` for execution."
"T1547.001::[Mongall] can establish persistence with the auto start function including using the value `EverNoteTrayUService`."
"T1573.001::[Mongall] has the ability to RC4 encrypt C2 communications."
"T1016::[MoonWind] obtains the victim IP address."
"T1033::[MoonWind] obtains the victim username."
"T1056.001::[MoonWind] has a keylogger."
"T1057::[MoonWind] has a command to return a list of running processes."
"T1059.003::[MoonWind] can execute commands via an interactive command shell."
"T1070.004::[MoonWind] can delete itself or specified files."
"T1074.001::[MoonWind] saves information from its keylogging routine as a .zip file in the present working directory."
"T1082::[MoonWind] can obtain the victim hostname, Windows version, RAM amount, number of drives, and screen resolution."
"T1083::[MoonWind] has a command to return a directory listing for a specified directory."
"T1095::[MoonWind] completes network communication via raw sockets."
"T1120::[MoonWind] obtains the number of removable drives from the victim."
"T1124::[MoonWind] obtains the victim's current time."
"T1543.003::[MoonWind] installs itself as a new service with automatic startup to establish persistence. The service checks every 60 seconds to determine if the malware is running; if not, it will spawn a new instance."
"T1571::[MoonWind] communicates over ports 80, 443, 53, and 8080 via raw sockets instead of the protocols usually associated with the ports."
"T1573.001::[MoonWind] encrypts C2 traffic using RC4 with a static key."
"T1001.001::[Mori] has obfuscated the FML.dll with 200MB of junk data."
"T1012::[Mori] can read data from the Registry including from `HKLM\\Software\\NFC\\IPA` and\n`HKLM\\Software\\NFC\\`."
"T1070.004::[Mori] can delete its DLL file and related files by Registry value."
"T1071.001::[Mori] can communicate using HTTP over IPv4 or IPv6 depending on a flag set."
"T1071.004::[Mori] can use DNS tunneling to communicate with C2."
"T1112::[Mori] can write data to `HKLM\\Software\\NFC\\IPA` and `HKLM\\Software\\NFC\\` and delete Registry values."
"T1132.001::[Mori] can use Base64 encoded JSON libraries used in C2."
"T1140::[Mori] can resolve networking APIs from strings that are ADD-encrypted."
"T1218.010::[Mori] can use `regsvr32.exe` for DLL execution."
"T1016::[Mosquito] uses the ipconfig command."
"T1027::[Mosquito]’s installer is obfuscated with a custom crypter to obfuscate the installer."
"T1033::[Mosquito] runs whoami on the victim’s machine."
"T1047::[Mosquito]'s installer uses WMI to search for antivirus display names."
"T1057::[Mosquito] runs tasklist to obtain running processes."
"T1059.001::[Mosquito] can launch PowerShell Scripts."
"T1059.003::[Mosquito] executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server."
"T1070.004::[Mosquito] deletes files using DeleteFileW API call."
"T1105::[Mosquito] can upload and download files to the victim."
"T1106::[Mosquito] leverages the CreateProcess() and LoadLibrary() calls to execute files with the .dll and .exe extensions."
"T1112::[Mosquito] stores configuration values under the Registry key HKCU\\Software\\Microsoft\\[dllname] and modifies Registry keys under HKCR\\CLSID\\...\\InprocServer32with a path to the launcher."
"T1218.011::[Mosquito]'s launcher uses rundll32.exe in a Registry Key value to start the main backdoor capability."
"T1518.001::[Mosquito]'s installer searches the Registry and system to see if specific antivirus tools are installed on the system."
"T1546.015::[Mosquito] uses COM hijacking as a method of persistence."
"T1547.001::[Mosquito] establishes persistence under the Registry key HKCU\\Software\\Run auto_update."
"T1573.001::[Mosquito] uses a custom encryption algorithm, which consists of XOR and a stream that is similar to the Blum Blum Shub algorithm."
"T1018::[MURKYTOP] has the capability to identify remote hosts on connected networks."
"T1046::[MURKYTOP] has the capability to scan for open ports on hosts in a connected network."
"T1053.002::[MURKYTOP] has the capability to schedule remote AT jobs."
"T1059.003::[MURKYTOP] uses the command-line interface."
"T1069::[MURKYTOP] has the capability to retrieve information about groups."
"T1070.004::[MURKYTOP] has the capability to delete local files."
"T1082::[MURKYTOP] has the capability to retrieve information about the OS."
"T1087.001::[MURKYTOP] has the capability to retrieve information about users on remote hosts."
"T1135::[MURKYTOP] has the capability to retrieve information about shares on remote hosts."
"T1016::[Naid] collects the domain name from a compromised host."
"T1082::[Naid] collects a unique identifier (UID) from a compromised host."
"T1112::[Naid] creates Registry entries that store information about a created service and point to a malicious DLL dropped to disk."
"T1543.003::[Naid] creates a new service to establish."
"T1016::[NanHaiShu] can gather information about the victim proxy server."
"T1027::[NanHaiShu] encodes files in Base64."
"T1033::[NanHaiShu] collects the username from the victim."
"T1059.005::[NanHaiShu] executes additional VBScript code on the victim's machine."
"T1059.007::[NanHaiShu] executes additional Jscript code on the victim's machine."
"T1070.004::[NanHaiShu] launches a script to delete their original decoy file to cover tracks."
"T1071.004::[NanHaiShu] uses DNS for the C2 communications."
"T1082::[NanHaiShu] can gather the victim computer name and serial number."
"T1105::[NanHaiShu] can download additional files from URLs."
"T1218.005::[NanHaiShu] uses mshta.exe to load its program and files."
"T1547.001::[NanHaiShu] modifies the %regrun% Registry to point itself to an autostart mechanism."
"T1562.001::[NanHaiShu] can change Internet Explorer settings to reduce warnings about malware activity."
"T1016::[NanoCore] gathers the IP address from the victim’s machine."
"T1027::[NanoCore]’s plugins were obfuscated with Eazfuscater.NET 3.3."
"T1056.001::[NanoCore] can perform keylogging on the victim’s machine."
"T1059.003::[NanoCore] can open a remote command-line interface and execute commands."
"T1059.005::[NanoCore] uses VBS files."
"T1105::[NanoCore] has the capability to download and activate additional modules for execution."
"T1112::[NanoCore] has the capability to edit the Registry."
"T1123::[NanoCore] can capture audio feeds from the system."
"T1125::[NanoCore] can access the victim's webcam and capture data."
"T1547.001::[NanoCore] creates a RunOnce key in the Registry to execute its VBS scripts each time the user logs on to the machine."
"T1562.001::[NanoCore] can modify the victim's anti-virus."
"T1562.004::[NanoCore] can modify the victim's firewall."
"T1573.001::[NanoCore] uses DES to encrypt the C2 traffic."
"T1036::[NativeZone] has, upon execution, displayed a message box that appears to be related to a Ukrainian electronic document management system."
"T1140::[NativeZone] can decrypt and decode embedded  [Cobalt Strike] beacon stage shellcode."
"T1204.002::[NativeZone] can display an RTF document to the user  to enable execution of  [Cobalt Strike] stage shellcode."
"T1218.011::[NativeZone] has used rundll32 to execute a malicious DLL."
"T1480::[NativeZone] can check for the presence of KM.EkeyAlmaz1C.dll and will halt execution unless it is in the same directory as the rest of the malware's components."
"T1497.001::[NativeZone] has checked if Vmware or VirtualBox VM is running on a compromised host."
"T1055::[NavRAT] copies itself into a running Internet Explorer process to evade detection."
"T1056.001::[NavRAT] logs the keystrokes on the targeted system."
"T1057::[NavRAT] uses tasklist /v to check running processes."
"T1059.003::[NavRAT] leverages cmd.exe to perform discovery techniques."
"T1071.003::[NavRAT] uses the email platform, Naver, for C2 communications, leveraging SMTP."
"T1074.001::[NavRAT] writes multiple outputs to a TMP file using the >> method."
"T1082::[NavRAT] uses systeminfo on a victim’s machine."
"T1105::[NavRAT] can download files remotely."
"T1547.001::[NavRAT] creates a Registry key to ensure a file gets executed upon reboot in order to establish persistence."
"T1033::[NDiskMonitor] obtains the victim username and encrypts the information to send over its C2 channel."
"T1082::[NDiskMonitor] obtains the victim computer name and encrypts the information to send over its C2 channel."
"T1083::[NDiskMonitor] can obtain a list of all files and directories as well as logical drives."
"T1105::[NDiskMonitor] can download and execute a file from given URL."
"T1573.001::[NDiskMonitor] uses AES to encrypt certain information sent over its C2 channel."
"T1005::[Nebulae] has the capability to upload collected files to C2."
"T1036.004::[Nebulae] has created a service named \"Windows Update Agent1\" to appear legitimate."
"T1036.005::[Nebulae] uses functions named StartUserModeBrowserInjection and StopUserModeBrowserInjection indicating that it's trying to imitate chrome_frame_helper.dll."
"T1057::[Nebulae] can enumerate processes on a target system."
"T1059.003::[Nebulae] can use CMD to execute a process."
"T1070.004::[Nebulae] has the ability to delete files and directories."
"T1082::[Nebulae] can discover logical drive information including the drive type, free space, and volume information."
"T1083::[Nebulae] can list files and directories on a compromised host."
"T1095::[Nebulae] can use TCP in C2 communications."
"T1105::[Nebulae] can download files from C2."
"T1106::[Nebulae] has the ability to use CreateProcess to execute a process."
"T1543.003::[Nebulae] can create a service to establish persistence."
"T1547.001::[Nebulae] can achieve persistence through a Registry Run key."
"T1573.001::[Nebulae] can use RC4 and XOR to encrypt C2 communications."
"T1574.002::[Nebulae] can use DLL side-loading to gain execution."
"T1005::[Neoichor] can upload files from a victim's machine."
"T1016.001::[Neoichor] can check for Internet connectivity by contacting bing[.]com with the request format `bing[.]com?id=<GetTickCount>`."
"T1016::[Neoichor] can gather the IP address from an infected host."
"T1033::[Neoichor] can collect the user name from a victim's machine."
"T1070::[Neoichor] can clear the browser history on a compromised host by changing the `ClearBrowsingHistoryOnExit` value to 1 in the `HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer\\Privacy` Registry key."
"T1071.001::[Neoichor] can use HTTP for C2 communications."
"T1082::[Neoichor] can collect the OS version and computer name from a compromised host."
"T1105::[Neoichor] can download additional files onto a compromised host."
"T1112::[Neoichor] has the ability to configure browser settings by modifying Registry entries under `HKEY_CURRENT_USER\\Software\\Microsoft\\Internet Explorer`."
"T1559.001::[Neoichor] can use the Internet Explorer (IE) COM interface to connect and receive commands from C2."
"T1614.001::[Neoichor] can identify the system language on a compromised host."
"T1105::[Nerex] creates a backdoor through which remote attackers can download files onto a compromised host."
"T1112::[Nerex] creates a Registry subkey that registers a new service."
"T1543.003::[Nerex] creates a Registry subkey that registers a new service."
"T1553.002::[Nerex] drops a signed Microsoft DLL to disk."
"T1003.001::[Net Crawler] uses credential dumpers such as [Mimikatz] and [Windows Credential Editor] to extract cached credentials from Windows systems."
"T1021.002::[Net Crawler] uses Windows admin shares to establish authenticated sessions to remote systems over SMB as part of lateral movement."
"T1110.002::[Net Crawler] uses a list of known credentials gathered through credential dumping to guess passwords to accounts as it spreads throughout a network."
"T1569.002::[Net Crawler] uses [PsExec] to perform remote service manipulation to execute a copy of itself as part of lateral movement."
"T1008::[NETEAGLE] will attempt to detect if the infected host is configured to a proxy. If so, [NETEAGLE] will send beacons via an HTTP POST request; otherwise it will send beacons via UDP/6000."
"T1041::[NETEAGLE] is capable of reading files over the C2 channel."
"T1057::[NETEAGLE] can send process listings over the C2 channel."
"T1059.003::[NETEAGLE] allows adversaries to execute shell commands on the infected host."
"T1071.001::[NETEAGLE] will attempt to detect if the infected host is configured to a proxy. If so, [NETEAGLE] will send beacons via an HTTP POST request. [NETEAGLE] will also use HTTP to download resources that contain an IP address and Port Number pair to connect to for further C2."
"T1071::Adversaries can also use [NETEAGLE] to establish an RDP connection with a controller over TCP/7519."
"T1083::[NETEAGLE] allows adversaries to enumerate and modify the infected host's file system. It supports searching for directories, creating directories, listing directory contents, reading and writing to files, retrieving file attributes, and retrieving volume information."
"T1095::If [NETEAGLE] does not detect a proxy configured on the infected machine, it will send beacons via UDP/6000. Also, after retrieving a C2 IP address and Port Number, [NETEAGLE] will initiate a TCP connection to this socket. The ensuing connection is a plaintext C2 channel in which commands are specified by DWORDs."
"T1547.001::The \"SCOUT\" variant of [NETEAGLE] achieves persistence by adding itself to the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run Registry key."
"T1568::[NETEAGLE] can use HTTP to download resources that contain an IP address and port number pair to connect to for C2."
"T1573.001::[NETEAGLE] will decrypt resources it downloads with HTTP requests by using RC4 with the key \"ScoutEagle.\""
"T1010::[NetTraveler] reports window names along with keylogger information to provide application context."
"T1056.001::[NetTraveler] contains a keylogger."
"T1027::[Netwalker]'s PowerShell script has been obfuscated with multiple layers including base64 and hexadecimal encoding and XOR-encryption, as well as obfuscated PowerShell functions and variables. [Netwalker]'s DLL has also been embedded within the PowerShell script in hex format."
"T1047::[Netwalker] can use WMI to delete Shadow Volumes."
"T1055.001::The [Netwalker] DLL has been injected reflectively into the memory of a legitimate running process."
"T1059.001::[Netwalker] has been written in PowerShell and executed directly in memory, avoiding detection."
"T1059.003::Operators deploying [Netwalker] have used batch scripts to retrieve the [Netwalker] payload."
"T1082::[Netwalker] can determine the system architecture it is running on to choose which version of the DLL to use."
"T1105::Operators deploying [Netwalker] have used psexec and certutil to retrieve the [Netwalker] payload."
"T1106::[Netwalker] can use Windows API functions to inject the ransomware DLL."
"T1112::[Netwalker] can add the following registry entry: HKEY_CURRENT_USER\\SOFTWARE\\{8 random characters}."
"T1140::[Netwalker]'s PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the [Netwalker] DLL being loaded into memory."
"T1486::[Netwalker] can encrypt files on infected machines to extort victims."
"T1489::[Netwalker] can terminate system processes and services, some of which relate to backup software."
"T1490::[Netwalker] can delete the infected system's Shadow Volumes to prevent recovery."
"T1518.001::[Netwalker] can detect and terminate active security software-related processes on infected systems."
"T1562.001::[Netwalker] can detect and terminate active security software-related processes on infected systems."
"T1569.002::Operators deploying [Netwalker] have used psexec and certutil to retrieve the [Netwalker] payload."
"T1570::Operators deploying [Netwalker] have used psexec to copy the [Netwalker] payload across accessible systems."
"T1010::[NETWIRE] can discover and close windows on controlled systems."
"T1016::[NETWIRE] can collect the IP address of a compromised host."
"T1027.002::[NETWIRE] has used .NET packer tools to evade detection."
"T1027::[NETWIRE] has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names."
"T1036.001::The [NETWIRE] client has been signed by fake and invalid digital certificates."
"T1036.005::[NETWIRE] has masqueraded as legitimate software including TeamViewer and macOS Finder."
"T1049::[NETWIRE] can capture session logon details from a compromised host."
"T1053.003::[NETWIRE] can use crontabs to establish persistence."
"T1053.005::[NETWIRE] can create a scheduled task to establish persistence."
"T1055.012::The [NETWIRE] payload has been injected into benign Microsoft executables via process hollowing."
"T1055::[NETWIRE] can inject code into system processes including notepad.exe, svchost.exe, and vbc.exe."
"T1056.001::[NETWIRE] can perform keylogging."
"T1057::[NETWIRE] can discover processes on compromised hosts."
"T1059.001::The [NETWIRE] binary has been executed via PowerShell script."
"T1059.003::[NETWIRE] can issue commands using cmd.exe."
"T1059.004::[NETWIRE] has the ability to use /bin/bash and /bin/sh to execute commands."
"T1059.005::[NETWIRE] has been executed through use of VBScripts."
"T1071.001::[NETWIRE] has the ability to communicate over HTTP."
"T1074.001::[NETWIRE] has the ability to write collected data to a file created in the ./LOGS directory."
"T1082::[NETWIRE] can discover and collect victim system information."
"T1083::[NETWIRE] has the ability to search for files on the compromised host."
"T1090::[NETWIRE] can implement use of proxies to pivot traffic."
"T1095::[NETWIRE] can use TCP in C2 communications."
"T1102::[NETWIRE] has used web services including Paste.ee to host payloads."
"T1105::[NETWIRE] can downloaded payloads from C2 to the compromised host."
"T1106::[NETWIRE] can use Native API including CreateProcess GetProcessById, and WriteProcessMemory."
"T1112::[NETWIRE] stores its configuration file within the Registry."
"T1113::[NETWIRE] can capture the victim's screen."
"T1119::[NETWIRE] can automatically archive collected data."
"T1204.001::[NETWIRE] has been executed through convincing victims into clicking malicious links."
"T1204.002::[NETWIRE] has been executed through luring victims into opening malicious documents."
"T1543.001::[NETWIRE] can use launch agents for persistence."
"T1547.001::[NETWIRE] creates a Registry start-up entry to establish persistence."
"T1547.013::[NETWIRE] can use XDG Autostart Entries to establish persistence."
"T1547.015::[NETWIRE] can persist via startup options for Login items."
"T1555.003::[NETWIRE] has the ability to steal credentials from web browsers including Internet Explorer, Opera, Yandex, and Chrome."
"T1555::[NETWIRE] can retrieve passwords from messaging and mail client applications."
"T1560.003::[NETWIRE] has used a custom encryption algorithm to encrypt collected data."
"T1560::[NETWIRE] has the ability to compress archived screenshots."
"T1564.001::[NETWIRE] can copy itself to and launch itself from hidden folders."
"T1566.001::[NETWIRE] has been spread via e-mail campaigns utilizing malicious attachments."
"T1566.002::[NETWIRE] has been spread via e-mail campaigns utilizing malicious links."
"T1573.001::[NETWIRE] can use AES encryption for C2 data transferred."
"T1573::[NETWIRE] can encrypt C2 communications."
"T1090::[Ngrok] can be used to proxy connections to machines located behind NAT or firewalls."
"T1102::[Ngrok] has been used by threat actors to proxy C2 connections to ngrok service subdomains."
"T1567::[Ngrok] has been used by threat actors to configure servers for data exfiltration."
"T1568.002::[Ngrok] can provide DGA for C2 servers through the use of random URL strings that change every 12 hours."
"T1572::[Ngrok] can tunnel RDP and other services securely over internet connections."
"T1036.004::[Nidiran] can create a new service named msamger (Microsoft Security Accounts Manager), which mimics the legitimate Microsoft database by the same name."
"T1105::[Nidiran] can download and execute files."
"T1543.003::[Nidiran] can create a new service named msamger (Microsoft Security Accounts Manager)."
"T1005::[njRAT] can collect data from a local system."
"T1010::[njRAT] gathers information about opened windows during the initial infection."
"T1012::[njRAT] can read specific registry values."
"T1018::[njRAT] can identify remote hosts on connected networks."
"T1021.001::[njRAT] has a module for performing remote desktop access."
"T1027.004::[njRAT] has used AutoIt to compile the payload and main script into a single executable after delivery."
"T1027::[njRAT] has included a base64 encoded executable."
"T1033::[njRAT] enumerates the current user during the initial infection."
"T1041::[njRAT] has used HTTP to receive stolen information from the infected machine."
"T1056.001::[njRAT] is capable of logging keystrokes."
"T1057::[njRAT] can search a list of running processes for Tr.exe."
"T1059.001::[njRAT] has executed PowerShell commands via auto-run registry key persistence."
"T1059.003::[njRAT] can launch a command shell interface for executing commands."
"T1070.004::[njRAT] is capable of deleting files."
"T1070.009::[njRAT] is capable of manipulating and deleting registry keys, including those used for persistence."
"T1071.001::[njRAT] has used HTTP for C2 communications."
"T1082::[njRAT] enumerates the victim operating system and computer name during the initial infection."
"T1083::[njRAT] can browse file systems using a file manager module."
"T1091::[njRAT] can be configured to spread via removable drives."
"T1105::[njRAT] can download files to the victim’s machine."
"T1106::[njRAT] has used the ShellExecute() function within a script."
"T1112::[njRAT] can create, delete, or modify a specified Registry key or value."
"T1113::[njRAT] can capture screenshots of the victim’s machines."
"T1120::[njRAT] will attempt to detect if the victim system has a camera during the initial infection. [njRAT] can also detect any removable drives connected to the system."
"T1125::[njRAT] can access the victim's webcam."
"T1132.001::[njRAT] uses Base64 encoding for C2 traffic."
"T1547.001::[njRAT] has added persistence via the Registry key HKCU\\Software\\Microsoft\\CurrentVersion\\Run\\ and dropped a shortcut in %STARTUP%."
"T1555.003::[njRAT] has a module that steals passwords saved in victim web browsers."
"T1562.004::[njRAT] has modified the Windows firewall to allow itself to communicate through the firewall."
"T1568.001::[njRAT] has used a fast flux DNS for C2 IP resolution."
"T1571::[njRAT] has used port 1177 for HTTP C2 communications."
"T1016::[NOKKI] can gather information on the victim IP address."
"T1027::[NOKKI] uses Base64 encoding for strings."
"T1033::[NOKKI] can collect the username from the victim’s machine."
"T1036.005::[NOKKI] is written to %LOCALAPPDATA%\\MicroSoft Updatea\\svServiceUpdate.exe prior being executed in a new process in an apparent attempt to masquerade as a legitimate folder and file."
"T1056.004::[NOKKI] uses the Windows call SetWindowsHookEx and begins injecting it into every GUI process running on the victim's machine."
"T1070.004::[NOKKI] can delete files to cover tracks."
"T1071.001::[NOKKI] has used HTTP for C2 communications."
"T1071.002::[NOKKI] has used FTP for C2 communications."
"T1074.001::[NOKKI] can collect data from the victim and stage it in LOCALAPPDATA%\\MicroSoft Updatea\\uplog.tmp."
"T1082::[NOKKI] can gather information on drives and the operating system on the victim’s machine."
"T1105::[NOKKI] has downloaded a remote module for execution."
"T1124::[NOKKI] can collect the current timestamp of the victim's machine."
"T1140::[NOKKI] uses a unique, custom de-obfuscation technique."
"T1218.011::[NOKKI] has used rundll32 for execution."
"T1547.001::[NOKKI] has established persistence by writing the payload to the Registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run."
"T1003.001::[NotPetya] contains a modified version of [Mimikatz] to help gather credentials that are later used for lateral movement."
"T1021.002::[NotPetya] can use [PsExec], which interacts with the ADMIN$ network share to execute commands on remote systems."
"T1036::[NotPetya] drops [PsExec] with the filename dllhost.dat."
"T1047::[NotPetya] can use wmic to help propagate itself across a network."
"T1053.005::[NotPetya] creates a task to reboot the system one hour after infection."
"T1070.001::[NotPetya] uses wevtutil to clear the Windows event logs."
"T1078.003::[NotPetya] can use valid credentials with [PsExec] or wmic to spread itself to remote systems."
"T1083::[NotPetya] searches for files ending with dozens of different file extensions prior to encryption."
"T1210::[NotPetya] can use two exploits in SMBv1, EternalBlue and EternalRomance, to spread itself to other remote systems on the network."
"T1218.011::[NotPetya] uses rundll32.exe to install itself on remote systems when accessed via [PsExec] or wmic."
"T1486::[NotPetya] encrypts user files and disk structures like the MBR with 2048-bit RSA."
"T1518.001::[NotPetya] determines if specific antivirus programs are running on an infected host machine."
"T1529::[NotPetya] will reboot the system one hour after infection."
"T1569.002::[NotPetya] can use [PsExec] to help propagate itself across a network."
"T1025::[ObliqueRAT] has the ability to extract data from removable devices connected to the endpoint."
"T1027.003::[ObliqueRAT] can hide its payload in BMP images hosted on compromised websites."
"T1030::[ObliqueRAT] can break large files of interest into smaller chunks to prepare them for exfiltration."
"T1033::[ObliqueRAT] can check for blocklisted usernames on infected endpoints."
"T1057::[ObliqueRAT] can check for blocklisted process names on a compromised host."
"T1074.001::[ObliqueRAT] can copy specific files, webcam captures, and screenshots to local directories."
"T1082::[ObliqueRAT] has the ability to check for blocklisted computer names on infected endpoints."
"T1083::[ObliqueRAT] has the ability to recursively enumerate files on an infected endpoint."
"T1113::[ObliqueRAT] can capture a screenshot of the current screen."
"T1120::[ObliqueRAT] can discover pluggable/removable drives to extract files from."
"T1125::[ObliqueRAT] can capture images from webcams on compromised hosts."
"T1204.001::[ObliqueRAT] has gained execution on targeted systems through luring users to click on links to malicious URLs."
"T1497.001::[ObliqueRAT] can halt execution if it identifies processes belonging to virtual machine software or analysis tools."
"T1547.001::[ObliqueRAT] can gain persistence by a creating a shortcut in the infected user's Startup directory."
"T1016::[OceanSalt] can collect the victim’s IP address."
"T1057::[OceanSalt] can collect the name and ID for every process running on the system."
"T1059.003::[OceanSalt] can create a reverse shell on the infected endpoint using cmd.exe."
"T1070.004::[OceanSalt] can delete files from the system."
"T1082::[OceanSalt] can collect the computer name from the system."
"T1083::[OceanSalt] can extract drive information from the endpoint and search files on the system."
"T1132.002::[OceanSalt] can encode data with a NOT operation before sending the data to the control server."
"T1566.001::[OceanSalt] has been delivered via spearphishing emails with Microsoft Office attachments."
"T1005::[Octopus] can exfiltrate files from the system using a documents collector tool."
"T1016::[Octopus] can collect the host IP address from the victim’s machine."
"T1033::[Octopus] can collect the username from the victim’s machine."
"T1036.005::[Octopus] has been disguised as legitimate programs, such as Java and Telegram Messenger."
"T1041::[Octopus] has uploaded stolen files and data from a victim's machine over its C2 channel."
"T1047::[Octopus] has used wmic.exe for local discovery information."
"T1071.001::[Octopus] has used HTTP GET and POST requests for C2 communications."
"T1074.001::[Octopus] has stored collected information in the Application Data directory on a compromised host."
"T1082::[Octopus] can collect system drive information, the computer name, the size of the disk, OS version, and OS architecture information."
"T1083::[Octopus] can collect information on the Windows directory and searches for compressed RAR files on the host."
"T1105::[Octopus] can download additional files and tools onto the victim’s machine."
"T1113::[Octopus] can capture screenshots of the victims’ machine."
"T1132.001::[Octopus] has encoded C2 communications in Base64."
"T1204.002::[Octopus] has relied upon users clicking on a malicious attachment delivered through spearphishing."
"T1547.001::[Octopus] achieved persistence by placing a malicious executable in the startup directory and has added the HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run key to the Registry."
"T1560.001::[Octopus] has compressed data before exfiltrating it using a tool called Abbrevia."
"T1566.001::[Octopus] has been delivered via spearsphishing emails."
"T1567.002::[Octopus] has exfiltrated data to file sharing sites."
"T1001.003::[Okrum] mimics HTTP protocol for C2 communication, while hiding the actual messages in the Cookie and Set-Cookie headers of the HTTP requests."
"T1003.001::[Okrum] was seen using MimikatzLite to perform credential dumping."
"T1003.005::[Okrum] was seen using modified Quarks PwDump to perform credential dumping."
"T1016::[Okrum] can collect network information, including the host IP address, DNS, and proxy information."
"T1027.003::[Okrum]'s payload is encrypted and embedded within its loader, or within a legitimate PNG file."
"T1033::[Okrum] can collect the victim username."
"T1036.004::[Okrum] can establish persistence by adding a new service NtmsSvc with the display name Removable Storage to masquerade as a legitimate Removable Storage Manager."
"T1041::Data exfiltration is done by [Okrum] using the already opened channel with the C2 server."
"T1049::[Okrum] was seen using NetSess to discover NetBIOS sessions."
"T1053.005::[Okrum]'s installer can attempt to achieve persistence by creating a scheduled task."
"T1056.001::[Okrum] was seen using a keylogger tool to capture keystrokes."
"T1059.003::[Okrum]'s backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version."
"T1070.004::[Okrum]'s backdoor deletes files after they have been successfully uploaded to C2 servers."
"T1071.001::[Okrum] uses HTTP for communication with its C2."
"T1082::[Okrum] can collect computer name, locale information, and information about the OS and architecture."
"T1083::[Okrum] has used DriveLetterView to enumerate drive information."
"T1090.002::[Okrum] can identify proxy servers configured and used by the victim, and use it to make HTTP requests to C2 its server."
"T1105::[Okrum] has built-in commands for uploading, downloading, and executing files to the system."
"T1124::[Okrum] can obtain the date and time of the compromised system."
"T1132.001::[Okrum] has used base64 to encode C2 communication."
"T1134.001::[Okrum] can impersonate a logged-on user's security context using a call to the ImpersonateLoggedOnUser API."
"T1140::[Okrum]'s loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption."
"T1497.001::[Okrum]'s loader can check the amount of physical memory and terminates itself if the host has less than 1.5 Gigabytes of physical memory in total."
"T1497.002::[Okrum] loader only executes the payload after the left mouse button has been pressed at least three times, in order to avoid being executed within virtualized or emulated environments."
"T1497.003::[Okrum]'s loader can detect presence of an emulator by using two calls to GetTickCount API, and checking whether the time has been accelerated."
"T1543.003::To establish persistence, [Okrum] can install itself as a new service named NtmSsvc."
"T1547.001::[Okrum] establishes persistence by creating a .lnk shortcut to itself in the Startup folder."
"T1547.009::[Okrum] can establish persistence by creating a .lnk shortcut to itself in the Startup folder."
"T1560.001::[Okrum] was seen using a RAR archiver tool to compress/decompress data."
"T1560.003::[Okrum] has used a custom implementation of AES encryption to encrypt collected data."
"T1564.001::Before exfiltration, [Okrum]'s backdoor has used hidden files to store logs and outputs from backdoor commands."
"T1569.002::[Okrum]'s loader can create a new service named NtmsSvc to execute the payload."
"T1573.001::[Okrum] uses AES to encrypt network traffic. The key can be hardcoded or negotiated with the C2 server in the registration phase."
"T1027::[OLDBAIT] obfuscates internal strings and unpacks them at startup."
"T1036.005::[OLDBAIT] installs itself in %ALLUSERPROFILE%\\\\Application Data\\Microsoft\\MediaPlayer\\updatewindws.exe; the directory name is missing a space and the file name is missing the letter \"o.\""
"T1071.001::[OLDBAIT] can use HTTP for C2."
"T1071.003::[OLDBAIT] can use SMTP for C2."
"T1555.003::[OLDBAIT] collects credentials from Internet Explorer, Mozilla Firefox, and Eudora."
"T1555::[OLDBAIT] collects credentials from several email clients."
"T1003.001::[Olympic Destroyer] contains a module that tries to obtain credentials from LSASS, similar to [Mimikatz]. These credentials are used with [PsExec] and [Windows Management Instrumentation] to help the malware propagate itself across a network."
"T1016::[Olympic Destroyer] uses API calls to enumerate the infected system's ARP table."
"T1018::[Olympic Destroyer] uses [Windows Management Instrumentation] to enumerate all systems in the network."
"T1021.002::[Olympic Destroyer] uses [PsExec] to interact with the ADMIN$ network share to execute commands on remote systems."
"T1047::[Olympic Destroyer] uses WMI to help propagate itself across a network."
"T1070.001::[Olympic Destroyer] will attempt to clear the System and Security event logs using wevtutil."
"T1135::[Olympic Destroyer] will attempt to enumerate mapped network shares to later attempt to wipe all files on those shares."
"T1485::[Olympic Destroyer] overwrites files locally and on remote shares."
"T1489::[Olympic Destroyer] uses the API call ChangeServiceConfigW to disable all services on the affected system."
"T1490::[Olympic Destroyer] uses the native Windows utilities vssadmin, wbadmin, and bcdedit to delete and disable operating system recovery features such as the Windows backup catalog and Windows Automatic Repair."
"T1529::[Olympic Destroyer] will shut down the compromised system after it is done modifying system configuration settings."
"T1555.003::[Olympic Destroyer] contains a module that tries to obtain stored credentials from web browsers."
"T1569.002::[Olympic Destroyer] utilizes [PsExec] to help propagate itself across a network."
"T1570::[Olympic Destroyer] attempts to copy itself to remote machines on the network."
"T1003::[OnionDuke] steals credentials from its victims."
"T1071.001::[OnionDuke] uses HTTP and HTTPS for C2."
"T1102.003::[OnionDuke] uses Twitter as a backup C2."
"T1140::[OnionDuke] can use a custom decryption algorithm to decrypt strings."
"T1499::[OnionDuke] has the capability to use a Denial of Service module."
"T1027.002::[OopsIE] uses the SmartAssembly obfuscator to pack an embedded .Net Framework assembly used for C2."
"T1027::[OopsIE] uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. [OopsIE] also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings."
"T1030::[OopsIE] exfiltrates command output and collected files to its C2 server in 1500-byte blocks."
"T1041::[OopsIE] can upload files from the victim's machine to its C2 server."
"T1047::[OopsIE] uses WMI to perform discovery techniques."
"T1053.005::[OopsIE] creates a scheduled task to run itself every three minutes."
"T1059.003::[OopsIE] uses the command prompt to execute commands on the victim's machine."
"T1059.005::[OopsIE] creates and uses a VBScript as part of its persistent execution."
"T1070.004::[OopsIE] has the capability to delete files and scripts from the victim's machine."
"T1071.001::[OopsIE] uses HTTP for C2 communications."
"T1074.001::[OopsIE] stages the output from command execution and collected files in specific folders before exfiltration."
"T1082::[OopsIE] checks for information on the CPU fan, temperature, mouse, hard disk, and motherboard as part of its anti-VM checks."
"T1105::[OopsIE] can download files from its C2 server to the victim's machine."
"T1124::[OopsIE] checks to see if the system is configured with \"Daylight\" time and checks for a specific region to be set for the timezone."
"T1132.001::[OopsIE] encodes data in hexadecimal format over the C2 channel."
"T1140::[OopsIE] concatenates then decompresses multiple resources to load an embedded .Net Framework assembly."
"T1497.001::[OopsIE] performs several anti-VM and sandbox checks on the victim's machine. One technique the group has used was to perform a WMI query SELECT * FROM MSAcpi_ThermalZoneTemperature to check the temperature to see if it’s running in a virtual environment."
"T1560.001::[OopsIE] compresses collected files with GZipStream before sending them to its C2 server."
"T1560.003::[OopsIE] compresses collected files with a simple character replacement scheme before sending them to its C2 server."
"T1016::[Orz] can gather victim proxy information."
"T1027::Some [Orz] strings are base64 encoded, such as the embedded DLL known as MockDll."
"T1055.012::Some [Orz] versions have an embedded DLL known as MockDll that uses process hollowing and [Regsvr32] to execute another payload."
"T1057::[Orz] can gather a process list from the victim."
"T1059.003::[Orz] can execute shell commands."
"T1070::[Orz] can overwrite Registry settings to reduce its visibility on the victim."
"T1082::[Orz] can gather the victim OS version and whether it is 64 or 32 bit."
"T1083::[Orz] can gather victim drive information."
"T1102.002::[Orz] has used Technet and Pastebin web pages for command and control."
"T1105::[Orz] can download files onto the victim."
"T1112::[Orz] can perform Registry operations."
"T1218.010::Some [Orz] versions have an embedded DLL known as MockDll that uses [Process Hollowing] and regsvr32 to execute another payload."
"T1518::[Orz] can gather the victim's Internet Explorer version."
"T1012::[OSInfo] queries the registry to look for information about Terminal Services."
"T1016::[OSInfo] discovers the current domain information."
"T1018::[OSInfo] performs a connection test to discover remote systems in the network"
"T1049::[OSInfo] enumerates the current network connections similar to  net use ."
"T1069.001::[OSInfo] has enumerated the local administrators group."
"T1069.002::[OSInfo] specifically looks for Domain Admins and power users within the domain."
"T1082::[OSInfo] discovers information about the infected machine."
"T1087.001::[OSInfo] enumerates local and domain users"
"T1087.002::[OSInfo] enumerates local and domain users"
"T1135::[OSInfo] discovers shares on the network"
"T1036.005::[OSX/Shlayer] can masquerade as a Flash Player update."
"T1059.004::[OSX/Shlayer] can use bash scripts to check the macOS version, download payloads, and extract bytes from files. [OSX/Shlayer] uses the command sh -c tail -c +1381... to extract bytes at an offset from a specified file. [OSX/Shlayer] uses the curl -fsL \"$url\" >$tmp_path command to download malicious payloads into a temporary directory."
"T1082::[OSX/Shlayer] has collected the IOPlatformUUID, session UID, and the OS version using the command sw_vers -productVersion."
"T1083::[OSX/Shlayer] has used the command appDir=\"$(dirname $(dirname \"$currentDir\"))\" and $(dirname \"$(pwd -P)\") to construct installation paths."
"T1105::[OSX/Shlayer] can download payloads, and extract bytes from files. [OSX/Shlayer] uses the curl -fsL \"$url\" >$tmp_path command to download malicious payloads into a temporary directory."
"T1140::[OSX/Shlayer] can base64-decode and AES-decrypt downloaded payloads."
"T1176::[OSX/Shlayer] can install malicious Safari browser extensions to serve ads."
"T1204.002::[OSX/Shlayer] has relied on users mounting and executing a malicious DMG file."
"T1222.002::[OSX/Shlayer] can use the chmod utility to set a file as executable, such as chmod 777 or chmod +x."
"T1548.004::[OSX/Shlayer] can escalate privileges to root by asking the user for credentials."
"T1553.001::If running with elevated privileges, [OSX/Shlayer] has used the spctl command to disable Gatekeeper protection for a downloaded file. [OSX/Shlayer] can also leverage system links pointing to bash scripts in the downloaded DMG file to bypass Gatekeeper, a flaw patched in macOS 11.3 and later versions. [OSX/Shlayer] has been Notarized by Apple, resulting in successful passing of additional Gatekeeper checks."
"T1564.001::[OSX/Shlayer] has executed a .command script from a hidden directory in a mounted DMG."
"T1564.009::[OSX/Shlayer] has used a resource fork to hide a compressed binary file of itself from the terminal, Finder, and potentially evade traditional scanners."
"T1564::[OSX/Shlayer] has used the mktemp utility to make random and unique filenames for payloads, such as export tmpDir=\"$(mktemp -d /tmp/XXXXXXXXXXXX)\" or mktemp -t Installer."
"T1005::[OutSteel] can collect information from a compromised host."
"T1020::[OutSteel] can automatically upload collected files to its C2 server."
"T1041::[OutSteel] can upload files from a compromised host over its C2 channel."
"T1057::[OutSteel] can identify running processes on a compromised host."
"T1059.003::[OutSteel] has used `cmd.exe` to scan a compromised host for specific file extensions."
"T1070.004::[OutSteel] can delete itself following the successful execution of a follow-on payload."
"T1071.001::[OutSteel] has used HTTP for C2 communications."
"T1083::[OutSteel] can search for specific file extensions, including zipped files."
"T1105::[OutSteel] can download files from its C2 server."
"T1119::[OutSteel] can automatically scan for and collect files with specific extensions."
"T1204.001::[OutSteel] has relied on a user to click a malicious link within a spearphishing email."
"T1204.002::[OutSteel] has relied on a user to execute a malicious attachment delivered via spearphishing."
"T1566.001::[OutSteel] has been distributed as a malicious attachment within a spearphishing email."
"T1566.002::[OutSteel] has been distributed through malicious links contained within spearphishing emails."
"T1036.005::[OwaAuth] uses the filename owaauth.dll, which is a legitimate file that normally resides in %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\Auth\\; the malicious file by the same name is saved in %ProgramFiles%\\Microsoft\\Exchange Server\\ClientAccess\\Owa\\bin\\."
"T1056.001::[OwaAuth] captures and DES-encrypts credentials before writing the username and password to a log file, C:\\log.txt."
"T1070.006::[OwaAuth] has a command to timestop a file or directory."
"T1071.001::[OwaAuth] uses incoming HTTP requests with a username keyword and commands and handles them as instructions to perform actions."
"T1083::[OwaAuth] has a command to list its directory and logical drives."
"T1505.003::[OwaAuth] is a Web shell that appears to be exclusively used by [Threat Group-3390]. It is installed as an ISAPI filter on Exchange servers and shares characteristics with the [China Chopper] Web shell."
"T1505.004::[OwaAuth] has been loaded onto Exchange servers and disguised as an ISAPI filter (owaauth.dll). The IIS w3wp.exe process then loads the malicious DLL."
"T1560.003::[OwaAuth] DES-encrypts captured credentials using the key 12345678 before writing the credentials to a log file."
"T1005::[P.A.S. Webshell] has the ability to copy files on a compromised host."
"T1027::[P.A.S. Webshell] can use encryption and base64 encoding to hide strings and to enforce access control once deployed."
"T1046::[P.A.S. Webshell] can scan networks for open ports and listening services."
"T1059::[P.A.S. Webshell] has the ability to create reverse shells with Perl scripts."
"T1070.004::[P.A.S. Webshell] can delete scripts from a subdirectory of /tmp after they are run."
"T1071.001::[P.A.S. Webshell] can issue commands via HTTP POST."
"T1083::[P.A.S. Webshell] has the ability to list files and file characteristics including extension, size, ownership, and permissions."
"T1087.001::[P.A.S. Webshell] can display the /etc/passwd file on a compromised host."
"T1105::[P.A.S. Webshell] can upload and download files to and from compromised hosts."
"T1110.001::[P.A.S. Webshell] can use predefined users and passwords to execute brute force attacks against SSH, FTP, POP3, MySQL, MSSQL, and PostgreSQL services."
"T1140::[P.A.S. Webshell] can use a decryption mechanism to process a user supplied password and allow execution."
"T1213::[P.A.S. Webshell] has the ability to list and extract data from SQL databases."
"T1222.002::[P.A.S. Webshell] has the ability to modify file permissions."
"T1505.003::[P.A.S. Webshell] can gain remote access and execution on target web servers."
"T1518::[P.A.S. Webshell] can list PHP server configuration details."
"T1001.001::[P2P ZeuS] added junk data to outgoing UDP packets to peer implants."
"T1001.001::[P8RAT] can send randomly-generated data as part of its C2 communication."
"T1057::[P8RAT] can check for specific processes associated with virtual environments."
"T1105::[P8RAT] can download additional payloads to a target system."
"T1497.001::[P8RAT] can check the compromised host for processes associated with VMware or VirtualBox environments."
"T1497.003::[P8RAT] has the ability to \"sleep\" for a specified time to evade detection."
"T1027::[Pandora] has the ability to compress stings with QuickLZ."
"T1055::[Pandora] can start and inject code into a new `svchost` process."
"T1057::[Pandora] can monitor processes on a compromised host."
"T1068::[Pandora] can use CVE-2017-15303 to bypass Windows Driver Signature Enforcement (DSE) protection and load its driver."
"T1071.001::[Pandora] can communicate over HTTP."
"T1105::[Pandora] can load additional drivers and files onto a victim machine."
"T1112::[Pandora] can write an encrypted token to the Registry to enable processing of remote commands."
"T1205::[Pandora] can identify if incoming HTTP traffic contains a token and if so it will intercept the traffic and process the received command."
"T1543.003::[Pandora] has the ability to gain system privileges through Windows services."
"T1553.006::[Pandora] can use CVE-2017-15303 to disable Windows Driver Signature Enforcement (DSE) protection and load its driver."
"T1569.002::[Pandora] has the ability to install itself as a Windows service."
"T1573.001::[Pandora] has the ability to encrypt communications with D3DES."
"T1574.002::[Pandora] can use DLL side-loading to execute malicious payloads."
"T1005::[Pasam] creates a backdoor through which remote attackers can retrieve files."
"T1057::[Pasam] creates a backdoor through which remote attackers can retrieve lists of running processes."
"T1070.004::[Pasam] creates a backdoor through which remote attackers can delete files."
"T1082::[Pasam] creates a backdoor through which remote attackers can retrieve information such as hostname and free disk space."
"T1083::[Pasam] creates a backdoor through which remote attackers can retrieve lists of files."
"T1105::[Pasam] creates a backdoor through which remote attackers can upload files."
"T1547.008::[Pasam] establishes by infecting the Security Accounts Manager (SAM) DLL to load a malicious DLL dropped to disk."
"T1016::[Pay2Key] can identify the IP and MAC addresses of the compromised host."
"T1070.004::[Pay2Key] can remove its log file from disk."
"T1082::[Pay2Key] has the ability to gather the hostname of the victim machine."
"T1090.001::[Pay2Key] has designated machines in the compromised network to serve as reverse proxy pivot points to channel communications with C2."
"T1095::[Pay2Key] has sent its public key to the C2 server over TCP."
"T1486::[Pay2Key] can encrypt data on victim's machines using RSA and AES algorithms in order to extort a ransom payment for decryption."
"T1489::[Pay2Key] can stop the MS SQL service at the end of the encryption process to release files locked by the service."
"T1573.002::[Pay2Key] has used RSA encrypted communications with C2."
"T1016::[Penquin] can report the IP of the compromised host to attacker controlled infrastructure."
"T1027.005::[Penquin] can remove strings from binaries."
"T1027::[Penquin] has encrypted strings in the binary for obfuscation."
"T1036.005::[Penquin] has mimicked the Cron binary to hide itself on compromised systems."
"T1040::[Penquin] can sniff network traffic to look for packets matching specific conditions."
"T1041::[Penquin] can execute the command code do_upload to send files to C2."
"T1053.003::[Penquin] can use Cron to create periodic and pre-scheduled background jobs."
"T1059.004::[Penquin] can execute remote commands using bash scripts."
"T1070.004::[Penquin] can delete downloaded executables after running them."
"T1082::[Penquin] can report the file system type and disk space of a compromised host to C2."
"T1083::[Penquin] can use the command code do_vslist to send file names, size, and status to C2."
"T1095::The [Penquin] C2 mechanism is based on TCP and UDP packets."
"T1105::[Penquin] can execute the command code do_download to retrieve remote files from C2."
"T1205.002::[Penquin] installs a `TCP` and `UDP` filter on the `eth0` interface."
"T1205::[Penquin] will connect to C2 only after sniffing a \"magic packet\" value in TCP or UDP packets matching specific conditions."
"T1222.002::[Penquin] can add the executable flag to a downloaded file."
"T1573.002::[Penquin] can encrypt communications using the BlowFish algorithm and a symmetric key exchanged with Diffie Hellman."
"T1020::[Peppy] has the ability to automatically exfiltrate files and keylogs."
"T1056.001::[Peppy] can log keystrokes on compromised hosts."
"T1059.003::[Peppy] has the ability to execute shell commands."
"T1071.001::[Peppy] can use HTTP to communicate with C2."
"T1083::[Peppy] can identify specific files for exfiltration."
"T1105::[Peppy] can download and execute remote files."
"T1113::[Peppy] can take screenshots on targeted systems."
"T1059.003::[PHOREAL] is capable of creating reverse shell."
"T1095::[PHOREAL] communicates via ICMP for C2."
"T1112::[PHOREAL] is capable of manipulating the Registry."
"T1005::[Pillowmint] has collected credit card data using native API functions."
"T1012::[Pillowmint] has used shellcode which reads code stored in the registry keys \\REGISTRY\\SOFTWARE\\Microsoft\\DRM using the native Windows API as well as read HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\Tcpip\\Parameters\\Interfaces as part of its C2."
"T1027::[Pillowmint] has been compressed and stored within a registry key. [Pillowmint] has also obfuscated the AES key used for encryption."
"T1055.004::[Pillowmint] has used the NtQueueApcThread syscall to inject code into svchost.exe."
"T1057::[Pillowmint] can iterate through running processes every six seconds collecting a list of processes to capture from later."
"T1059.001::[Pillowmint] has used a PowerShell script to install a shim database."
"T1070.004::[Pillowmint] has deleted the filepath %APPDATA%\\Intel\\devmonsrv.exe."
"T1070.009::[Pillowmint] can uninstall the malicious service from an infected machine."
"T1106::[Pillowmint] has used multiple native Windows APIs to execute and conduct process injections."
"T1112::[Pillowmint] has stored its malicious payload in the registry key HKLM\\SOFTWARE\\Microsoft\\DRM."
"T1140::[Pillowmint] has been decompressed by included shellcode prior to being launched."
"T1546.011::[Pillowmint] has used a malicious shim database to maintain persistence."
"T1560::[Pillowmint] has encrypted stolen credit card information with AES and further encoded it with Base64."
"T1003::[PinchDuke] steals credentials from compromised hosts. [PinchDuke]'s credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by [PinchDuke] include ones associated many sources such as WinInet Credential Cache, and Lightweight Directory Access Protocol (LDAP)."
"T1005::[PinchDuke] collects user files from the compromised host based on predefined file extensions."
"T1071.001::[PinchDuke] transfers files from the compromised host via HTTP or HTTPS to a C2 server."
"T1082::[PinchDuke] gathers system configuration information."
"T1083::[PinchDuke] searches for files created within a certain timeframe and whose file extension matches a predefined list."
"T1555.003::[PinchDuke] steals credentials from compromised hosts. [PinchDuke]'s credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by [PinchDuke] include ones associated with many sources such as Netscape Navigator, Mozilla Firefox, Mozilla Thunderbird, and Internet Explorer."
"T1555::[PinchDuke] steals credentials from compromised hosts. [PinchDuke]'s credential stealing functionality is believed to be based on the source code of the Pinch credential stealing malware (also known as LdPinch). Credentials targeted by [PinchDuke] include ones associated with many sources such as The Bat!, Yahoo!, Mail.ru, Passport.Net, Google Talk, and Microsoft Outlook."
"T1005::[PingPull] can collect data from a compromised host."
"T1016::[PingPull] can retrieve the IP address of a compromised host."
"T1036.004::[PingPull] can mimic the names and descriptions of legitimate services such as `iphlpsvc`, `IP Helper`,  and `Onedrive` to evade detection."
"T1041::[PingPull] has the ability to exfiltrate stolen victim data through its C2 channel."
"T1059.003::[PingPull] can use `cmd.exe` to run various commands as a reverse shell."
"T1070.006::[PingPull] has the ability to timestomp a file."
"T1071.001::A [PingPull] variant can communicate with its C2 servers by using HTTPS."
"T1082::[PingPull] can retrieve the hostname of a compromised host."
"T1083::[PingPull] can enumerate storage volumes and folder contents of a compromised host."
"T1095::[PingPull] variants have the ability to communicate with C2 servers using ICMP or TCP."
"T1132.001::[PingPull] can encode C2 traffic with Base64."
"T1140::[PingPull] can decrypt received data from its C2 server by using AES."
"T1543.003::[PingPull] has the ability to install itself as a service."
"T1571::[PingPull] can use HTTPS over port 8080 for C2."
"T1573.001::[PingPull] can use AES, in cipher block chaining (CBC) mode padded with PKCS5, to encrypt C2 server communications."
"T1008::[PipeMon] can switch to an alternate C2 domain when a particular date has been reached."
"T1016::[PipeMon] can collect and send the local IP address, RDP information, and the network adapter physical address as a part of its C2 beacon."
"T1027::[PipeMon] modules are stored encrypted on disk."
"T1036.005::[PipeMon] modules are stored on disk with seemingly benign names including use of a file extension associated with a popular word processor."
"T1055.001::[PipeMon] can inject its modules into various processes using reflective DLL loading."
"T1057::[PipeMon] can iterate over the running processes to find a suitable injection target."
"T1082::[PipeMon] can collect and send OS version and computer name as a part of its C2 beacon."
"T1095::The [PipeMon] communication module can use a custom protocol based on TLS over TCP."
"T1105::[PipeMon] can install additional modules via C2 commands."
"T1106::[PipeMon]'s first stage has been executed by a call to CreateProcess with the decryption password in an argument. [PipeMon] has used a call to LoadLibrary to load its installer."
"T1112::[PipeMon] has stored its encrypted payload in the Registry."
"T1124::[PipeMon] can send time zone information from a compromised host to C2."
"T1129::[PipeMon] has used call to LoadLibrary to load its installer. [PipeMon] loads its modules using reflective loading or custom shellcode."
"T1134.002::[PipeMon] can attempt to gain administrative privileges using token impersonation."
"T1134.004::[PipeMon] can use parent PID spoofing to elevate privileges."
"T1140::[PipeMon] can decrypt password-protected executables."
"T1518.001::[PipeMon] can check for the presence of ESET and Kaspersky security software."
"T1543.003::[PipeMon] can establish persistence by registering a malicious DLL as an alternative Print Processor which is loaded when the print spooler service starts."
"T1547.012::The [PipeMon] installer has modified the Registry key HKLM\\SYSTEM\\CurrentControlSet\\Control\\Print\\Environments\\Windows x64\\Print Processors to install [PipeMon] as a Print Processor."
"T1548.002::[PipeMon] installer can use UAC bypass techniques to install the payload."
"T1553.002::[PipeMon], its installer, and tools are signed with stolen code-signing certificates."
"T1573.001::[PipeMon] communications are RC4 encrypted."
"T1016::[Pisloader] has a command to collect the victim's IP address."
"T1027::[Pisloader] obfuscates files by splitting strings into smaller sub-strings and including \"garbage\" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data."
"T1059.003::[Pisloader] uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell."
"T1071.004::[Pisloader] uses DNS as its C2 protocol."
"T1082::[Pisloader] has a command to collect victim system information, including the system name and OS version."
"T1083::[Pisloader] has commands to list drives on the victim machine and to list file information for a given directory."
"T1105::[Pisloader] has a command to upload a file to the victim machine."
"T1132.001::Responses from the [Pisloader] C2 server are base32-encoded."
"T1547.001::[Pisloader] establishes persistence via a Registry Run key."
"T1016::[PLAINTEE] uses the ipconfig /all command to gather the victim’s IP address."
"T1057::[PLAINTEE] performs the tasklist command to list running processes."
"T1059.003::[PLAINTEE] uses cmd.exe to execute commands on the victim’s machine."
"T1082::[PLAINTEE] collects general system enumeration data about the infected machine and checks the OS version."
"T1105::[PLAINTEE] has downloaded and executed additional plugins."
"T1112::[PLAINTEE] uses reg add to add a Registry Run key for persistence."
"T1547.001::[PLAINTEE] gains persistence by adding the Registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce."
"T1548.002::An older variant of [PLAINTEE] performs UAC bypass."
"T1573.001::[PLAINTEE] encodes C2 beacons using XOR."
"T1001.001::[PLEAD] samples were found to be highly obfuscated with junk code."
"T1010::[PLEAD] has the ability to list open windows on the compromised host."
"T1057::[PLEAD] has the ability to list processes on the compromised host."
"T1059.003::[PLEAD] has the ability to execute shell commands on the compromised host."
"T1070.004::[PLEAD] has the ability to delete files on the compromised host."
"T1071.001::[PLEAD] has used HTTP for communications with command and control (C2) servers."
"T1083::[PLEAD] has the ability to list drives and files on the compromised host."
"T1090::[PLEAD] has the ability to proxy network communications."
"T1105::[PLEAD] has the ability to upload and download files to and from an infected host."
"T1106::[PLEAD] can use `ShellExecute` to execute applications."
"T1204.001::[PLEAD] has been executed via malicious links in e-mails."
"T1204.002::[PLEAD] has been executed via malicious e-mail attachments."
"T1555.003::[PLEAD] can harvest saved credentials from browsers such as Google Chrome, Microsoft Internet Explorer, and Mozilla Firefox."
"T1555::[PLEAD] has the ability to steal saved passwords from Microsoft Outlook."
"T1573.001::[PLEAD] has used RC4 encryption to download modules."
"T1012::[PlugX] can enumerate and query for information contained within the Windows Registry."
"T1027::[PlugX] can use API hashing and modify the names of strings to evade detection."
"T1036.004::In one instance, [menuPass] added [PlugX] as a service with a display name of \"Corel Writing Tools Utility.\""
"T1036.005::[PlugX] has been disguised as legitimate Adobe and PotPlayer files."
"T1049::[PlugX] has a module for enumerating TCP and UDP network connections and associated processes using the netstat command."
"T1056.001::[PlugX] has a module for capturing keystrokes per process including window titles."
"T1057::[PlugX] has a module to list the processes running on a machine."
"T1059.003::[PlugX] allows actors to spawn a reverse shell on a victim."
"T1071.001::[PlugX] can be configured to use HTTP for command and control."
"T1071.004::[PlugX] can be configured to use DNS for command and control."
"T1083::[PlugX] has a module to enumerate drives and find files recursively."
"T1095::[PlugX] can be configured to use raw TCP or UDP for command and control."
"T1102.001::[PlugX] uses Pastebin to store C2 addresses."
"T1105::[PlugX] has a module to download and execute files on the compromised machine."
"T1106::[PlugX] can use the Windows API functions `GetProcAddress`, `LoadLibrary`, and `CreateProcess` to execute another process."
"T1112::[PlugX] has a module to create, delete, or modify Registry keys."
"T1113::[PlugX] allows the operator to capture screenshots."
"T1127.001::A version of [PlugX] loads as shellcode within a .NET Framework project using msbuild.exe, presumably to bypass application control techniques."
"T1135::[PlugX] has a module to enumerate network shares."
"T1140::[PlugX] decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer."
"T1497.001::[PlugX] checks if VMware tools is running in the background by searching for any process named \"vmtoolsd\"."
"T1543.003::[PlugX] can be added as a service to establish persistence. [PlugX] also has a module to change service configurations as well as start, control, and delete services."
"T1547.001::[PlugX] adds Run key entries in the Registry to establish persistence."
"T1564.001::[PlugX] can modify the characteristics of folders to hide them from the compromised user."
"T1573.001::[PlugX] can use RC4 encryption in C2 communications."
"T1574.001::[PlugX] has the ability to use DLL search order hijacking for installation on targeted systems."
"T1574.002::[PlugX] has used DLL side-loading to evade anti-virus."
"T1070.004::[pngdowner] deletes content from C2 communications that was saved to the user's temporary directory."
"T1071.001::[pngdowner] uses HTTP for command and control."
"T1552.001::If an initial connectivity check fails, [pngdowner] attempts to extract proxy details and credentials from Windows Protected Storage and from the IE Credentials Store. This allows the adversary to use the proxy credentials for subsequent requests if they enable outbound HTTP access."
"T1003.001::[PoetRAT] used voStro.exe, a compiled pypykatz (Python version of [Mimikatz]), to steal credentials."
"T1018::[PoetRAT] used Nmap for remote system discovery."
"T1027::[PoetRAT] has used a custom encryption scheme for communication between scripts and pyminifier to obfuscate scripts."
"T1033::[PoetRAT] sent username, computer name, and the previously generated UUID in reply to a \"who\" command from C2."
"T1041::[PoetRAT] has exfiltrated data over the C2 channel."
"T1048.003::[PoetRAT] has used [ftp] for exfiltration."
"T1048::[PoetRAT] has used a .NET tool named dog.exe to exiltrate information over an e-mail account."
"T1056.001::[PoetRAT] has used a Python tool named klog.exe for keylogging."
"T1057::[PoetRAT] has the ability to list all running processes."
"T1059.003::[PoetRAT] has called cmd through a Word document macro."
"T1059.005::[PoetRAT] has used Word documents with VBScripts to execute malicious activities."
"T1059.006::[PoetRAT] was executed with a Python script and worked in conjunction with additional Python-based post-exploitation tools."
"T1059::[PoetRAT] has executed a Lua script through a Lua interpreter for Windows."
"T1070.004::[PoetRAT] has the ability to overwrite scripts and delete itself if a sandbox environment is detected."
"T1071.001::[PoetRAT] has used HTTP and HTTPs for C2 communications."
"T1071.002::[PoetRAT] has used FTP for C2 communications."
"T1082::[PoetRAT] has the ability to gather information about the compromised host."
"T1083::[PoetRAT] has the ability to list files upon receiving the ls command from C2."
"T1105::[PoetRAT] has the ability to copy files and download/upload files into C2 channels using FTP and HTTPS."
"T1112::[PoetRAT] has made registry modifications to alter its behavior upon execution."
"T1113::[PoetRAT] has the ability to take screen captures."
"T1119::[PoetRAT] used file system monitoring to track modification and enable automatic exfiltration."
"T1125::[PoetRAT] has used a Python tool named Bewmac to record the webcam on compromised hosts."
"T1140::[PoetRAT] has used LZMA and base64 libraries to decode obfuscated scripts."
"T1204.002::[PoetRAT] has used spearphishing attachments to infect victims."
"T1497.001::[PoetRAT] checked the size of the hard drive to determine if it was being run in a sandbox environment. In the event of sandbox detection, it would delete itself by overwriting the malware scripts with the contents of \"License.txt\" and exiting."
"T1547.001::[PoetRAT] has added a registry key in the <RUN> hive for persistence."
"T1555.003::[PoetRAT] has used a Python tool named Browdec.exe to steal browser credentials."
"T1559.002::[PoetRAT] was delivered with documents using DDE to execute malicious code."
"T1560.001::[PoetRAT] has the ability to compress files with zip."
"T1564.001::[PoetRAT] has the ability to hide and unhide files."
"T1566.001::[PoetRAT] was distributed via malicious Word documents."
"T1571::[PoetRAT] used TLS to encrypt communications over port 143"
"T1573.002::[PoetRAT] used TLS to encrypt command and control (C2) communications."
"T1005::[PoisonIvy] creates a backdoor through which remote attackers can steal system information."
"T1010::[PoisonIvy] captures window titles."
"T1014::[PoisonIvy] starts a rootkit from a malicious file dropped to disk."
"T1027::[PoisonIvy] hides any strings related to its own indicators of compromise."
"T1055.001::[PoisonIvy] can inject a malicious DLL into a process."
"T1056.001::[PoisonIvy] contains a keylogger."
"T1059.003::[PoisonIvy] creates a backdoor through which remote attackers can open a command-line interface."
"T1074.001::[PoisonIvy] stages collected data in a text file."
"T1105::[PoisonIvy] creates a backdoor through which remote attackers can upload files."
"T1112::[PoisonIvy] creates a Registry subkey that registers a new system device."
"T1543.003::[PoisonIvy] creates a Registry subkey that registers a new service. [PoisonIvy] also creates a Registry entry modifying the Logical Disk Manager service to point to a malicious DLL dropped to disk."
"T1547.001::[PoisonIvy] creates run key Registry entries pointing to a malicious executable dropped to disk."
"T1547.014::[PoisonIvy] creates a Registry key in the Active Setup pointing to a malicious executable."
"T1573.001::[PoisonIvy] uses the Camellia cipher to encrypt communications."
"T1027.003::[PolyglotDuke] can use steganography to hide C2 information in images."
"T1027::[PolyglotDuke] can custom encrypt strings."
"T1071.001::[PolyglotDuke] has has used HTTP GET requests in C2 communications."
"T1102.001::[PolyglotDuke] can use Twitter, Reddit, Imgur and other websites to get a C2 URL."
"T1105::[PolyglotDuke] can retrieve payloads from the C2 server."
"T1106::[PolyglotDuke] can use LoadLibraryW and CreateProcess to load and execute code."
"T1112::[PolyglotDuke] can write encrypted JSON configuration files to the Registry."
"T1140::[PolyglotDuke] can use a custom algorithm to decrypt strings used by the malware."
"T1218.011::[PolyglotDuke] can be executed using rundll32.exe."
"T1027::[Pony] attachments have been delivered via compressed archive files. [Pony] also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult."
"T1036.005::[Pony] has used the Adobe Reader icon for the downloaded file to look more trustworthy."
"T1059.003::[Pony] has used batch scripts to delete itself after execution."
"T1070.004::[Pony] has used scripts to delete itself after execution."
"T1071.001::[Pony] has sent collected information to the C2 via HTTP POST request."
"T1082::[Pony] has collected the Service Pack, language, and region information to send to the C2."
"T1087.001::[Pony] has used the NetUserEnum function to enumerate local accounts."
"T1105::[Pony] can download additional files onto the infected system."
"T1106::[Pony] has used several Windows functions for various purposes."
"T1110.001::[Pony] has used a small dictionary of common passwords against a collected list of local accounts."
"T1204.001::[Pony] has attempted to lure targets into clicking links in spoofed emails from legitimate banks."
"T1204.002::[Pony] has attempted to lure targets into downloading an attached executable (ZIP, RAR, or CAB archives) or document (PDF or other MS Office format)."
"T1497.003::[Pony] has delayed execution using a built-in function to avoid detection and analysis."
"T1566.001::[Pony] has been delivered via spearphishing attachments."
"T1566.002::[Pony] has been delivered via spearphishing emails which contained malicious links."
"T1057::[POORAIM] can enumerate processes."
"T1082::[POORAIM] can identify system information, including battery status."
"T1083::[POORAIM] can conduct file browsing."
"T1102.002::[POORAIM] has used AOL Instant Messenger for C2."
"T1113::[POORAIM] can perform screen capturing."
"T1189::[POORAIM] has been delivered through compromised sites acting as watering holes."
"T1027::[POSHSPY] appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download."
"T1030::[POSHSPY] uploads data in 2048-byte chunks."
"T1059.001::[POSHSPY] uses PowerShell to execute various commands, one to execute its payload."
"T1070.006::[POSHSPY] modifies timestamps of all downloaded executables to match a randomly selected file created prior to 2013."
"T1105::[POSHSPY] downloads and executes additional PowerShell code and Windows binaries."
"T1546.003::[POSHSPY] uses a WMI event subscription to establish persistence."
"T1568.002::[POSHSPY] uses a DGA to derive command and control URLs from a word list."
"T1573.002::[POSHSPY] encrypts C2 traffic with AES and RSA."
"T1055.011::[Power Loader] overwrites Explorer’s Shell_TrayWnd extra window memory to redirect execution to a NTDLL function that is abused to assemble and execute a return-oriented programming (ROP) chain and create a malicious thread within Explorer.exe."
"T1010::[PowerDuke] has a command to get text of the current foreground window."
"T1016::[PowerDuke] has a command to get the victim's domain and NetBIOS name."
"T1027.003::[PowerDuke] uses steganography to hide backdoors in PNG files, which are also encrypted using the Tiny Encryption Algorithm (TEA)."
"T1033::[PowerDuke] has commands to get the current user's name and SID."
"T1057::[PowerDuke] has a command to list the victim's processes."
"T1059.003::[PowerDuke] runs cmd.exe /c and sends the output to its C2."
"T1070.004::[PowerDuke] has a command to write random data across a file and delete it."
"T1082::[PowerDuke] has commands to get information about the victim's name, build, version, serial number, and memory usage."
"T1083::[PowerDuke] has commands to get the current directory name as well as the size of a file. It also has commands to obtain information about logical drives, drive type, and free space."
"T1105::[PowerDuke] has a command to download a file."
"T1124::[PowerDuke] has commands to get the time the machine was built, the time, and the time zone."
"T1218.011::[PowerDuke] uses rundll32.exe to load."
"T1485::[PowerDuke] has a command to write random data across a file and delete it."
"T1547.001::[PowerDuke] achieves persistence by using various Registry Run keys."
"T1564.004::[PowerDuke] hides many of its backdoor payloads in an alternate data stream (ADS)."
"T1005::[PowerLess] has the ability to exfiltrate data, including Chrome and Edge browser database files, from compromised machines."
"T1056.001::[PowerLess] can use a module to log keystrokes."
"T1059.001::[PowerLess] is written in and executed via PowerShell without using powershell.exe."
"T1074.001::[PowerLess] can stage stolen browser data in `C:\\\\Windows\\\\Temp\\\\cup.tmp` and keylogger data in `C:\\\\Windows\\\\Temp\\\\Report.06E17A5A-7325-4325-8E5D-E172EBA7FC5BK`."
"T1105::[PowerLess] can download additional payloads to a compromised host."
"T1140::[PowerLess] can use base64 and AES ECB decryption prior to execution of downloaded modules."
"T1217::[PowerLess] can use a .NET browser information stealer module."
"T1560::[PowerLess] can encrypt browser database files prior to exfiltration."
"T1573::[PowerLess] can use an encrypted channel for C2 communications."
"T1027::[PowerPunch] can use Base64-encoded scripts."
"T1059.001::[PowerPunch] has the ability to execute through PowerShell."
"T1105::[PowerPunch] can download payloads from adversary infrastructure."
"T1480.001::[PowerPunch] can use the volume serial number from a target host to generate a unique XOR key for the next stage payload."
"T1016::[PowerShower] has the ability to identify the current Windows domain of the infected host."
"T1033::[PowerShower] has the ability to identify the current user on the infected host."
"T1041::[PowerShower] has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days."
"T1057::[PowerShower] has the ability to deploy a reconnaissance module to retrieve a list of the active processes."
"T1059.001::[PowerShower] is a backdoor written in PowerShell."
"T1059.005::[PowerShower] has the ability to save and execute VBScript."
"T1070.004::[PowerShower] has the ability to remove all files created during the dropper process."
"T1071.001::[PowerShower] has sent HTTP GET and POST requests to C2 servers to send information and receive instructions."
"T1082::[PowerShower] has collected system information on the infected host."
"T1112::[PowerShower] has added a registry key so future powershell.exe instances are spawned off-screen by default, and has removed all registry entries that are left behind during the dropper process."
"T1132.001::[PowerShower] has the ability to encode C2 communications with base64 encoding."
"T1547.001::[PowerShower] sets up persistence with a Registry run key."
"T1560.001::[PowerShower] has used 7Zip to compress .txt, .pdf, .xls or .doc files prior to exfiltration."
"T1564.003::[PowerShower] has added a registry key so future powershell.exe instances are spawned with coordinates for a window position off-screen by default."
"T1012::[POWERSOURCE] queries Registry keys in preparation for setting Run keys to achieve persistence."
"T1059.001::[POWERSOURCE] is a PowerShell backdoor."
"T1071.004::[POWERSOURCE] uses DNS TXT records for C2."
"T1105::[POWERSOURCE] has been observed being used to download [TEXTMATE] and the Cobalt Strike Beacon payload onto victims."
"T1547.001::[POWERSOURCE] achieves persistence by setting a Registry Run key, with the path depending on whether the victim account has user or administrator access."
"T1564.004::If the victim is using PowerShell 3.0 or later, [POWERSOURCE] writes its decoded payload to an alternate data stream (ADS) named kernel32.dll that is saved in %PROGRAMDATA%\\Windows\\."
"T1027::[PowerStallion] uses a XOR cipher to encrypt command output written to its OneDrive C2 server."
"T1057::[PowerStallion] has been used to monitor process lists."
"T1059.001::[PowerStallion] uses PowerShell loops to iteratively check for available commands in its OneDrive C2 server."
"T1070.006::[PowerStallion] modifies the MAC times of its local log files to match that of the victim's desktop.ini file."
"T1102.002::[PowerStallion] uses Microsoft OneDrive as a C2 server via a network drive mapped with net use."
"T1005::[POWERSTATS] can upload files from compromised hosts."
"T1016::[POWERSTATS] can retrieve IP, network adapter configuration information, and domain from compromised hosts."
"T1027.001::[POWERSTATS] has used useless code blocks to counter analysis."
"T1027::[POWERSTATS] uses character replacement, [PowerShell] environment variables, and XOR encoding to obfuscate code. [POWERSTATS]'s backdoor code is a multi-layer obfuscated, encoded, and compressed blob."
"T1029::[POWERSTATS] can sleep for a given number of seconds."
"T1033::[POWERSTATS] has the ability to identify the username on the compromised host."
"T1036.004::[POWERSTATS] has created a scheduled task named \"MicrosoftEdge\" to establish persistence."
"T1047::[POWERSTATS] can use WMI queries to retrieve data from compromised hosts."
"T1053.005::[POWERSTATS] has established persistence through a scheduled task using the command ”C:\\Windows\\system32\\schtasks.exe” /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR “c:\\Windows\\system32\\wscript.exe C:\\Windows\\temp\\Windows.vbe”."
"T1057::[POWERSTATS] has used get_tasklist to discover processes on the compromised host."
"T1059.001::[POWERSTATS] uses PowerShell for obfuscation and execution."
"T1059.005::[POWERSTATS] can use VBScript (VBE) code for execution."
"T1059.007::[POWERSTATS] can use JavaScript code for execution."
"T1070.004::[POWERSTATS] can delete all files on the C:\\, D:\\, E:\\ and, F:\\ drives using [PowerShell] Remove-Item commands."
"T1082::[POWERSTATS] can retrieve OS name/architecture and computer/domain name information from compromised hosts."
"T1087.001::[POWERSTATS] can retrieve usernames from compromised hosts."
"T1090.002::[POWERSTATS] has connected to C2 servers through proxies."
"T1105::[POWERSTATS] can retrieve and execute additional [PowerShell] payloads from the C2 server."
"T1113::[POWERSTATS] can retrieve screenshots from compromised hosts."
"T1132.001::[POWERSTATS] encoded C2 traffic with base64."
"T1140::[POWERSTATS] can deobfuscate the main backdoor code."
"T1218.005::[POWERSTATS] can use Mshta.exe to execute additional payloads on compromised hosts."
"T1518.001::[POWERSTATS] has detected security tools."
"T1559.001::[POWERSTATS] can use DCOM (targeting the 127.0.0.1 loopback address) to execute additional payloads on compromised hosts."
"T1559.002::[POWERSTATS] can use DDE to execute additional payloads on compromised hosts."
"T1562.001::[POWERSTATS] can disable Microsoft Office Protected View by changing Registry keys."
"T1573.002::[POWERSTATS] has encrypted C2 traffic with RSA."
"T1003.002::[POWERTON] has the ability to dump password hashes."
"T1059.001::[POWERTON] is written in PowerShell."
"T1071.001::[POWERTON] has used HTTP/HTTPS for C2 traffic."
"T1546.003::[POWERTON] can use WMI for persistence."
"T1547.001::[POWERTON] can install a Registry Run key for persistence."
"T1573.001::[POWERTON] has used AES for encrypting C2 traffic."
"T1036.005::[PowGoop] has used a DLL named Goopdate.dll to impersonate a legitimate Google update file."
"T1036::[PowGoop] has disguised a PowerShell script as a .dat file (goopdate.dat)."
"T1059.001::[PowGoop] has the ability to use PowerShell scripts to execute commands."
"T1071.001::[PowGoop] can send HTTP GET requests to malicious servers."
"T1132.002::[PowGoop] can use a modified Base64 encoding mechanism to send data to and from the C2 server."
"T1140::[PowGoop] can decrypt PowerShell scripts for execution."
"T1573::[PowGoop] can receive encrypted commands from C2."
"T1574.002::[PowGoop] can side-load `Goopdate.dll` into `GoogleUpdate.exe`."
"T1012::[POWRUNER] may query the Registry by running reg query on a victim."
"T1016::[POWRUNER] may collect network configuration data by running ipconfig /all on a victim."
"T1033::[POWRUNER] may collect information about the currently logged in user by running whoami on a victim."
"T1047::[POWRUNER] may use WMI when collecting information about a victim."
"T1049::[POWRUNER] may collect active network connections by running netstat -an on a victim."
"T1053.005::[POWRUNER] persists through a scheduled task that executes it every minute."
"T1057::[POWRUNER] may collect process information by running tasklist on a victim."
"T1059.001::[POWRUNER] is written in PowerShell."
"T1059.003::[POWRUNER] can execute commands from its C2 server."
"T1069.001::[POWRUNER] may collect local group information by running net localgroup administrators or a series of other commands on a victim."
"T1069.002::[POWRUNER] may collect domain group information by running net group /domain or a series of other commands on a victim."
"T1071.001::[POWRUNER] can use HTTP for C2 communications."
"T1071.004::[POWRUNER] can use DNS for C2 communications."
"T1082::[POWRUNER] may collect information about the system by running hostname and systeminfo on a victim."
"T1083::[POWRUNER] may enumerate user directories on a victim."
"T1087.002::[POWRUNER] may collect user account information by running net user /domain or a series of other commands on a victim."
"T1105::[POWRUNER] can download or upload files from its C2 server."
"T1113::[POWRUNER] can capture a screenshot from a victim."
"T1132.001::[POWRUNER] can use base64 encoded C2 communications."
"T1518.001::[POWRUNER] may collect information on the victim's anti-virus software."
"T1016::A module in [Prikormka] collects information from the victim about its IP addresses and MAC addresses."
"T1025::[Prikormka] contains a module that collects documents with certain extensions from removable media or fixed drives connected via USB."
"T1027::Some resources in [Prikormka] are encrypted with a simple XOR operation or encoded with Base64."
"T1033::A module in [Prikormka] collects information from the victim about the current user name."
"T1056.001::[Prikormka] contains a keylogger module that collects keystrokes and the titles of foreground windows."
"T1070.004::After encrypting its own log files, the log encryption module in [Prikormka] deletes the original, unencrypted files from the host."
"T1074.001::[Prikormka] creates a directory, %USERPROFILE%\\AppData\\Local\\SKC\\, which is used to store collected log files."
"T1082::A module in [Prikormka] collects information from the victim about Windows OS version, computer name, battery info, and physical memory."
"T1083::A module in [Prikormka] collects information about the paths, size, and creation time of files with specific file extensions, but not the actual content of the file."
"T1113::[Prikormka] contains a module that captures screenshots of the victim's desktop."
"T1120::A module in [Prikormka] collects information on available printers and disk drives."
"T1132.001::[Prikormka] encodes C2 traffic with Base64."
"T1218.011::[Prikormka] uses rundll32.exe to load its DLL."
"T1518.001::A module in [Prikormka] collects information from the victim about installed anti-virus software."
"T1547.001::[Prikormka] adds itself to a Registry Run key with the name guidVGA or guidVSA."
"T1555.003::A module in [Prikormka] gathers logins and passwords stored in applications on the victims, including Google Chrome, Mozilla Firefox, and several other browsers."
"T1555::A module in [Prikormka] collects passwords stored in applications installed on the victim."
"T1560::After collecting documents from removable media, [Prikormka] compresses the collected files, and encrypts it with Blowfish."
"T1573.001::[Prikormka] encrypts some C2 traffic with the Blowfish cipher."
"T1574.001::[Prikormka] uses DLL search order hijacking for persistence by saving itself as ntshrui.dll to the Windows directory so it will load before the legitimate ntshrui.dll saved in the System32 subdirectory."
"T1027.003::[ProLock] can use .jpg and .bmp files to store its payload."
"T1047::[ProLock] can use WMIC to execute scripts on targeted hosts."
"T1068::[ProLock] can use CVE-2019-0859 to escalate privileges on a compromised host."
"T1070.004::[ProLock] can remove files containing its payload after they are executed."
"T1197::[ProLock] can use BITS jobs to download its malicious payload."
"T1486::[ProLock] can encrypt files on a compromised host with RC6, and encrypts the key with RSA-1024."
"T1490::[ProLock] can use vssadmin.exe to remove volume shadow copies."
"T1021.005::[Proton] uses VNC to connect into systems."
"T1056.001::[Proton] uses a keylogger to capture keystrokes."
"T1056.002::[Proton] prompts users for their credentials."
"T1059.004::[Proton] uses macOS' .command file type to script actions."
"T1070.002::[Proton] removes logs from /var/logs and /Library/logs."
"T1070.004::[Proton] removes all files in the /tmp directory."
"T1113::[Proton] captures the content of the desktop with the screencapture binary."
"T1140::[Proton] uses an encrypted file to store commands and configuration values."
"T1543.001::[Proton] persists via Launch Agent."
"T1548.003::[Proton] modifies the tty_tickets line in the sudoers file."
"T1555.001::[Proton] gathers credentials in files for keychains."
"T1555.003::[Proton] gathers credentials for Google Chrome."
"T1555.005::[Proton] gathers credentials in files for 1password."
"T1560::[Proton] zips up files before exfiltrating them."
"T1562.001::[Proton] kills security tools like Wireshark that are running."
"T1005::[Proxysvc] searches the local system and gathers data."
"T1012::[Proxysvc] gathers product names from the Registry key: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion ProductName and the processor description from the Registry key HKLM\\HARDWARE\\DESCRIPTION\\System\\CentralProcessor\\0 ProcessorNameString."
"T1016::[Proxysvc] collects the network adapter information and domain/username information based on current remote sessions."
"T1041::[Proxysvc] performs data exfiltration over the control server channel using a custom protocol."
"T1057::[Proxysvc] lists processes running on the system."
"T1059.003::[Proxysvc] executes a binary on the system and logs the results into a temp file by using: cmd.exe /c \"<file_path> > %temp%\\PM* .tmp 2>&1\"."
"T1070.004::[Proxysvc] can delete files indicated by the attacker and remove itself from disk using a batch file."
"T1071.001::[Proxysvc] uses HTTP over SSL to communicate commands with the control server."
"T1082::[Proxysvc] collects the OS version, country name, MAC address, computer name, physical memory statistics, and volume information for all drives on the system."
"T1083::[Proxysvc] lists files in directories."
"T1119::[Proxysvc] automatically collects data about the victim and sends it to the control server."
"T1124::As part of the data reconnaissance phase, [Proxysvc] grabs the system time to send back to the control server."
"T1485::[Proxysvc] can overwrite files indicated by the attacker before deleting them."
"T1569.002::[Proxysvc] registers itself as a service on the victim’s machine to run as a standalone process."
"T1027::[PS1] is distributed as a set of encrypted files and scripts."
"T1055.001::[PS1] can inject its payload DLL Into memory."
"T1059.001::[PS1] can utilize a PowerShell loader."
"T1105::[CostaBricks] can download additional payloads onto a compromised host."
"T1140::[PS1] can use an XOR key to decrypt a PowerShell loader and payload binary."
"T1041::[Psylo] exfiltrates data to its C2 server over the same protocol as C2 communications."
"T1070.006::[Psylo] has a command to conduct timestomping by setting a specified file’s timestamps to match those of a system file in the System32 directory."
"T1071.001::[Psylo] uses HTTPS for C2."
"T1083::[Psylo] has commands to enumerate all storage devices and to find all files that start with a particular string."
"T1105::[Psylo] has a command to download a file to the system from its C2 server."
"T1027.007::[Pteranodon] can use a dynamic Windows hashing algorithm to map API components."
"T1041::[Pteranodon] exfiltrates screenshot files to its C2 server."
"T1053.005::[Pteranodon] schedules tasks to invoke its components in order to establish persistence."
"T1059.003::[Pteranodon] can use `cmd.exe` for execution on victim systems."
"T1059.005::[Pteranodon] can use a malicious VBS file for execution."
"T1070.004::[Pteranodon] can delete files that may interfere with it executing. It also can delete temporary files and itself after the initial script executes."
"T1071.001::[Pteranodon] can use HTTP for C2."
"T1074.001::[Pteranodon] creates various subdirectories under %Temp%\\reports\\% and copies files to those subdirectories. It also creates a folder at C:\\Users\\<Username>\\AppData\\Roaming\\Microsoft\\store to store screenshot JPEG files."
"T1083::[Pteranodon] identifies files matching certain file extension and copies them to subdirectories it created."
"T1105::[Pteranodon] can download and execute additional files."
"T1106::[Pteranodon] has used various API calls."
"T1113::[Pteranodon] can capture screenshots at a configurable interval."
"T1140::[Pteranodon] can decrypt encrypted data strings prior to using them."
"T1218.005::[Pteranodon] can use mshta.exe to execute an HTA file hosted on a remote server."
"T1218.011::[Pteranodon] executes functions using rundll32.exe."
"T1497::[Pteranodon] has the ability to use anti-detection functions to identify sandbox environments."
"T1547.001::[Pteranodon] copies itself to the Startup folder to establish persistence."
"T1027::[PUNCHBUGGY] has hashed most its code's functions and encrypted payloads with base64 and XOR."
"T1036.005::[PUNCHBUGGY] mimics filenames from %SYSTEM%\\System32 to hide DLLs in %WINDIR% and/or %TEMP%."
"T1059.001::[PUNCHBUGGY] has used [PowerShell] scripts."
"T1059.006::[PUNCHBUGGY] has used python scripts."
"T1070.004::[PUNCHBUGGY] can delete files written to disk."
"T1071.001::[PUNCHBUGGY] enables remote interaction and can obtain additional code over HTTPS GET and POST requests."
"T1074.001::[PUNCHBUGGY] has saved information to a random temp file before exfil."
"T1082::[PUNCHBUGGY] can gather system information such as computer names."
"T1087.001::[PUNCHBUGGY] can gather user names."
"T1105::[PUNCHBUGGY] can download additional files and payloads to compromised hosts."
"T1129::[PUNCHBUGGY] can load a DLL using the LoadLibrary API."
"T1140::[PUNCHBUGGY] has used [PowerShell] to decode base64-encoded assembly."
"T1218.011::[PUNCHBUGGY] can load a DLL using Rundll32."
"T1518.001::[PUNCHBUGGY] can gather AVs registered in the system."
"T1546.009::[PUNCHBUGGY] can establish using a AppCertDLLs Registry key."
"T1547.001::[PUNCHBUGGY] has been observed using a Registry Run key."
"T1560.001::[PUNCHBUGGY] has Gzipped information and saved it to a random temp file before exfil."
"T1005::[PUNCHTRACK] scrapes memory for properly formatted payment card data."
"T1027::[PUNCHTRACK] is loaded and executed by a highly obfuscated launcher."
"T1074.001::[PUNCHTRACK] aggregates collected data in a tmp file."
"T1027::[PyDCrypt] has been compiled and encrypted with PyInstaller, specifically using the --key flag during the build phase."
"T1033::[PyDCrypt] has probed victim machines with whoami and has collected the username from the machine."
"T1036.005::[PyDCrypt] has dropped [DCSrv] under the `svchost.exe` name to disk."
"T1047::[PyDCrypt] has attempted to execute with WMIC."
"T1049::[PyDCrypt] has used [netsh] to find RPC connections on remote machines."
"T1059.001::[PyDCrypt] has attempted to execute with PowerShell."
"T1059.003::[PyDCrypt] has used `cmd.exe` for execution."
"T1059.006::[PyDCrypt], along with its functions, is written in Python."
"T1070.004::[PyDCrypt] will remove all created artifacts such as dropped executables."
"T1140::[PyDCrypt] has decrypted and dropped the [DCSrv] payload to disk."
"T1562.004::[PyDCrypt] has modified firewall rules to allow incoming SMB, NetBIOS, and RPC connections using `netsh.exe` on remote machines."
"T1003.001::[Pysa] can perform OS credential dumping using [Mimikatz]."
"T1016::[Pysa] can perform network reconnaissance using the Advanced IP Scanner tool."
"T1021.001::[Pysa] has laterally moved using RDP connections."
"T1036.005::[Pysa] has executed a malicious executable by naming it svchost.exe."
"T1046::[Pysa] can perform network reconnaissance using the Advanced Port Scanner tool."
"T1059.001::[Pysa] has used Powershell scripts to deploy its ransomware."
"T1059.006::[Pysa] has used Python scripts to deploy ransomware."
"T1070.004::[Pysa] has deleted batch files after execution."
"T1110::[Pysa] has used brute force attempts against a central management console, as well as some Active Directory accounts."
"T1112::[Pysa] has modified the registry key “SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System” and added the ransom note."
"T1486::[Pysa] has used RSA and AES-CBC encryption algorithm to encrypt a list of targeted file extensions."
"T1489::[Pysa] can stop services and processes."
"T1490::[Pysa] has the functionality to delete shadow copies."
"T1552.001::[Pysa] has extracted credentials from the password database before encrypting the files."
"T1562.001::[Pysa] has the capability to stop antivirus services and disable Windows Defender."
"T1569.002::[Pysa] has used [PsExec] to copy and execute the ransomware."
"T1005::[QakBot] can use a variety of commands, including esentutl.exe to steal sensitive data from Internet Explorer and Microsoft Edge, to acquire information that is subsequently exfiltrated."
"T1010::[QakBot] has the ability to enumerate windows on a compromised host."
"T1016.001::[QakBot] can measure the download speed on a targeted host."
"T1016::[QakBot] can use net config workstation, arp -a, and ipconfig /all to gather network configuration information."
"T1018::[QakBot] can identify remote systems through the net view command."
"T1027.001::[QakBot] can use large file sizes to evade detection."
"T1027.002::[QakBot] can encrypt and pack malicious payloads."
"T1027.005::[QakBot] can make small changes to itself in order to change its checksum and hash value."
"T1027::[QakBot] can use obfuscated and encoded scripts; it has also hidden code within Excel spreadsheets by turning the font color to white and splitting it across multiple cells."
"T1033::[QakBot] can identify the user name on a compromised system."
"T1036::The [QakBot] payload has been disguised as a PNG file."
"T1041::[QakBot] can send stolen information to C2 nodes including passwords, accounts, and emails."
"T1047::[QakBot] can execute WMI queries to gather information."
"T1049::[QakBot] can use netstat to enumerate current network connections."
"T1053.005::[QakBot] has the ability to create scheduled tasks for persistence."
"T1055.012::[QakBot] can use process hollowing to execute its main payload."
"T1055::[QakBot] can inject itself into processes including explore.exe, Iexplore.exe, and Mobsync.exe."
"T1056.001::[QakBot] can capture keystrokes on a compromised host."
"T1057::[QakBot] has the ability to check running processes."
"T1059.001::[QakBot] can use PowerShell to download and execute payloads."
"T1059.003::[QakBot] can use cmd.exe to launch itself and to execute multiple C2 commands."
"T1059.005::[QakBot] can use VBS to download and execute malicious files."
"T1059.007::The [QakBot] web inject module can inject Java Script into web banking pages visited by the victim."
"T1069.001::[QakBot] can use net localgroup to enable discovery of local groups."
"T1070.004::[QakBot] can delete folders and files including overwriting its executable with legitimate programs."
"T1071.001::[QakBot] has the ability to use HTTP and HTTPS in communication with C2 servers."
"T1074.001::[QakBot] has stored stolen emails and other data into new folders prior to exfiltration."
"T1082::[QakBot] can collect system information including the OS version and domain on a compromised host."
"T1083::[QakBot] can identify whether it has been run previously on a host by checking for a specified folder."
"T1090.002::[QakBot] has a module that can proxy C2 communications."
"T1091::[QakBot] has the ability to use removable drives to spread through compromised networks."
"T1095::[QakBot] has the ability use TCP to send or receive C2 packets."
"T1105::[QakBot] has the ability to download additional components and malware."
"T1106::[QakBot] can use GetProcAddress to help delete malicious strings from memory."
"T1110::[QakBot] can conduct brute force attacks to capture credentials."
"T1112::[QakBot] can store its configuration information in a randomly named subkey under HKCU\\Software\\Microsoft."
"T1114.001::[QakBot] can target and steal locally stored emails to support thread hijacking phishing campaigns."
"T1120::[QakBot] can identify peripheral devices on targeted systems."
"T1124::[QakBot] can identify the system time on a targeted host."
"T1132.001::[QakBot] can Base64 encode system information sent to C2."
"T1135::[QakBot] can use net share to identify network shares for use in lateral movement."
"T1140::[QakBot] can deobfuscate and re-assemble code strings for execution."
"T1185::[QakBot] can use advanced web injects to steal web banking credentials."
"T1204.001::[QakBot] has gained execution through users opening malicious links."
"T1204.002::[QakBot] has gained execution through users opening malicious attachments."
"T1210::[QakBot] can move laterally using worm-like functionality through exploitation of SMB."
"T1218.007::[QakBot] can use MSIExec to spawn multiple cmd.exe processes."
"T1218.010::[QakBot] can use Regsvr32 to execute malicious DLLs."
"T1218.011::[QakBot] can use Rundll32.exe to enable C2 communication."
"T1482::[QakBot] can run nltest /domain_trusts /all_trusts for domain trust discovery."
"T1497.001::[QakBot] can check the compromised host for the presence of multiple executables associated with analysis tools and halt execution if any are found."
"T1497.003::The [QakBot] dropper can delay dropping the payload to evade detection."
"T1518.001::[QakBot] can identify the installed antivirus product on a targeted system."
"T1518::[QakBot] can enumerate a list of installed programs."
"T1539::[QakBot] has the ability to capture web session cookies."
"T1547.001::[QakBot] can maintain persistence by creating an auto-run Registry key."
"T1553.002::[QakBot] can use signed loaders to evade detection."
"T1555.003::[QakBot] has collected usernames and passwords from Firefox and Chrome."
"T1562.001::[QakBot] has the ability to modify the Registry to add its binaries to the Windows Defender exclusion list."
"T1566.001::[QakBot] has spread through emails with malicious attachments."
"T1566.002::[QakBot] has spread through emails with malicious links."
"T1568.002::[QakBot] can use domain generation algorithms in C2 communication."
"T1572::The [QakBot] proxy module can encapsulate SOCKS5 protocol within its own proxy protocol."
"T1573.001::[QakBot] can RC4 encrypt strings in C2 communication."
"T1008::[QUADAGENT] uses multiple protocols (HTTPS, HTTP, DNS) for its C2 server as fallback channels if communication with one is unsuccessful."
"T1012::[QUADAGENT] checks if a value exists within a Registry key in the HKCU hive whose name is the same as the scheduled task it has created."
"T1016::[QUADAGENT] gathers the current domain the victim system belongs to."
"T1027::[QUADAGENT] was likely obfuscated using Invoke-Obfuscation."
"T1033::[QUADAGENT] gathers the victim username."
"T1036.005::[QUADAGENT] used the PowerShell filenames Office365DCOMCheck.ps1 and SystemDiskClean.ps1."
"T1053.005::[QUADAGENT] creates a scheduled task to maintain persistence on the victim’s machine."
"T1059.001::[QUADAGENT] uses PowerShell scripts for execution."
"T1059.003::[QUADAGENT] uses cmd.exe to execute scripts and commands on the victim’s machine."
"T1059.005::[QUADAGENT] uses VBScripts."
"T1070.004::[QUADAGENT] has a command to delete its Registry key and scheduled task."
"T1071.001::[QUADAGENT] uses HTTPS and HTTP for C2 communications."
"T1071.004::[QUADAGENT] uses DNS for C2 communications."
"T1112::[QUADAGENT] modifies an HKCU Registry key to store a session identifier unique to the compromised system as well as a pre-shared key used for encrypting and decrypting C2 communications."
"T1132.001::[QUADAGENT] encodes C2 communications with base64."
"T1140::[QUADAGENT] uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts."
"T1005::[QuietSieve] can collect files from a compromised host."
"T1016.001::[QuietSieve] can check C2 connectivity with a `ping` to 8.8.8.8 (Google public DNS)."
"T1071.001::[QuietSieve] can use HTTPS in C2 communications."
"T1083::[QuietSieve] can search files on the target host by extension, including doc, docx, xls, rtf, odt, txt, jpg, pdf, rar, zip, and 7z."
"T1105::[QuietSieve] can download and execute payloads on a target host."
"T1113::[QuietSieve] has taken screenshots every five minutes and saved them to the user's local Application Data folder under `Temp\\SymbolSourceSymbols\\icons` or `Temp\\ModeAuto\\icons`."
"T1120::[QuietSieve] can identify and search removable drives for specific file name extensions."
"T1135::[QuietSieve] can identify and search networked drives for specific file name extensions."
"T1564.003::[QuietSieve] has the ability to execute payloads in a hidden window."
"T1059.003::[Ragnar Locker] has used cmd.exe and batch scripts to execute commands."
"T1120::[Ragnar Locker] may attempt to connect to removable drives and mapped network drives."
"T1218.007::[Ragnar Locker] has been delivered as an unsigned MSI package that was executed with msiexec.exe."
"T1218.010::[Ragnar Locker] has used regsvr32.exe to execute components of VirtualBox."
"T1218.011::[Ragnar Locker] has used rundll32.exe to execute components of VirtualBox."
"T1486::[Ragnar Locker] encrypts files on the local machine and mapped drives prior to displaying a note demanding a ransom."
"T1489::[Ragnar Locker] has attempted to stop services associated with business applications and databases to release the lock on files used by these applications so they may be encrypted."
"T1490::[Ragnar Locker] can delete volume shadow copies using vssadmin delete shadows /all /quiet."
"T1543.003::[Ragnar Locker] has used sc.exe to create a new service for the VirtualBox driver."
"T1562.001::[Ragnar Locker] has attempted to terminate/stop processes and services associated with endpoint security products."
"T1564.006::[Ragnar Locker] has used VirtualBox and a stripped Windows XP virtual machine to run itself. The use of a shared folder specified in the configuration enables [Ragnar Locker] to encrypt files on the host operating system, including files on any mapped drives."
"T1569.002::[Ragnar Locker] has used sc.exe to execute a service that it creates."
"T1614::Before executing malicious code, [Ragnar Locker] checks the Windows API GetLocaleInfoW and doesn't encrypt files if it finds a former Soviet country."
"T1027.002::[Raindrop] used a custom packer for its [Cobalt Strike] payload, which was compressed using the LZMA algorithm."
"T1027.003::[Raindrop] used steganography to locate the start of its encoded payload within legitimate 7-Zip code."
"T1027::[Raindrop] encrypted its payload using a simple XOR algorithm with a single-byte key."
"T1036.005::[Raindrop] was installed under names that resembled legitimate Windows file and directory names."
"T1036::[Raindrop] was built to include a modified version of 7-Zip source code (including associated export names) and Far Manager source code."
"T1140::[Raindrop] decrypted its [Cobalt Strike] payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample."
"T1497.003::After initial installation, [Raindrop] runs a computation to delay execution."
"T1005::[RainyDay] can use a file exfiltration tool to collect recently changed files on a compromised host."
"T1007::[RainyDay] can create and register a service for execution."
"T1008::[RainyDay] has the ability to switch between TCP and HTTP for C2 if one method is not working."
"T1027::[RainyDay] has downloaded as a XOR-encrypted payload."
"T1036.004::[RainyDay] has named services and scheduled tasks to appear benign including \"ChromeCheck\" and \"googleupdate.\""
"T1036.005::[RainyDay] has used names to mimic legitimate software including \"vmtoolsd.exe\" to spoof Vmtools."
"T1053.005::[RainyDay] can use scheduled tasks to achieve persistence."
"T1057::[RainyDay] can enumerate processes on a target system."
"T1059.003::[RainyDay] can use the Windows Command Shell for execution."
"T1070.004::[RainyDay] has the ability to uninstall itself by deleting its service and files."
"T1071.001::[RainyDay] can use HTTP in C2 communications."
"T1074.001::[RainyDay] can use a file exfiltration tool to copy files to C:\\ProgramData\\Adobe\\temp prior to exfiltration."
"T1083::[RainyDay] can use a file exfiltration tool to collect recently changed files with specific extensions."
"T1090::[RainyDay] can use proxy tools including boost_proxy_client for reverse proxy functionality."
"T1095::[RainyDay] can use TCP in C2 communications."
"T1105::[RainyDay] can download files to a compromised host."
"T1106::The file collection tool used by [RainyDay] can utilize native API including ReadDirectoryChangeW for folder monitoring."
"T1113::[RainyDay] has the ability to capture screenshots."
"T1140::[RainyDay] can decrypt its payload via a XOR key."
"T1543.003::[RainyDay] can use services to establish persistence."
"T1555.003::[RainyDay] can use tools to collect credentials from web browsers."
"T1555.004::[RainyDay] can use the QuarksPwDump tool to obtain local passwords and domain cached credentials."
"T1567.002::[RainyDay] can use a file exfiltration tool to upload specific files to Dropbox."
"T1573.001::[RainyDay] can use RC4 to encrypt C2 communications."
"T1574.002::[RainyDay] can use side-loading to run malicious executables."
"T1005::[Ramsay] can collect Microsoft Word documents from the target's file system, as well as .txt, .doc, and .xls files from the Internet Explorer cache."
"T1014::[Ramsay] has included a rootkit to evade defenses."
"T1016::[Ramsay] can use [ipconfig] and [Arp] to collect network configuration information, including routing information and ARP tables."
"T1025::[Ramsay] can collect data from removable media and stage it for exfiltration."
"T1027.003::[Ramsay] has PE data embedded within JPEG files contained within Word documents."
"T1027::[Ramsay] has base64-encoded its portable executable and hidden itself under a JPG header. [Ramsay] can also embed information within document footers."
"T1036.005::[Ramsay] has masqueraded as a 7zip installer."
"T1036::[Ramsay] has masqueraded as a JPG image file."
"T1039::[Ramsay] can collect data from network drives and stage it for exfiltration."
"T1046::[Ramsay] can scan for systems that are vulnerable to the EternalBlue exploit."
"T1049::[Ramsay] can use netstat to enumerate network connections."
"T1053.005::[Ramsay] can schedule tasks via the Windows COM API to maintain persistence."
"T1055.001::[Ramsay] can use ImprovedReflectiveDLLInjection to deploy components."
"T1057::[Ramsay] can gather a list of running processes by using [Tasklist]."
"T1059.005::[Ramsay] has included embedded Visual Basic scripts in malicious documents."
"T1071.001::[Ramsay] has used HTTP for C2."
"T1074.001::[Ramsay] can stage data prior to exfiltration in %APPDATA%\\Microsoft\\UserSetting and %APPDATA%\\Microsoft\\UserSetting\\MediaCache."
"T1080::[Ramsay] can spread itself by infecting other portable executable files on networks shared drives."
"T1082::[Ramsay] can detect system information--including disk names, total space, and remaining space--to create a hardware profile GUID which acts as a system identifier for operators."
"T1083::[Ramsay] can collect directory and file lists."
"T1091::[Ramsay] can spread itself by infecting other portable executable files on removable drives."
"T1106::[Ramsay] can use Windows API functions such as WriteFile, CloseHandle, and GetCurrentHwProfile during its collection and file storage operations. [Ramsay] can execute its embedded components via CreateProcessA and ShellExecute."
"T1113::[Ramsay] can take screenshots every 30 seconds as well as when an external removable storage device is connected."
"T1119::[Ramsay] can conduct an initial scan for Microsoft Word documents on the local system, removable media, and connected network drives, before tagging and collecting them. It can continue tagging documents to collect with follow up scans."
"T1120::[Ramsay] can scan for removable media which may contain documents for collection."
"T1132.001::[Ramsay] has used base64 to encode its C2 traffic."
"T1135::[Ramsay] can scan for network drives which may contain documents for collection."
"T1140::[Ramsay] can extract its agent from the body of a malicious document."
"T1203::[Ramsay] has been embedded in documents exploiting CVE-2017-0199, CVE-2017-11882, and CVE-2017-8570."
"T1204.002::[Ramsay] has been executed through malicious e-mail attachments."
"T1546.010::[Ramsay] can insert itself into the address space of other applications using the AppInit DLL Registry key."
"T1547.001::[Ramsay] has created Registry Run keys to establish persistence."
"T1548.002::[Ramsay] can use [UACMe] for privilege escalation."
"T1559.001::[Ramsay] can use the Windows COM API to schedule tasks and maintain persistence."
"T1559.002::[Ramsay] has been delivered using OLE objects in malicious documents."
"T1560.001::[Ramsay] can compress and archive collected files using WinRAR."
"T1560.003::[Ramsay] can store collected documents in a custom container after encrypting and compressing them using RC4 and WinRAR."
"T1566.001::[Ramsay] has been distributed through spearphishing emails with malicious attachments."
"T1574.001::[Ramsay] can hijack outdated Windows application dependencies with malicious versions of its own DLL payload."
"T1055.001::After decrypting itself in memory, [RARSTONE] downloads a DLL file from its C2 server and loads it in the memory space of a hidden Internet Explorer process. This “downloaded” file is actually not dropped onto the system."
"T1083::[RARSTONE] obtains installer properties from Uninstall Registry Key entries to obtain information about installed applications and how to uninstall certain applications."
"T1095::[RARSTONE] uses SSL to encrypt its communication with its C2 server."
"T1105::[RARSTONE] downloads its backdoor component from a C2 server and loads it directly into memory."
"T1007::[RATANKBA] uses tasklist /svc to display running tasks."
"T1012::[RATANKBA] uses the command reg query “HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\InternetSettings”."
"T1016::[RATANKBA] gathers the victim’s IP address via the ipconfig -all command."
"T1018::[RATANKBA] runs the net view /domain and net view commands."
"T1033::[RATANKBA] runs the whoami and query user commands."
"T1047::[RATANKBA] uses WMI to perform process monitoring."
"T1049::[RATANKBA] uses netstat -ano to search for specific IP address ranges."
"T1055.001::[RATANKBA] performs a reflective DLL injection using a given pid."
"T1057::[RATANKBA] lists the system’s processes."
"T1059.001::There is a variant of [RATANKBA] that uses a PowerShell script instead of the traditional PE form."
"T1059.003::[RATANKBA] uses cmd.exe to execute commands."
"T1071.001::[RATANKBA] uses HTTP/HTTPS for command and control communication."
"T1082::[RATANKBA] gathers information about the OS architecture, OS name, and OS version/Service pack."
"T1087.001::[RATANKBA] uses the net user command."
"T1105::[RATANKBA] uploads and downloads information."
"T1005::[RawPOS] dumps memory from specific processes on a victim system, parses the dumped files, and scrapes them for credit card data."
"T1036.004::New services created by [RawPOS] are made to appear like legitimate Windows services, with names such as \"Windows Management Help Service\", \"Microsoft Support\", and \"Windows Advanced Task Manager\"."
"T1074.001::Data captured by [RawPOS] is placed in a temporary file under a directory named \"memdump\"."
"T1543.003::[RawPOS] installs itself as a service to maintain persistence."
"T1560.003::[RawPOS] encodes credit card data it collected from the victim with XOR."
"T1005::[RCSession] can collect data from a compromised host."
"T1027::[RCSession] can compress and obfuscate its strings to evade detection on a compromised host."
"T1033::[RCSession] can gather system owner information, including user and administrator privileges."
"T1036::[RCSession] has used a file named English.rtf to appear benign on victim hosts."
"T1055.012::[RCSession] can launch itself from a hollowed svchost.exe process."
"T1056.001::[RCSession] has the ability to capture keystrokes on a compromised host."
"T1057::[RCSession] can identify processes based on PID."
"T1059.003::[RCSession] can use `cmd.exe` for execution on compromised hosts."
"T1070.004::[RCSession] can remove files from a targeted system."
"T1071.001::[RCSession] can use HTTP in C2 communications."
"T1082::[RCSession] can gather system information from a compromised host."
"T1095::[RCSession] has the ability to use TCP and UDP in C2 communications."
"T1105::[RCSession] has the ability to drop additional files to an infected machine."
"T1106::[RCSession] can use WinSock API for communication including WSASend and WSARecv."
"T1112::[RCSession] can write its configuration file to the Registry."
"T1113::[RCSession] can capture screenshots from a compromised host."
"T1218.007::[RCSession] has the ability to execute inside the msiexec.exe process."
"T1547.001::[RCSession] has the ability to modify a Registry Run key to establish persistence."
"T1548.002::[RCSession] can bypass UAC to escalate privileges."
"T1573::[RCSession] can use an encrypted beacon to check in with C2."
"T1574.002::[RCSession] can be installed via DLL side-loading."
"T1001.002::[RDAT] can process steganographic images attached to email messages to send and receive C2 commands. [RDAT] can also embed additional messages within BMP images to communicate with the [RDAT] operator."
"T1001::[RDAT] has used encoded data within subdomains as AES ciphertext to communicate from the host to the C2."
"T1008::[RDAT] has used HTTP if DNS C2 communications were not functioning."
"T1027.003::[RDAT] can also embed data within a BMP image prior to exfiltration."
"T1030::[RDAT] can upload a file via HTTP POST response to the C2 split into 102,400-byte portions. [RDAT] can also download data from the C2 which is split into 81,920-byte portions."
"T1036.004::[RDAT] has used Windows Video Service as a name for malicious services."
"T1036.005::[RDAT] has masqueraded as VMware.exe."
"T1041::[RDAT] can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel."
"T1059.003::[RDAT] has executed commands using cmd.exe /c."
"T1070.004::[RDAT] can issue SOAP requests to delete already processed C2 emails. [RDAT] can also delete itself from the infected system."
"T1071.001::[RDAT] can use HTTP communications for C2, as well as using the WinHTTP library to make requests to the Exchange Web Services API."
"T1071.003::[RDAT] can use email attachments for C2 communications."
"T1071.004::[RDAT] has used DNS to communicate with the C2."
"T1105::[RDAT] can download files via DNS."
"T1113::[RDAT] can take a screenshot on the infected system."
"T1132.001::[RDAT] can communicate with the C2 via base32-encoded subdomains."
"T1132.002::[RDAT] can communicate with the C2 via subdomains that utilize base64 with character substitutions."
"T1140::[RDAT] can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server."
"T1543.003::[RDAT] has created a service when it is installed on the victim machine."
"T1573.001::[RDAT] has used AES ciphertext to encode C2 communications."
"T1056.004::[RDFSNIFFER] hooks several Win32 API functions to hijack elements of the remote system management user-interface."
"T1070.004::[RDFSNIFFER] has the capability of deleting local files."
"T1106::[RDFSNIFFER] has used several Win32 API functions to interact with the victim machine."
"T1012::[Reaver] queries the Registry to determine the correct Startup path to use for persistence."
"T1016::[Reaver] collects the victim's IP address."
"T1027::[Reaver] encrypts some of its files with XOR."
"T1033::[Reaver] collects the victim's username."
"T1070.004::[Reaver] deletes the original dropped file from the victim."
"T1071.001::Some [Reaver] variants use HTTP for C2."
"T1082::[Reaver] collects system information from the victim, including CPU speed, computer name, volume serial number, ANSI code page, OEM code page identifier for the OS, Microsoft Windows version, and memory information."
"T1095::Some [Reaver] variants use raw TCP for C2."
"T1218.002::[Reaver] drops and executes a malicious CPL file as its payload."
"T1543.003::[Reaver] installs itself as a new service."
"T1547.001::[Reaver] creates a shortcut file and saves it in a Startup folder to establish persistence."
"T1547.009::[Reaver] creates a shortcut file and saves it in a Startup folder to establish persistence."
"T1560.003::[Reaver] encrypts collected data with an incremental XOR key prior to exfiltration."
"T1016::[RedLeaves] can obtain information about network parameters."
"T1027::A [RedLeaves] configuration file is encrypted with a simple XOR key, 0x53."
"T1033::[RedLeaves] can obtain information about the logged on user both locally and for Remote Desktop sessions."
"T1049::[RedLeaves] can enumerate drives and Remote Desktop sessions."
"T1059.003::[RedLeaves] can receive and execute commands with cmd.exe. It can also provide a reverse shell."
"T1070.004::[RedLeaves] can delete specified files."
"T1071.001::[RedLeaves] can communicate to its C2 over HTTP and HTTPS if directed."
"T1082::[RedLeaves] can gather extended system information including the hostname, OS version number, platform, memory information, time elapsed since system startup, and CPU information."
"T1083::[RedLeaves] can enumerate and search for files and directories."
"T1105::[RedLeaves] is capable of downloading a file from a specified URL."
"T1113::[RedLeaves] can capture screenshots."
"T1547.001::[RedLeaves] attempts to add a shortcut file in the Startup folder to achieve persistence. If this fails, it attempts to add Registry Run keys."
"T1547.009::[RedLeaves] attempts to add a shortcut file in the Startup folder to achieve persistence."
"T1555.003::[RedLeaves] can gather browser usernames and passwords."
"T1571::[RedLeaves] can use HTTP over non-standard ports, such as 995, for C2."
"T1573.001::[RedLeaves] has encrypted C2 traffic with RC4, previously using keys of 88888888 and babybear."
"T1574.001::[RedLeaves] is launched through use of DLL search order hijacking to load a malicious dll."
"T1027.003::[RegDuke] can hide data in images, including use of the Least Significant Bit (LSB)."
"T1027::[RegDuke] can use control-flow flattening or the commercially available .NET Reactor for obfuscation."
"T1059.001::[RegDuke] can extract and execute PowerShell scripts from C2 communications."
"T1102.002::[RegDuke] can use Dropbox as its C2 server."
"T1105::[RegDuke] can download files from C2."
"T1112::[RegDuke] can store its encryption key in the Registry."
"T1140::[RegDuke] can decrypt strings with a key either stored in the Registry or hardcoded in the code."
"T1546.003::[RegDuke] can persist using a WMI consumer that is launched every time a process named WINWORD.EXE is started."
"T1021.002::The [Regin] malware platform can use Windows admin shares to move laterally."
"T1036.001::[Regin] stage 1 modules for 64-bit systems have been found to be signed with fake certificates masquerading as originating from Microsoft Corporation and Broadcom Corporation."
"T1040::[Regin] appears to have functionality to sniff for credentials passed over HTTP, SMTP, and SMB."
"T1056.001::[Regin] contains a keylogger."
"T1071.001::The [Regin] malware platform supports many standard protocols, including HTTP and HTTPS."
"T1071::The [Regin] malware platform supports many standard protocols, including SMB."
"T1090.002::[Regin] leveraged several compromised universities as proxies to obscure its origin."
"T1095::The [Regin] malware platform can use ICMP to communicate between infected computers."
"T1112::[Regin] appears to have functionality to modify remote Registry information."
"T1564.004::The [Regin] malware platform uses Extended Attributes to store encrypted executables."
"T1564.005::[Regin] has used a hidden file system to store some of its components."
"T1010::[Remexi] has a command to capture active windows on the machine and retrieve window titles."
"T1027::[Remexi] obfuscates its configuration data with XOR."
"T1041::[Remexi] performs exfiltration over [BITSAdmin], which is also used for the C2 channel."
"T1047::[Remexi] executes received commands with wmic.exe (for WMI commands)."
"T1053.005::[Remexi] utilizes scheduled tasks as a persistence mechanism."
"T1056.001::[Remexi] gathers and exfiltrates keystrokes from the machine."
"T1059.003::[Remexi] silently executes received commands with cmd.exe."
"T1059.005::[Remexi] uses AutoIt and VBS scripts throughout its execution process."
"T1071.001::[Remexi] uses [BITSAdmin] to communicate with the C2 server over HTTP."
"T1083::[Remexi] searches for files on the system."
"T1113::[Remexi] takes screenshots of windows of interest."
"T1115::[Remexi] collects text from the clipboard."
"T1140::[Remexi] decrypts the configuration data using XOR with 25-character keys."
"T1547.001::[Remexi] utilizes Run Registry keys in the HKLM hive as a persistence mechanism."
"T1547.004::[Remexi] achieves persistence using Userinit by adding the Registry key HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Userinit."
"T1560::[Remexi] encrypts and adds all gathered browser data into files for upload to C2."
"T1053.005::[RemoteCMD] can execute commands remotely by creating a new schedule task on the remote system"
"T1105::[RemoteCMD] copies a file over to the remote system before execution."
"T1569.002::[RemoteCMD] can execute commands remotely by creating a new service on the remote system."
"T1003.002::[Remsec] can dump the SAM database."
"T1016::[Remsec] can obtain information about network configuration, including the routing table, ARP cache, and DNS cache."
"T1018::[Remsec] can ping or traceroute a remote host."
"T1025::[Remsec] has a package that collects documents from any inserted USB sticks."
"T1027::Some data in [Remsec] is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded."
"T1033::[Remsec] can obtain information about the current user."
"T1036.005::The [Remsec] loader implements itself with the name Security Support Provider, a legitimate Windows function. Various [Remsec] .exe files mimic legitimate file names used by Microsoft, Symantec, Kaspersky, Hewlett-Packard, and VMWare. [Remsec] also disguised malicious modules using similar filenames as custom network encryption software on victims."
"T1046::[Remsec] has a plugin that can perform ARP scanning as well as port scanning."
"T1048.003::[Remsec] can exfiltrate data via a DNS tunnel or email, separately from its C2 channel."
"T1049::[Remsec] can obtain a list of active connections and open ports."
"T1052.001::[Remsec] contains a module to move data from airgapped networks to Internet-connected systems by using a removable USB device."
"T1053::[Remsec] schedules the execution one of its modules by creating a new scheduler task."
"T1055.001::[Remsec] can perform DLL injection."
"T1056.001::[Remsec] contains a keylogger component."
"T1057::[Remsec] can obtain a process list from the victim."
"T1068::[Remsec] has a plugin to drop and execute vulnerable Outpost Sandbox or avast! Virtualization drivers in order to gain kernel mode privileges."
"T1070.004::[Remsec] is capable of deleting files on the victim. It also securely removes itself after collecting and exfiltrating data."
"T1071.001::[Remsec] is capable of using HTTP and HTTPS for C2."
"T1071.003::[Remsec] is capable of using SMTP for C2."
"T1071.004::[Remsec] is capable of using DNS for C2."
"T1082::[Remsec] can obtain the OS version information, computer name, processor architecture, machine role, and OS edition."
"T1083::[Remsec] is capable of listing contents of folders on the victim. [Remsec] also searches for custom network encryption software on victims."
"T1087.001::[Remsec] can obtain a list of users."
"T1095::[Remsec] is capable of using ICMP, TCP, and UDP for C2."
"T1105::[Remsec] contains a network loader to receive executable modules from remote attackers and run them on the local victim. It can also upload and download files over HTTP and HTTPS."
"T1518.001::[Remsec] has a plugin to detect active drivers of some security products."
"T1556.002::[Remsec] harvests plain-text credentials as a password filter registered on domain controllers."
"T1562.004::[Remsec] can add or remove applications or ports on the Windows firewall or disable it entirely."
"T1003::[Revenge RAT] has a plugin for credential harvesting."
"T1016::[Revenge RAT] collects the IP address and MAC address from the system."
"T1021.001::[Revenge RAT] has a plugin to perform RDP access."
"T1033::[Revenge RAT] gathers the username from the system."
"T1053.005::[Revenge RAT] schedules tasks to run malicious scripts at different intervals."
"T1056.001::[Revenge RAT] has a plugin for keylogging."
"T1059.001::[Revenge RAT] uses the PowerShell command Reflection.Assembly to load itself into memory to aid in execution."
"T1059.003::[Revenge RAT] uses cmd.exe to execute commands and run scripts on the victim's machine."
"T1082::[Revenge RAT] collects the CPU information, OS information, and system language."
"T1102.002::[Revenge RAT] used blogpost.com as its primary command and control server during a campaign."
"T1105::[Revenge RAT] has the ability to upload and download files."
"T1113::[Revenge RAT] has a plugin for screen capture."
"T1123::[Revenge RAT] has a plugin for microphone interception."
"T1125::[Revenge RAT] has the ability to access the webcam."
"T1132.001::[Revenge RAT] uses Base64 to encode information sent to the C2 server."
"T1202::[Revenge RAT] uses the [Forfiles] utility to execute commands on the system."
"T1218.005::[Revenge RAT] uses mshta.exe to run malicious scripts on the system."
"T1547.001::[Revenge RAT] creates a Registry key at HKCU\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell to survive a system reboot."
"T1007::[REvil] can enumerate active services."
"T1012::[REvil] can query the Registry to get random file extensions to append to encrypted files."
"T1027::[REvil] has used encrypted strings and configuration files."
"T1036.005::[REvil] can mimic the names of known executables."
"T1041::[REvil] can exfiltrate host and malware information to C2 servers."
"T1047::[REvil] can use WMI to monitor for and kill specific processes listed in its configuration file."
"T1055::[REvil] can inject itself into running processes on a compromised host."
"T1059.001::[REvil] has used PowerShell to delete volume shadow copies and download files."
"T1059.003::[REvil] can use the Windows command line to delete volume shadow copies and disable recovery."
"T1059.005::[REvil] has used obfuscated VBA macros for execution."
"T1069.002::[REvil] can identify the domain membership of a compromised host."
"T1070.004::[REvil] can mark its binary code for deletion after reboot."
"T1071.001::[REvil] has used HTTP and HTTPS in communication with C2."
"T1082::[REvil] can identify the username, machine name, system language, keyboard layout, OS version, and system drive information on a compromised host."
"T1083::[REvil] has the ability to identify specific files and directories that are not to be encrypted."
"T1105::[REvil] can download a copy of itself from an attacker controlled IP address to the victim machine."
"T1106::[REvil] can use Native API for execution and to retrieve active services."
"T1112::[REvil] can save encryption parameters and system information to the Registry."
"T1134.001::[REvil] can obtain the token from the user that launched the explorer.exe process to avoid affecting the desktop of the SYSTEM user."
"T1134.002::[REvil] can launch an instance of itself with administrative rights using runas."
"T1140::[REvil] can decode encrypted strings to enable execution of commands and payloads."
"T1189::[REvil] has infected victim machines through compromised websites and exploit kits."
"T1204.002::[REvil] has been executed via malicious MS Word e-mail attachments."
"T1485::[REvil] has the capability to destroy files and folders."
"T1486::[REvil] can encrypt files on victim systems and demands a ransom to decrypt the files."
"T1489::[REvil] has the capability to stop services and kill processes."
"T1490::[REvil] can use vssadmin to delete volume shadow copies and bcdedit to disable recovery features."
"T1562.001::[REvil] can connect to and disable the Symantec server on the victim's network."
"T1562.009::[REvil] can force a reboot in safe mode with networking."
"T1566.001::[REvil] has been distributed via malicious e-mail attachments including MS Word Documents."
"T1573.002::[REvil] has encrypted C2 communications with the ECIES algorithm."
"T1614.001::[REvil] can check the system language using GetUserDefaultUILanguage and GetSystemDefaultUILanguage. If the language is found in the list, the process terminates."
"T1033::[RGDoor] executes the whoami on the victim’s machine."
"T1059.003::[RGDoor] uses cmd.exe to execute commands on the victim’s machine."
"T1071.001::[RGDoor] uses HTTP for C2 communications."
"T1105::[RGDoor] uploads and downloads files to and from the victim’s machine."
"T1140::[RGDoor] decodes Base64 strings and decrypts strings using a custom XOR algorithm."
"T1505.004::[RGDoor] establishes persistence on webservers as an IIS module."
"T1560.003::[RGDoor] encrypts files with XOR before sending them back to the C2 server."
"T1016::[Rifdoor] has the ability to identify the IP address of the compromised host."
"T1027.001::[Rifdoor] has added four additional bytes of data upon launching, then saved the changed version as C:\\ProgramData\\Initech\\Initech.exe."
"T1027::[Rifdoor] has encrypted strings with a single byte XOR algorithm."
"T1033::[Rifdoor] has the ability to identify the username on the compromised host."
"T1082::[Rifdoor] has the ability to identify the Windows version on the compromised host."
"T1204.002::[Rifdoor] has been executed from malicious Excel or Word documents containing macros."
"T1547.001::[Rifdoor] has created a new registry entry at HKEY_CURRENT_USERS\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Graphics with a value of C:\\ProgramData\\Initech\\Initech.exe /run."
"T1566.001::[Rifdoor] has been distributed in e-mails with malicious Excel or Word documents."
"T1573.001::[Rifdoor] has encrypted command and control (C2) communications with a stream cipher."
"T1071.001::[APT12] has used [RIPTIDE], a RAT that uses HTTP to communicate."
"T1573.001::[APT12] has used the [RIPTIDE] RAT, which communicates over HTTP with a payload encrypted with RC4."
"T1005::[Rising Sun] has collected data and files from a compromised host."
"T1012::[Rising Sun] has identified the OS product name from a compromised host by searching the registry for `SOFTWARE\\MICROSOFT\\Windows NT\\ CurrentVersion | ProductName`."
"T1016.001::[Rising Sun] can test a connection to a specified network IP address over a specified port number."
"T1016::[Rising Sun] can detect network adapter and IP address information."
"T1027::Configuration data used by [Rising Sun] has been encrypted using an RC4 stream algorithm."
"T1033::[Rising Sun] can detect the username of the infected host."
"T1041::[Rising Sun] can send data gathered from the infected machine via HTTP POST request to the C2."
"T1057::[Rising Sun] can enumerate all running processes and process information on an infected machine."
"T1059.003::[Rising Sun] has executed commands using `cmd.exe /c “<command> > <%temp%>\\AM<random>. tmp” 2>&1`."
"T1070.004::[Rising Sun] can delete files and artifacts it creates."
"T1070::[Rising Sun] can clear a memory blog in the process by overwriting it with junk bytes."
"T1071.001::[Rising Sun] has used HTTP and HTTPS for command and control."
"T1082::[Rising Sun] can detect the computer name, operating system, and drive information, including drive type, total number of bytes on disk, total number of free bytes on disk, and name of a specified volume."
"T1083::[Rising Sun] can enumerate information about files from the infected system, including file size, attributes, creation time, last access time, and write time. [Rising Sun] can enumerate the compilation timestamp of Windows executable files."
"T1106::[Rising Sun] used dynamic API resolutions to various Windows APIs by leveraging `LoadLibrary()` and `GetProcAddress()`."
"T1140::[Rising Sun] has decrypted itself using a single-byte XOR scheme. Additionally, [Rising Sun] can decrypt its configuration data at runtime."
"T1560.003::[Rising Sun] can archive data using RC4 encryption and Base64 encoding prior to exfiltration."
"T1564.001::[Rising Sun] can modify file attributes to hide files."
"T1573.002::[Rising Sun] variants can use SSL for encrypting C2 communications."
"T1059.003::[RobbinHood] uses cmd.exe on the victim's computer."
"T1070.005::[RobbinHood] disconnects all network shares from the computer with the command net use * /DELETE /Y."
"T1486::[RobbinHood] will search for an RSA encryption key and then perform its encryption process on the system files."
"T1489::[RobbinHood] stops 181 Windows services on the system before beginning the encryption process."
"T1490::[RobbinHood] deletes shadow copies to ensure that all the data cannot be restored easily."
"T1562.001::[RobbinHood] will search for Windows services that are associated with antivirus software on the system and kill the process."
"T1542.003::[ROCKBOOT] is a Master Boot Record (MBR) bootkit that uses the MBR to establish persistence."
"T1016::[RogueRobin] gathers the IP address and domain from the victim’s machine."
"T1027::The PowerShell script with the [RogueRobin] payload was obfuscated using the COMPRESS technique in Invoke-Obfuscation."
"T1033::[RogueRobin] collects the victim’s username and whether that user is an admin."
"T1047::[RogueRobin] uses various WMI queries to check if the sample is running in a sandbox."
"T1057::[RogueRobin] checks the running processes for evidence it may be running in a sandbox environment. It specifically enumerates processes for Wireshark and Sysinternals."
"T1059.001::[RogueRobin] uses a command prompt to run a PowerShell script from Excel."
"T1059.003::[RogueRobin] uses Windows Script Components."
"T1082::[RogueRobin] gathers BIOS versions and manufacturers, the number of CPU cores, the total physical memory, and the computer name."
"T1102.002::[RogueRobin] has used Google Drive as a Command and Control channel."
"T1105::[RogueRobin] can save a new file to the system from the C2 server."
"T1113::[RogueRobin] has a command named $screenshot that may be responsible for taking screenshots of the victim machine."
"T1132.001::[RogueRobin] base64 encodes strings that are sent to the C2 over its DNS tunnel."
"T1140::[RogueRobin] decodes an embedded executable using base64 and decompresses it."
"T1218.010::[RogueRobin] uses regsvr32.exe to run a .sct file for execution."
"T1497.001::[RogueRobin] uses WMI to check BIOS version for VBOX, bochs, qemu, virtualbox, and vm to check for evidence that the script might be executing within an analysis environment."
"T1518.001::[RogueRobin] enumerates running processes to search for Wireshark and Windows Sysinternals suite."
"T1547.001::[RogueRobin] created a shortcut in the Windows startup folder to launch a PowerShell script each time the user logs in to establish persistence."
"T1547.009::[RogueRobin] establishes persistence by creating a shortcut (.LNK file) in the Windows startup folder to run a script each time the user logs in."
"T1005::[ROKRAT] can collect host data and specific file types."
"T1010::[ROKRAT] can use  the `GetForegroundWindow` and `GetWindowText` APIs to discover where the user is typing."
"T1012::[ROKRAT] can access the HKLM\\System\\CurrentControlSet\\Services\\mssmbios\\Data\\SMBiosData Registry key to obtain the System manufacturer value to identify the machine type."
"T1027::[ROKRAT] can encrypt data prior to exfiltration by using an RSA public key."
"T1033::[ROKRAT] can collect the username from a compromised host."
"T1041::[ROKRAT] can send collected files back over same C2 channel."
"T1055::[ROKRAT] can use `VirtualAlloc`, `WriteProcessMemory`, and then `CreateRemoteThread` to execute shellcode within the address space of `Notepad.exe`."
"T1056.001::[ROKRAT] can use  `SetWindowsHookEx` and `GetKeyNameText` to capture keystrokes."
"T1057::[ROKRAT] can list the current running processes on the system."
"T1059.005::[ROKRAT] has used Visual Basic for execution."
"T1070.004::[ROKRAT] can request to delete files."
"T1071.001::[ROKRAT] can use HTTP and HTTPS for command and control communication."
"T1082::[ROKRAT] can gather the hostname and the OS version to ensure it doesn’t run on a Windows XP or Windows Server 2003 systems."
"T1083::[ROKRAT] has the ability to gather a list of files and directories on the infected system."
"T1102.002::[ROKRAT] has used legitimate social networking sites and cloud platforms (including but not limited to Twitter, Yandex, Dropbox, and Mediafire) for C2 communications."
"T1105::[ROKRAT] can retrieve additional malicious payloads from its C2 server."
"T1106::[ROKRAT] can use a variety of API calls to execute shellcode."
"T1112::[ROKRAT] can modify the `HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\` registry key so it can bypass the VB object model (VBOM) on a compromised host."
"T1113::[ROKRAT] can capture screenshots of the infected system using the `gdi32` library."
"T1115::[ROKRAT] can extract clipboard data from a compromised host."
"T1123::[ROKRAT] has an audio capture and eavesdropping module."
"T1140::[ROKRAT] can decrypt strings using the victim's hostname as the key."
"T1204.002::[ROKRAT] has relied upon users clicking on a malicious attachment delivered through spearphishing."
"T1480.001::[ROKRAT] relies on a specific victim hostname to execute and decrypt important strings."
"T1497.001::[ROKRAT] can check for VMware-related files and DLLs related to sandboxes."
"T1555.003::[ROKRAT] can steal credentials stored in Web browsers by querying the sqlite database."
"T1555.004::[ROKRAT] can steal credentials by leveraging the Windows Vault mechanism."
"T1566.001::[ROKRAT] has been delivered via spearphishing emails that contain a malicious Hangul Office or Microsoft Word document."
"T1567.002::[ROKRAT] can send collected data to cloud storage services such as PCloud."
"T1622::[ROKRAT] can check for debugging tools."
"T1005::[Rover] searches for files on local drives based on a predefined list of file extensions."
"T1020::[Rover] automatically searches for files on local drives based on a predefined list of file extensions and sends them to the command and control server every 60 minutes. [Rover] also automatically sends keylogger files and screenshots to the C2 server on a regular timeframe."
"T1025::[Rover] searches for files on attached removable drives based on a predefined list of file extensions every five seconds."
"T1056.001::[Rover] has keylogging functionality."
"T1074.001::[Rover] copies files from removable drives to C:\\system."
"T1083::[Rover] automatically searches for files on local drives based on a predefined list of file extensions."
"T1112::[Rover] has functionality to remove Registry Run key persistence as a cleanup procedure."
"T1113::[Rover] takes screenshots of the compromised system's desktop and saves them to C:\\system\\screenshot.bmp for exfiltration every 60 minutes."
"T1119::[Rover] automatically collects files from the local system and removable drives based on a predefined list of file extensions on a regular timeframe."
"T1547.001::[Rover] persists by creating a Registry entry in HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\."
"T1102.001::[RTM] has used an RSS feed on Livejournal to update a list of encrypted C2 server names."
"T1189::[RTM] has distributed its malware via the RIG and SUNDOWN exploit kits, as well as online advertising network Yandex.Direct."
"T1204.002::[RTM] has attempted to lure victims into opening e-mail attachments to execute malicious code."
"T1219::[RTM] has used a modified version of TeamViewer and Remote Utilities for remote access."
"T1547.001::[RTM] has used Registry run keys to establish persistence for the [RTM] Trojan and other tools, such as a modified version of TeamViewer remote desktop software."
"T1566.001::[RTM] has used spearphishing attachments to distribute its malware."
"T1574.001::[RTM] has used search order hijacking to force TeamViewer to load a malicious DLL."
"T1056.001::[RunningRAT] captures keystrokes and sends them back to the C2 server."
"T1059.003::[RunningRAT] uses a batch file to kill a security program task and then attempts to remove itself."
"T1070.001::[RunningRAT] contains code to clear event logs."
"T1070.004::[RunningRAT] contains code to delete files from the victim’s machine."
"T1082::[RunningRAT] gathers the OS version, logical drives information, processor information, and volume information."
"T1115::[RunningRAT] contains code to open and copy data from the clipboard."
"T1547.001::[RunningRAT] adds itself to the Registry key Software\\Microsoft\\Windows\\CurrentVersion\\Run to establish persistence upon reboot."
"T1560::[RunningRAT] contains code to compress files."
"T1562.001::[RunningRAT] kills antimalware running process."
"T1016::[Ryuk] has called GetIpNetTable in attempt to identify all mounted drives and hosts that have Address Resolution Protocol (ARP) entries."
"T1021.002::[Ryuk] has used the C$ network share for lateral movement."
"T1027::[Ryuk] can use anti-disassembly and code transformation obfuscation techniques."
"T1036.005::[Ryuk] has constructed legitimate appearing installation folder paths by calling GetWindowsDirectoryW and then inserting a null byte at the fourth character of the path. For Windows Vista or higher, the path would appear as C:\\Users\\Public."
"T1036::[Ryuk] can create .dll files that actually contain a Rich Text File format document."
"T1053.005::[Ryuk] can remotely create a scheduled task to execute itself on a system."
"T1055::[Ryuk] has injected itself into remote processes to encrypt files using a combination of VirtualAlloc, WriteProcessMemory, and CreateRemoteThread."
"T1057::[Ryuk] has called CreateToolhelp32Snapshot to enumerate all running processes."
"T1059.003::[Ryuk] has used cmd.exe to create a Registry entry to establish persistence."
"T1078.002::[Ryuk] can use stolen domain admin accounts to move laterally within a victim domain."
"T1082::[Ryuk] has called GetLogicalDrives to emumerate all mounted drives, and GetDriveTypeW to determine the drive type."
"T1083::[Ryuk] has enumerated files and folders on all mounted drives."
"T1106::[Ryuk] has used multiple native APIs including ShellExecuteW to run executables,GetWindowsDirectoryW to create folders, and VirtualAlloc, WriteProcessMemory, and CreateRemoteThread for process injection."
"T1134::[Ryuk] has attempted to adjust its token privileges to have the SeDebugPrivilege."
"T1205::[Ryuk] has used Wake-on-Lan to power on turned off systems for lateral movement."
"T1222.001::[Ryuk] can launch icacls <path> /grant Everyone:F /T /C /Q to delete every access-based restrictions on files and directories."
"T1486::[Ryuk] has used a combination of symmetric (AES) and asymmetric (RSA) encryption to encrypt files. Files have been encrypted with their own AES key and given a file extension of .RYK. Encrypted directories have had a ransom note of RyukReadMe.txt written to the directory."
"T1489::[Ryuk] has called kill.bat for stopping services, disabling services and killing processes."
"T1490::[Ryuk] has used vssadmin Delete Shadows /all /quiet to to delete volume shadow copies and vssadmin resize shadowstorage to force deletion of shadow copies created by third-party applications."
"T1547.001::[Ryuk] has used the Windows command line to create a Registry entry under HKEY_CURRENT_USER\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run to establish persistence."
"T1562.001::[Ryuk] has stopped services related to anti-virus."
"T1614.001::[Ryuk] has been observed to query the registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\Nls\\Language and the value InstallLanguage. If the machine has the value 0x419 (Russian), 0x422 (Ukrainian), or 0x423 (Belarusian), it stops execution."
"T1007::[S-Type] runs the command net start on a victim."
"T1008::[S-Type] primarily uses port 80 for C2, but falls back to ports 443 or 8080 if initial communication fails."
"T1016::[S-Type] has used `ipconfig /all` on a compromised host."
"T1027.002::Some [S-Type] samples have been packed with UPX."
"T1033::[S-Type] has run tests to determine the privilege level of the compromised user."
"T1036.005::[S-Type] may save itself as a file named `msdtc.exe`, which is also the name of the legitimate Microsoft Distributed Transaction Coordinator service binary."
"T1041::[S-Type] has uploaded data and files from a compromised host to its C2 servers."
"T1059.003::[S-Type] has provided the ability to execute shell commands on a compromised host."
"T1070.004::[S-Type] has deleted files it has created on a compromised host."
"T1070::[S-Type] has deleted accounts it has created."
"T1071.001::[S-Type] uses HTTP for C2."
"T1082::The initial beacon packet for [S-Type] contains the operating system version and file system of the victim."
"T1087.001::[S-Type] has run the command `net user` on a victim."
"T1105::[S-Type] can download additional files onto a compromised host."
"T1106::[S-Type] has used Windows APIs, including `GetKeyboardType`, `NetUserAdd`, and `NetUserDel`."
"T1132.001::[S-Type] uses Base64 encoding for C2 traffic."
"T1136.001::[S-Type] may create a temporary user on the system named `Lost_{Unique Identifier}` with the password `pond~!@6”{Unique Identifier}`."
"T1547.001::[S-Type] may create a .lnk file to itself that is saved in the Start menu folder. It may also create the Registry key HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ IMJPMIJ8.1{3 characters of Unique Identifier}."
"T1547.009::[S-Type] may create the file %HOMEPATH%\\Start Menu\\Programs\\Startup\\Realtek {Unique Identifier}.lnk, which points to the malicious `msdtc.exe` file already created in the `%CommonFiles%` directory."
"T1614.001::[S-Type] has attempted to determine if a compromised system was using a Japanese keyboard via the `GetKeyboardType` API call."
"T1005::[Saint Bot] can collect files and information from a compromised host."
"T1012::[Saint Bot] has used `check_registry_keys` as part of its environmental checks."
"T1016::[Saint Bot] can collect the IP address of a victim machine."
"T1027.002::[Saint Bot] has been packed using a dark market crypter."
"T1027::[Saint Bot] has been obfuscated to help avoid detection."
"T1033::[Saint Bot] can collect the username from a compromised host."
"T1036.005::[Saint Bot] has been disguised as a legitimate executable, including as Windows SDK."
"T1036::[Saint Bot] has renamed malicious binaries as `wallpaper.mp4` and `slideshow.mp4` to avoid detection."
"T1053.005::[Saint Bot] has created a scheduled task named \"Maintenance\" to establish persistence."
"T1055.001::[Saint Bot] has injected its DLL component into `EhStorAurhn.exe`."
"T1055.004::[Saint Bot] has written its payload into a newly-created `EhStorAuthn.exe` process using `ZwWriteVirtualMemory` and executed it using `NtQueueApcThread` and `ZwAlertResumeThread`."
"T1055.012::The [Saint Bot] loader has used API calls to spawn `MSBuild.exe` in a suspended state before injecting the decrypted [Saint Bot] binary into it."
"T1057::[Saint Bot] has enumerated running processes on a compromised host to determine if it is running under the process name `dfrgui.exe`."
"T1059.001::[Saint Bot] has used PowerShell for execution."
"T1059.003::[Saint Bot] has used `cmd.exe` and `.bat` scripts for execution."
"T1059.005::[Saint Bot] has used `.vbs` scripts for execution."
"T1070.004::[Saint Bot] can run a batch script named `del.bat` to remove any [Saint Bot] payload-linked files from a compromise system if anti-analysis or locale checks fail."
"T1071.001::[Saint Bot] has used HTTP for C2 communications."
"T1082::[Saint Bot] can identify the OS version, CPU, and other details from a victim's machine."
"T1083::[Saint Bot] can search a compromised host for specific files."
"T1105::[Saint Bot] can download additional files onto a compromised host."
"T1106::[Saint Bot] has used different API calls, including `GetProcAddress`, `VirtualAllocEx`, `WriteProcessMemory`, `CreateProcessA`, and `SetThreadContext`."
"T1132.001::[Saint Bot] has used Base64 to encode its C2 communications."
"T1140::[Saint Bot] can deobfuscate strings and files for execution."
"T1204.001::[Saint Bot] has relied on users to click on a malicious link delivered via a spearphishing."
"T1204.002::[Saint Bot] has relied upon users to execute a malicious attachment delivered via spearphishing."
"T1218.004::[Saint Bot] had used `InstallUtil.exe` to download and deploy executables."
"T1218.010::[Saint Bot] has used `regsvr32` to execute scripts."
"T1497.001::[Saint Bot] has run several virtual machine and sandbox checks, including checking if `Sbiedll.dll` is present in a list of loaded modules, comparing the machine name to `HAL9TH` and the user name to `JohnDoe`, and checking the BIOS version for known virtual machine identifiers."
"T1497.003::[Saint Bot] has used the command `timeout 20` to pause the execution of its initial loader."
"T1547.001::[Saint Bot] has established persistence by being copied to the Startup directory or through the `\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` registry key."
"T1548.002::[Saint Bot] has attempted to bypass UAC using `fodhelper.exe` to escalate privileges."
"T1566.001::[Saint Bot] has been distributed as malicious attachments within spearphishing emails."
"T1566.002::[Saint Bot] has been distributed through malicious links contained within spearphishing emails."
"T1614::[Saint Bot] has conducted system locale checks to see if the compromised host is in Russia, Ukraine, Belarus, Armenia, Kazakhstan, or Moldova."
"T1622::[Saint Bot] has used `is_debugger_present` as part of its environmental checks."
"T1027::[Sakula] uses single-byte XOR obfuscation to obfuscate many of its files."
"T1059.003::[Sakula] calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. [Sakula] also has the capability to invoke a reverse shell."
"T1070.004::Some [Sakula] samples use cmd.exe to delete temporary files."
"T1071.001::[Sakula] uses HTTP for C2."
"T1105::[Sakula] has the capability to download files."
"T1218.011::[Sakula] calls cmd.exe to run various DLL files via rundll32."
"T1543.003::Some [Sakula] samples install themselves as services for persistence by calling WinExec with the net start argument."
"T1547.001::Most [Sakula] samples maintain persistence by setting the Registry Run key SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ in the HKLM or HKCU hive, with the Registry value and file name varying by sample."
"T1548.002::[Sakula] contains UAC bypass code for both 32- and 64-bit systems."
"T1573.001::[Sakula] encodes C2 traffic with single-byte XOR keys."
"T1574.002::[Sakula] uses DLL side-loading, typically using a digitally signed sample of Kaspersky Anti-Virus (AV) 6.0 for Windows Workstations or McAfee's Outlook Scan About Box to load malicious DLL files."
"T1027.001::[SamSam] has used garbage code to pad some of its malware components."
"T1027::[SamSam] has been seen using AES or DES to encrypt payloads and payload components."
"T1059.003::[SamSam] uses custom batch scripts to execute some of its components."
"T1070.004::[SamSam] has been seen deleting its own files and payloads to make analysis of the attack more difficult."
"T1486::[SamSam] encrypts victim files using RSA-2048 encryption and demands a ransom be paid in Bitcoin to decrypt those files."
"T1005::[SDBbot] has the ability to access the file system on a compromised host."
"T1016::[SDBbot] has the ability to determine the domain name and whether a proxy is configured on a compromised host."
"T1021.001::[SDBbot] has the ability to use RDP to connect to victim's machines."
"T1027.002::[SDBbot] has used a packed installer file."
"T1027::[SDBbot] has the ability to XOR the strings for its installer component with a hardcoded 128 byte key."
"T1033::[SDBbot] has the ability to identify the user on a compromised host."
"T1041::[SDBbot] has sent collected data from a compromised host to its C2 servers."
"T1055.001::[SDBbot] has the ability to inject a downloaded DLL into a newly created rundll32.exe process."
"T1057::[SDBbot] can enumerate a list of running processes on a compromised machine."
"T1059.003::[SDBbot] has the ability to use the command shell to execute commands on a compromised host."
"T1070.004::[SDBbot] has the ability to delete files from a compromised host."
"T1070::[SDBbot] has the ability to clean up and remove data structures from a compromised host."
"T1082::[SDBbot] has the ability to identify the OS version, OS bit information and computer name."
"T1083::[SDBbot] has the ability to get directory listings or drive information on a compromised host."
"T1090::[SDBbot] has the ability to use port forwarding to establish a proxy between a target host and C2."
"T1095::[SDBbot] has the ability to communicate with C2 with TCP over port 443."
"T1105::[SDBbot] has the ability to download a DLL from C2 to a compromised host."
"T1125::[SDBbot] has the ability to record video on a compromised host."
"T1140::[SDBbot] has the ability to decrypt and decompress its payload to enable code execution."
"T1218.011::[SDBbot] has used rundll32.exe to execute DLLs."
"T1546.011::[SDBbot] has the ability to use application shimming for persistence if it detects it is running as admin on Windows XP or 7, by creating a shim database to patch services.exe."
"T1546.012::[SDBbot] has the ability to use image file execution options for persistence if it detects it is running with admin privileges on a Windows version newer than Windows 7."
"T1547.001::[SDBbot] has the ability to add a value to the Registry Run key to establish persistence if it detects it is running with regular user privilege."
"T1614::[SDBbot] can collected the country code of a compromised machine."
"T1027.002::[SeaDuke] has been packed with the UPX packer."
"T1059.001::[SeaDuke] uses a module to execute Mimikatz with PowerShell to perform [Pass the Ticket]."
"T1059.003::[SeaDuke] is capable of executing commands."
"T1070.004::[SeaDuke] can securely delete files, including deleting itself from the victim."
"T1071.001::[SeaDuke] uses HTTP and HTTPS for C2."
"T1078::Some [SeaDuke] samples have a module to extract email from Microsoft Exchange servers using compromised credentials."
"T1105::[SeaDuke] is capable of uploading and downloading files."
"T1114.002::Some [SeaDuke] samples have a module to extract email from Microsoft Exchange servers using compromised credentials."
"T1132.001::[SeaDuke] C2 traffic is base64-encoded."
"T1546.003::[SeaDuke] uses an event filter in WMI code to execute a previously dropped executable shortly after system startup."
"T1547.001::[SeaDuke] is capable of persisting via the Registry Run key or a .lnk file stored in the Startup directory."
"T1547.009::[SeaDuke] is capable of persisting via a .lnk file stored in the Startup directory."
"T1550.003::Some [SeaDuke] samples have a module to use pass the ticket with Kerberos for authentication."
"T1560.002::[SeaDuke] compressed data with zlib prior to sending it over C2."
"T1573.001::[SeaDuke] C2 traffic has been encrypted with RC4 and AES."
"T1027::[Seasalt] obfuscates configuration data."
"T1036.004::[Seasalt] has masqueraded as a service called \"SaSaut\" with a display name of \"System Authorization Service\" in an apparent attempt to masquerade as a legitimate service."
"T1057::[Seasalt] has a command to perform a process listing."
"T1059.003::[Seasalt] uses cmd.exe to create a reverse shell on the infected endpoint."
"T1070.004::[Seasalt] has a command to delete a specified file."
"T1071.001::[Seasalt] uses HTTP for C2 communications."
"T1083::[Seasalt] has the capability to identify the drive type on a victim."
"T1105::[Seasalt] has a command to download additional files."
"T1543.003::[Seasalt] is capable of installing itself as a service."
"T1547.001::[Seasalt] creates a Registry entry to ensure infection after reboot under HKLM\\Software\\Microsoft\\Windows\\currentVersion\\Run."
"T1059.003::[SEASHARPEE] can execute commands on victims."
"T1070.006::[SEASHARPEE] can timestomp files on victims using a Web shell."
"T1105::[SEASHARPEE] can download remote files onto victims."
"T1505.003::[SEASHARPEE] is a Web shell."
"T1021.001::[ServHelper] has commands for adding a remote desktop user and sending RDP traffic to the attacker through a reverse SSH tunnel."
"T1033::[ServHelper] will attempt to enumerate the username of the victim."
"T1053.005::[ServHelper] contains modules that will use [schtasks] to carry out malicious operations."
"T1059.001::[ServHelper] has the ability to execute a PowerShell script to get information from the infected host."
"T1059.003::[ServHelper] can execute shell commands against [cmd]."
"T1070.004::[ServHelper] has a module to delete itself from the infected machine."
"T1071.001::[ServHelper] uses HTTP for C2."
"T1082::[ServHelper] will attempt to enumerate Windows version and system architecture."
"T1105::[ServHelper] may download additional files to execute."
"T1136.001::[ServHelper] has created a new user and added it to the \"Remote Desktop Users\" and \"Administrators\" groups."
"T1218.011::[ServHelper] contains a module for downloading and executing DLLs that leverages rundll32.exe."
"T1547.001::[ServHelper] may attempt to establish persistence via the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ run key."
"T1573.002::[ServHelper] may set up a reverse SSH tunnel to give the attacker access to services running on the victim, such as RDP."
"T1059.003::[Seth-Locker] can execute commands via the command line shell."
"T1105::[Seth-Locker] has the ability to download and execute files on a compromised host."
"T1486::[Seth-Locker] can encrypt files on a targeted system, appending them with the suffix .seth."
"T1016::[ShadowPad] has collected the domain name of the victim system."
"T1027::[ShadowPad] has encrypted its payload, a virtual file system, and various files."
"T1029::[ShadowPad] has sent data back to C2 every 8 hours."
"T1033::[ShadowPad] has collected the username of the victim system."
"T1055.001::[ShadowPad] has injected a DLL into svchost.exe."
"T1055::[ShadowPad] has injected an install module into a newly created process."
"T1057::[ShadowPad] has collected the PID of a malicious process."
"T1070::[ShadowPad] has deleted arbitrary Registry values."
"T1071.001::[ShadowPad] communicates over HTTP to retrieve a string that is decoded into a C2 server URL."
"T1071.002::[ShadowPad] has used FTP for C2 communications."
"T1071.004::[ShadowPad] has used DNS tunneling for C2 communications."
"T1082::[ShadowPad] has discovered system information including memory status, CPU frequency, OS versions, and volume serial numbers."
"T1095::[ShadowPad] has used UDP for C2 communications."
"T1105::[ShadowPad] has downloaded code from a C2 server."
"T1112::[ShadowPad] maintains a configuration block and virtual file system in the Registry."
"T1124::[ShadowPad] has collected the current date and time of the victim system."
"T1132.002::[ShadowPad] has encoded data as readable Latin characters."
"T1140::[ShadowPad] has decrypted a binary blob to start execution."
"T1568.002::[ShadowPad] uses a DGA that is based on the day of the month for C2 servers."
"T1012::[Shamoon] queries several Registry keys to identify hard disk partitions to overwrite."
"T1016::[Shamoon] obtains the target's IP address and local network segment."
"T1018::[Shamoon] scans the C-class subnet of the IPs on the victim's interfaces."
"T1021.002::[Shamoon] accesses network share(s), enables share access to the target device, copies an executable payload to the target system, and uses a [Scheduled Task/Job] to execute the malware."
"T1027::[Shamoon] contains base64-encoded strings."
"T1036.004::[Shamoon] creates a new service named “ntssrv” that attempts to appear legitimate; the service's display name is “Microsoft Network Realtime Inspection Service” and its description is “Helps guard against time change attempts targeting known and newly discovered vulnerabilities in network time protocols.” Newer versions create the \"MaintenaceSrv\" service, which misspells the word \"maintenance.\""
"T1053.005::[Shamoon] copies an executable payload to the target system by using [SMB/Windows Admin Shares] and then scheduling an unnamed task to execute the malware."
"T1070.006::[Shamoon] can change the modified time for files to evade forensic detection."
"T1071.001::[Shamoon] has used HTTP for C2."
"T1078.002::If [Shamoon] cannot access shares using current privileges, it attempts access using hard coded, domain-specific credentials gathered earlier in the intrusion."
"T1082::[Shamoon] obtains the victim's operating system version and keyboard layout and sends the information to the C2 server."
"T1105::[Shamoon] can download an executable to run on the victim."
"T1112::Once [Shamoon] has access to a network share, it enables the RemoteRegistry service on the target system. It will then connect to the system with RegConnectRegistryW and modify the Registry to disable UAC remote restrictions by setting SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System\\LocalAccountTokenFilterPolicy to 1."
"T1124::[Shamoon] obtains the system time and will only activate if it is greater than a preset date."
"T1134.001::[Shamoon] can impersonate tokens using LogonUser, ImpersonateLoggedOnUser, and ImpersonateNamedPipeClient."
"T1140::[Shamoon] decrypts ciphertext using an XOR cipher and a base64-encoded string."
"T1485::[Shamoon] attempts to overwrite operating system files and disk structures with image files."
"T1486::[Shamoon] has an operational mode for encrypting data instead of overwriting it."
"T1529::[Shamoon] will reboot the infected system once the wiping functionality has been completed."
"T1543.003::[Shamoon] creates a new service named “ntssrv” to execute the payload. Newer versions create the \"MaintenaceSrv\" and \"hdv_725x\" services."
"T1548.002::[Shamoon] attempts to disable UAC remote restrictions by modifying the Registry."
"T1561.002::[Shamoon] has been seen overwriting features of disk structure such as the MBR."
"T1569.002::[Shamoon] creates a new service named “ntssrv” to execute the payload. [Shamoon] can also spread via [PsExec]."
"T1570::[Shamoon] attempts to copy itself to remote machines on the network."
"T1005::[Shark] can upload files to its C2."
"T1008::[Shark] can update its configuration to use a different C2 server."
"T1012::[Shark] can query `HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography MachineGuid` to retrieve the machine GUID."
"T1027::[Shark] can use encrypted and encoded files for C2 configuration."
"T1029::[Shark] can pause C2 communications for a specified time."
"T1036.005::[Shark] binaries have been named `audioddg.pdb` and `Winlangdb.pdb` in order to appear legitimate."
"T1041::[Shark] has the ability to upload files from the compromised host over a DNS or HTTP C2 channel."
"T1059.003::[Shark] has the ability to use `CMD` to execute commands."
"T1070.004::[Shark] can delete files downloaded to the compromised host."
"T1071.001::[Shark] has the ability to use HTTP in C2 communications."
"T1071.004::[Shark] can use DNS in C2 communications."
"T1074::[Shark] has stored information in folders named `U1` and `U2` prior to exfiltration."
"T1082::[Shark] can collect the GUID of a targeted machine."
"T1105::[Shark]  can download additional files from its C2 via HTTP or DNS."
"T1140::[Shark] can extract and decrypt downloaded .zip files."
"T1497.001::[Shark] can stop execution if the screen width of the targeted machine is not over 600 pixels."
"T1568.002::[Shark] can send DNS C2 communications using a unique domain generation algorithm."
"T1047::[SharpStage] can use WMI for execution."
"T1053.005::[SharpStage] has a persistence component to write a scheduled task for the payload."
"T1059.001::[SharpStage] can execute arbitrary commands with PowerShell."
"T1059.003::[SharpStage] can execute arbitrary commands with the command line."
"T1082::[SharpStage] has checked the system settings to see if Arabic is the configured language."
"T1102::[SharpStage] has used a legitimate web service for evading detection."
"T1105::[SharpStage] has the ability to download and execute additional payloads via a DropBox API."
"T1113::[SharpStage] has the ability to capture the victim's screen."
"T1140::[SharpStage] has decompressed data received from the C2 server."
"T1547.001::[SharpStage] has the ability to create persistence for the malware using the Registry autorun key and startup folder."
"T1614.001::[SharpStage]  has been used to target Arabic-speaking users and used code that checks if the compromised machine has the Arabic language installed."
"T1016::[SHARPSTATS] has the ability to identify the domain of the compromised host."
"T1027::[SHARPSTATS] has used base64 encoding and XOR to obfuscate PowerShell scripts."
"T1033::[SHARPSTATS] has the ability to identify the username on the compromised host."
"T1059.001::[SHARPSTATS] has the ability to employ a custom PowerShell script."
"T1082::[SHARPSTATS] has the ability to identify the IP address, machine name, and OS of the compromised host."
"T1105::[SHARPSTATS] has the ability to upload and download files."
"T1124::[SHARPSTATS] has the ability to identify the current date and time on the compromised host."
"T1005::[ShimRat] has the capability to upload collected files to a C2."
"T1008::[ShimRat] has used a secondary C2 location if the first was unavailable."
"T1027.002::[ShimRat]'s loader has been packed with the compressed [ShimRat] core DLL and the legitimate DLL for it to hijack."
"T1027::[ShimRat] has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file."
"T1029::[ShimRat] can sleep when instructed to do so by the C2."
"T1036.004::[ShimRat] can impersonate Windows services and antivirus products to avoid detection on compromised systems."
"T1059.003::[ShimRat] can be issued a command shell function from the C2."
"T1070.004::[ShimRat] can uninstall itself from compromised hosts, as well create and modify directories, delete, move, copy, and rename files."
"T1071.001::[ShimRat] communicated over HTTP and HTTPS with C2 servers."
"T1083::[ShimRat] can list directories."
"T1090.002::[ShimRat] can use pre-configured HTTP proxies."
"T1105::[ShimRat] can download additional files."
"T1106::[ShimRat] has used Windows API functions to install the service and shim."
"T1112::[ShimRat] has registered two registry keys for shim databases."
"T1135::[ShimRat] can enumerate connected drives for infected host machines."
"T1140::[ShimRat] has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system."
"T1543.003::[ShimRat] has installed a Windows service to maintain persistence on victim machines."
"T1546.011::[ShimRat] has installed shim databases in the AppPatch folder."
"T1547.001::[ShimRat] has installed a registry based start-up key HKCU\\Software\\microsoft\\windows\\CurrentVersion\\Run to maintain persistence should other methods fail."
"T1548.002::[ShimRat] has hijacked the cryptbase.dll within migwiz.exe to escalate privileges. This prevented the User Access Control window from appearing."
"T1574::[ShimRat] can hijack the cryptbase.dll within migwiz.exe to escalate privileges and bypass UAC controls."
"T1091::[APT30] may have used the [SHIPSHAPE] malware to move onto air-gapped networks. [SHIPSHAPE] targets removable drives to spread to other systems by modifying the drive to use Autorun to execute or by hiding legitimate document files and copying an executable to the folder with the same name as the legitimate document."
"T1547.001::[SHIPSHAPE] achieves persistence by creating a shortcut in the Startup folder."
"T1547.009::[SHIPSHAPE] achieves persistence by creating a shortcut in the Startup folder."
"T1018::[SHOTPUT] has a command to list all servers in the domain, as well as one to locate domain controllers on a domain."
"T1027::[SHOTPUT] is obscured using XOR encoding and appended to a valid GIF file."
"T1049::[SHOTPUT] uses [netstat] to list TCP connection status."
"T1057::[SHOTPUT] has a command to obtain a process listing."
"T1083::[SHOTPUT] has a command to obtain a directory listing."
"T1087.001::[SHOTPUT] has a command to retrieve information about connected users."
"T1082::[SHUTTERSPEED] can collect system information."
"T1105::[SHUTTERSPEED] can download and execute an arbitary executable."
"T1113::[SHUTTERSPEED] can capture screenshots."
"T1012::[Sibot] has queried the registry for proxy server information."
"T1016::[Sibot] checked if the compromised system is configured to use proxies."
"T1027::[Sibot] has obfuscated scripts used in execution."
"T1036.005::[Sibot] has downloaded a DLL to the C:\\windows\\system32\\drivers\\ folder and renamed it with a .sys extension."
"T1047::[Sibot] has used WMI to discover network connections and configurations. [Sibot] has also used the Win32_Process class to execute a malicious DLL."
"T1049::[Sibot] has retrieved a GUID associated with a present LAN connection on a compromised machine."
"T1053.005::[Sibot] has been executed via a scheduled task."
"T1059.005::[Sibot] executes commands using VBScript."
"T1070.004::[Sibot] will delete itself if a certain server response is received."
"T1070::[Sibot] will delete an associated registry key if a certain server response is received."
"T1071.001::[Sibot] communicated with its C2 server via HTTP GET requests."
"T1102::[Sibot] has used a legitimate compromised website to download DLLs to the victim's machine."
"T1105::[Sibot] can download and execute a payload onto a compromised system."
"T1112::[Sibot] has installed a second-stage script in the HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\sibot registry key."
"T1140::[Sibot] can decrypt data received from a C2 and save to a file."
"T1218.005::[Sibot] has been executed via MSHTA application."
"T1218.011::[Sibot] has executed downloaded DLLs with rundll32.exe."
"T1001::[SideTwist] can embed C2 responses in the source code of a fake Flickr webpage."
"T1005::[SideTwist] has the ability to upload files from a compromised host."
"T1008::[SideTwist] has primarily used port 443 for C2 but can use port 80 as a fallback."
"T1016::[SideTwist] has the ability to collect the domain name on a compromised host."
"T1033::[SideTwist] can collect the username on a targeted system."
"T1041::[SideTwist] has exfiltrated data over its C2 channel."
"T1059.003::[SideTwist] can execute shell commands on a compromised host."
"T1071.001::[SideTwist] has used HTTP GET and POST requests over port 443 for C2."
"T1082::[SideTwist] can collect the computer name of a targeted system."
"T1083::[SideTwist] has the ability to search for specific files."
"T1105::[SideTwist] has the ability to download additional files."
"T1106::[SideTwist] can use GetUserNameW, GetComputerNameW, and GetComputerNameExW to gather information."
"T1132.001::[SideTwist] has used Base64 for encoded C2 traffic."
"T1140::[SideTwist] can decode and decrypt messages received from C2."
"T1573.001::[SideTwist] can encrypt C2 communications with a randomly generated key."
"T1027::[Siloscape] itself is obfuscated and uses obfuscated API calls."
"T1059.003::[Siloscape] can run cmd through an IRC channel."
"T1068::[Siloscape] has leveraged a vulnerability in Windows containers to perform an [Escape to Host]."
"T1069::[Siloscape] checks for Kubernetes node permissions."
"T1071::[Siloscape] connects to an IRC server for C2."
"T1083::[Siloscape] searches for the Kubernetes config file and other related files using a regular expression."
"T1090.003::[Siloscape] uses Tor to communicate with C2."
"T1106::[Siloscape] makes various native API calls."
"T1134.001::[Siloscape] impersonates the main thread of CExecSvc.exe by calling NtImpersonateThread."
"T1140::[Siloscape] has decrypted the password of the C2 server with a simple byte by byte XOR. [Siloscape] also writes both an archive of [Tor] and the unzip binary to disk from data embedded within the payload using Visual Studio’s Resource Manager."
"T1190::[Siloscape] is executed after the attacker gains initial access to a Windows container using a known vulnerability."
"T1518::[Siloscape] searches for the kubectl binary."
"T1609::[Siloscape] can send kubectl commands to victim clusters through an IRC channel and can run kubectl locally to spread once within a victim cluster."
"T1611::[Siloscape] maps the host’s C drive to the container by creating a global symbolic link to the host through the calling of NtSetInformationSymbolicLink."
"T1556.001::[Skeleton Key] is used to patch an enterprise domain controller authentication process with a backdoor password. It allows adversaries to bypass the standard authentication system to use a defined password for all accounts authenticating to that domain controller."
"T1014::[Skidmap] is a kernel-mode rootkit that has the ability to hook system calls to hide specific files and fake network and CPU-related statistics to make the CPU load of the infected machine always appear low."
"T1027::[Skidmap] has encrypted it's main payload using 3DES."
"T1036.005::[Skidmap] has created a fake rm binary to replace the legitimate Linux binary."
"T1053.003::[Skidmap] has installed itself via crontab."
"T1057::[Skidmap] has monitored critical processes to ensure resiliency."
"T1059.004::[Skidmap] has used pm.sh to download and install its main payload."
"T1082::[Skidmap] has the ability to check whether the infected system’s OS is Debian or RHEL/CentOS to determine which cryptocurrency miner it should use."
"T1083::[Skidmap] has checked for the existence of specific files including /usr/sbin/setenforce and  /etc/selinux/config. It also has the ability to monitor the cryptocurrency miner file and process."
"T1098.004::[Skidmap] has the ability to add the public key of its handlers to the authorized_keys file to maintain persistence on an infected host."
"T1105::[Skidmap] has the ability to download files on an infected host."
"T1140::[Skidmap] has the ability to download, unpack, and decrypt tar.gz files ."
"T1496::[Skidmap] is a kernel-mode rootkit used for cryptocurrency mining."
"T1518.001::[Skidmap] has the ability to check if /usr/sbin/setenforce exists. This file controls what mode SELinux is in."
"T1547.006::[Skidmap] has the ability to install several loadable kernel modules (LKMs) on infected machines."
"T1556.003::[Skidmap] has the ability to replace the pam_unix.so file on an infected machine with its own malicious version that accepts a specific backdoor password for all users."
"T1562.001::[Skidmap] has the ability to set SELinux to permissive mode."
"T1001::[SLOTHFULMEDIA] has hashed a string containing system information prior to exfiltration via POST requests."
"T1005::[SLOTHFULMEDIA] has uploaded files and information from victim machines."
"T1007::[SLOTHFULMEDIA] has the capability to enumerate services."
"T1033::[SLOTHFULMEDIA] has collected the username from a victim machine."
"T1036.004::[SLOTHFULMEDIA] has named a service it establishes on victim machines as \"TaskFrame\" to hide its malicious purpose."
"T1036.005::[SLOTHFULMEDIA] has mimicked the names of known executables, such as mediaplayer.exe."
"T1041::[SLOTHFULMEDIA] has sent system information to a C2 server via HTTP and HTTPS POST requests."
"T1049::[SLOTHFULMEDIA] can enumerate open ports on a victim machine."
"T1055::[SLOTHFULMEDIA] can inject into running processes on a compromised host."
"T1056.001::[SLOTHFULMEDIA] has a keylogging capability."
"T1057::[SLOTHFULMEDIA] has enumerated processes by ID, name, or privileges."
"T1059.003::[SLOTHFULMEDIA] can open a command line to execute commands."
"T1070.004::[SLOTHFULMEDIA] has deleted itself and the 'index.dat' file on a compromised machine to remove recent Internet history from the system."
"T1071.001::[SLOTHFULMEDIA] has used HTTP and HTTPS for C2 communications."
"T1082::[SLOTHFULMEDIA] has collected system name, OS version, adapter information, memory usage, and disk information from a victim machine."
"T1083::[SLOTHFULMEDIA] can enumerate files and directories."
"T1105::[SLOTHFULMEDIA] has downloaded files onto a victim machine."
"T1112::[SLOTHFULMEDIA] can add, modify, and/or delete registry keys. It has changed the proxy configuration of a victim system by modifying the HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap registry."
"T1113::[SLOTHFULMEDIA] has taken a screenshot of a victim's desktop, named it \"Filter3.jpg\", and stored it in the local directory."
"T1489::[SLOTHFULMEDIA] has the capability to stop processes and services."
"T1543.003::[SLOTHFULMEDIA] has created a service on victim machines named \"TaskFrame\" to establish persistence."
"T1564.001::[SLOTHFULMEDIA] has been created with a hidden attribute to insure it's not visible to the victim."
"T1569.002::[SLOTHFULMEDIA] has the capability to start services."
"T1082::[SLOWDRIFT] collects and sends system information to its C2."
"T1102.002::[SLOWDRIFT] uses cloud based services for C2."
"T1105::[SLOWDRIFT] downloads additional payloads."
"T1016::[Small Sieve] can obtain the IP address of a victim host."
"T1027::[Small Sieve] has the ability to use a custom hex byte swapping encoding scheme combined with an obfuscated Base64 function to protect program strings and Telegram credentials."
"T1033::[Small Sieve] can obtain the id of a logged in user."
"T1036.005::[Small Sieve] can use variations of Microsoft and Outlook spellings, such as \"Microsift\", in its file names to avoid detection."
"T1059.003::[Small Sieve] can use `cmd.exe` to execute commands on a victim's system."
"T1059.006::[Small Sieve] can use Python scripts to execute commands."
"T1071.001::[Small Sieve] can contact actor-controlled C2 servers by using the Telegram API over HTTPS."
"T1102.002::[Small Sieve] has the ability to use the Telegram Bot API from Telegram Messenger to send and receive messages."
"T1105::[Small Sieve] has the ability to download files."
"T1132.002::[Small Sieve] can use a custom hex byte swapping encoding scheme to obfuscate tasking traffic."
"T1480::[Small Sieve] can only execute correctly if the word `Platypus` is passed to it on the command line."
"T1547.001::[Small Sieve] has the ability to add itself to `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookMicrosift` for persistence."
"T1573.002::[Small Sieve] can use SSL/TLS for its HTTPS Telegram Bot API-based C2 channel."
"T1027::[Smoke Loader] uses a simple one-byte XOR method to obfuscate values in the malware."
"T1053.005::[Smoke Loader] launches a scheduled task."
"T1055.012::[Smoke Loader] spawns a new copy of c:\\windows\\syswow64\\explorer.exe and then replaces the executable code in memory with malware."
"T1055::[Smoke Loader] injects into the Internet Explorer process."
"T1059.005::[Smoke Loader] adds a Visual Basic script in the Startup folder to deploy the payload."
"T1071.001::[Smoke Loader] uses HTTP for C2."
"T1083::[Smoke Loader] recursively searches through directories for files."
"T1105::[Smoke Loader] downloads a new version of itself once it has installed. It also downloads additional plugins."
"T1114.001::[Smoke Loader] searches through Outlook files and directories (e.g., inbox, sent, templates, drafts, archives, etc.)."
"T1140::[Smoke Loader] deobfuscates its code."
"T1497.001::[Smoke Loader] scans processes to perform anti-VM checks."
"T1547.001::[Smoke Loader] adds a Registry Run key for persistence and adds a script in the Startup folder to deploy the payload."
"T1552.001::[Smoke Loader] searches for files named logins.json to parse for credentials."
"T1555.003::[Smoke Loader] searches for credentials stored from web browsers."
"T1027.009::The [SMOKEDHAM] source code is embedded in the dropper as an encrypted string."
"T1033::[SMOKEDHAM] has used whoami commands to identify system owners."
"T1041::[SMOKEDHAM] has exfiltrated data to its C2 server."
"T1056.001::[SMOKEDHAM] can continuously capture keystrokes."
"T1059.001::[SMOKEDHAM] can execute Powershell commands sent from its C2 server."
"T1071.001::[SMOKEDHAM] has communicated with its C2 servers via HTTPS and HTTP POST requests."
"T1082::[SMOKEDHAM] has used the systeminfo command on a compromised host."
"T1087.001::[SMOKEDHAM] has used net.exe user and net.exe users to enumerate local accounts on a compromised host."
"T1090.004::[SMOKEDHAM] has used a fronted domain to obfuscate its hard-coded C2 server domain."
"T1098::[SMOKEDHAM] has added created user accounts to local Admin groups."
"T1102::[SMOKEDHAM] has used Google Drive and Dropbox to host files downloaded by victims via malicious links."
"T1105::[SMOKEDHAM] has used Powershell to download UltraVNC and [Ngrok] from third-party file sharing sites."
"T1112::[SMOKEDHAM] has modified registry keys for persistence, to enable credential caching for credential access, and to facilitate lateral movement via RDP."
"T1113::[SMOKEDHAM] can capture screenshots of the victim’s desktop."
"T1132.001::[SMOKEDHAM] has encoded its C2 traffic with Base64."
"T1136.001::[SMOKEDHAM] has created user accounts and added them to local Admin groups."
"T1204.001::[SMOKEDHAM] has relied upon users clicking on a malicious link delivered through phishing."
"T1547.001::[SMOKEDHAM] has used reg.exe to create a Registry Run key."
"T1564.002::[SMOKEDHAM] has modified the Registry to hide created user accounts from the Windows logon screen."
"T1573.001::[SMOKEDHAM] has encrypted its C2 traffic with RC4."
"T1598.003::[SMOKEDHAM] has been delivered via malicious links in phishing emails."
"T1059.003::[SNUGRIDE] is capable of executing commands and spawning a reverse shell."
"T1071.001::[SNUGRIDE] communicates with its C2 server over HTTP."
"T1547.001::[SNUGRIDE] establishes persistence through a Registry Run key."
"T1573.001::[SNUGRIDE] encrypts C2 traffic using AES with a static key."
"T1055.001::[Socksbot] creates a suspended svchost process and injects its DLL into it."
"T1057::[Socksbot] can list all running processes."
"T1059.001::[Socksbot] can write and execute PowerShell scripts."
"T1090::[Socksbot] can start SOCKS proxy threads."
"T1113::[Socksbot] can take screenshots."
"T1012::[SodaMaster] has the ability to query the Registry to detect a key specific to VMware."
"T1027::[SodaMaster] can use \"stackstrings\" for obfuscation."
"T1033::[SodaMaster] can identify the username on a compromised host."
"T1057::[SodaMaster] can search a list of running processes."
"T1082::[SodaMaster] can enumerate the host name and OS version on a target system."
"T1105::[SodaMaster] has the ability to download additional payloads from C2 to the targeted system."
"T1106::[SodaMaster] can use RegOpenKeyW to access the Registry."
"T1497.001::[SodaMaster] can check for the presence of the Registry key HKEY_CLASSES_ROOT\\\\Applications\\\\VMwareHostOpen.exe before proceeding to its main functionality."
"T1497.003::[SodaMaster] has the ability to put itself to \"sleep\" for a specified time."
"T1573.001::[SodaMaster] can use RC4 to encrypt C2 communications."
"T1573.002::[SodaMaster] can use a hardcoded RSA key to encrypt some of its C2 traffic."
"T1005::[SombRAT] has collected data and files from a compromised host."
"T1007::[SombRAT] can enumerate services on a victim machine."
"T1027::[SombRAT] can encrypt strings with XOR-based routines and use a custom AES storage format for plugins, configuration, C2 domains, and harvested data."
"T1033::[SombRAT] can execute getinfo  to identify the username on a compromised host."
"T1036::[SombRAT] can use a legitimate process name to hide itself."
"T1041::[SombRAT] has uploaded collected data and files from a compromised host to its C2 server."
"T1055.001::[SombRAT] can execute loadfromfile, loadfromstorage, and loadfrommem to inject a DLL  from disk, storage, or memory respectively."
"T1057::[SombRAT] can use the getprocesslist command to enumerate processes on a compromised host."
"T1070.004::[SombRAT] has the ability to run cancel or closeanddeletestorage to remove all files from storage and delete the storage temp file on a compromised host."
"T1071.004::[SombRAT] can communicate over DNS with the C2 server."
"T1074.001::[SombRAT] can store harvested data in a custom database under the %TEMP% directory."
"T1082::[SombRAT] can execute getinfo to enumerate the computer name and OS version of a compromised system."
"T1083::[SombRAT] can execute enum to enumerate files in storage on a compromised system."
"T1090::[SombRAT] has the ability to use an embedded SOCKS proxy in C2 communications."
"T1095::[SombRAT] has the ability to use TCP sockets to send data and ICMP to ping the C2 server."
"T1105::[SombRAT] has the ability to download and execute additional payloads."
"T1106::[SombRAT] has the ability to respawn itself using ShellExecuteW and CreateProcessW."
"T1124::[SombRAT] can execute getinfo  to discover the current time on a compromised host."
"T1140::[SombRAT] can run upload to decrypt and upload files from storage."
"T1560.003::[SombRAT] has encrypted collected data with AES-256 using a hardcoded key."
"T1564.010::[SombRAT] has the ability to modify its process memory to hide process command-line arguments."
"T1568.002::[SombRAT] can use a custom DGA to generate a subdomain for C2."
"T1573.001::[SombRAT] has encrypted its C2 communications with AES."
"T1573.002::[SombRAT] can SSL encrypt C2 traffic."
"T1016::[SoreFang] can collect the TCP/IP, DNS, DHCP, and network adapter configuration on a compromised host via ipconfig.exe /all."
"T1027::[SoreFang] has the ability to encode and RC6 encrypt data sent to C2."
"T1053.005::[SoreFang] can gain persistence through use of scheduled tasks."
"T1057::[SoreFang] can enumerate processes on a victim machine through use of [Tasklist]."
"T1069.002::[SoreFang] can enumerate domain groups by executing net.exe group /domain."
"T1071.001::[SoreFang] can use HTTP in C2 communications."
"T1082::[SoreFang] can collect the hostname, operating system configuration, product ID, and disk space on victim machines by executing [Systeminfo]."
"T1083::[SoreFang] has the ability to list directories."
"T1087.001::[SoreFang] can collect usernames from the local system via net.exe user."
"T1087.002::[SoreFang] can enumerate domain accounts via net.exe user /domain."
"T1105::[SoreFang] can download additional payloads from C2."
"T1140::[SoreFang] can decode and decrypt exfiltrated data sent to C2."
"T1190::[SoreFang] can gain access by exploiting a Sangfor SSL VPN vulnerability that allows for the placement and delivery of malicious update binaries."
"T1010::[SOUNDBITE] is capable of enumerating application windows."
"T1071.004::[SOUNDBITE] communicates via DNS for C2."
"T1082::[SOUNDBITE] is capable of gathering system information."
"T1083::[SOUNDBITE] is capable of enumerating and manipulating files and directories."
"T1112::[SOUNDBITE] is capable of modifying the Registry."
"T1052.001::[SPACESHIP] copies staged data to removable drives when they are inserted into the system."
"T1074.001::[SPACESHIP] identifies files with certain extensions and copies them to a directory in the user's profile."
"T1083::[SPACESHIP] identifies files and directories for collection by searching for specific file extensions or file modification time."
"T1547.001::[SPACESHIP] achieves persistence by creating a shortcut in the current user's Startup folder."
"T1547.009::[SPACESHIP] achieves persistence by creating a shortcut in the current user's Startup folder."
"T1560.003::Data [SPACESHIP] copies to the staging area is compressed with zlib. Bytes are rotated by four positions and XOR'ed with 0x23."
"T1027.002::[Spark] has been packed with Enigma Protector to obfuscate its contents."
"T1033::[Spark] has run the whoami command and has a built-in command to identify the user logged in."
"T1041::[Spark] has exfiltrated data over the C2 channel."
"T1059.003::[Spark] can use cmd.exe to run commands."
"T1071.001::[Spark] has used HTTP POST requests to communicate with its C2 server to receive commands."
"T1082::[Spark] can collect the hostname, keyboard layout, and language from the system."
"T1132.001::[Spark] has encoded communications with the C2 server with base64."
"T1140::[Spark] has used a custom XOR algorithm to decrypt the payload."
"T1497.002::[Spark] has used a splash screen to check whether an user actively clicks on the screen before running malicious code."
"T1614.001::[Spark] has checked the results of the GetKeyboardLayoutList and the language name returned by GetLocaleInfoA to make sure they contain the word “Arabic” before executing."
"T1016::[SpeakUp] uses the ifconfig -a command."
"T1027::[SpeakUp] encodes its second-stage payload with Base64."
"T1033::[SpeakUp] uses the whoami command."
"T1046::[SpeakUp] checks for availability of specific ports on servers."
"T1049::[SpeakUp] uses the arp -a command."
"T1053.003::[SpeakUp] uses cron tasks to ensure persistence."
"T1059.006::[SpeakUp] uses Python scripts."
"T1059::[SpeakUp] uses Perl scripts."
"T1070.004::[SpeakUp] deletes files to remove evidence on the machine."
"T1071.001::[SpeakUp] uses POST and GET requests over HTTP to communicate with its main C&C server."
"T1082::[SpeakUp] uses the cat /proc/cpuinfo | grep -c “cpu family” 2>&1 command to gather system information."
"T1105::[SpeakUp] downloads and executes additional files from a remote server."
"T1110.001::[SpeakUp] can perform brute forcing using a pre-defined list of usernames and passwords in an attempt to log in to administrative panels."
"T1132.001::[SpeakUp] encodes C&C communication using Base64."
"T1203::[SpeakUp] attempts to exploit the following vulnerabilities in order to execute its malicious script: CVE-2012-0874, CVE-2010-1871, CVE-2017-10271, CVE-2018-2894, CVE-2016-3088, JBoss AS 3/4/5/6, and the Hadoop YARN ResourceManager."
"T1005::[SpicyOmelette] has collected data and other information from a compromised host."
"T1016::[SpicyOmelette] can identify the IP of a compromised system."
"T1018::[SpicyOmelette] can identify payment systems, payment gateways, and ATM systems in compromised environments."
"T1059.007::[SpicyOmelette] has the ability to execute arbitrary JavaScript code on a compromised host."
"T1082::[SpicyOmelette] can identify the system name of a compromised host."
"T1105::[SpicyOmelette] can download malicious files from threat actor controlled AWS URL's."
"T1204.001::[SpicyOmelette] has been executed through malicious links within spearphishing emails."
"T1518.001::[SpicyOmelette] can check for the presence of 29 different antivirus tools."
"T1518::[SpicyOmelette] can enumerate running software on a targeted system."
"T1553.002::[SpicyOmelette] has been signed with valid digital certificates."
"T1566.002::[SpicyOmelette] has been distributed via emails containing a malicious link that appears to be a PDF document."
"T1027::[SQLRat] has used a character insertion obfuscation technique, making the script appear to contain Chinese characters."
"T1053.005::[SQLRat] has created scheduled tasks in %appdata%\\Roaming\\Microsoft\\Templates\\."
"T1059.001::[SQLRat] has used PowerShell to create a Meterpreter session."
"T1059.003::[SQLRat] has used SQL to execute JavaScript and VB scripts on the host system."
"T1070.004::[SQLRat] has used been observed deleting scripts once used."
"T1105::[SQLRat] can make a direct SQL connection to a Microsoft database controlled by the attackers, retrieve an item from the bindata table, then write and execute the file on disk."
"T1140::[SQLRat] has scripts that are responsible for deobfuscating additional scripts."
"T1204.002::[SQLRat] relies on users clicking on an embedded image to execute the scripts."
"T1016::[Squirrelwaffle] has collected the victim’s external IP address."
"T1027.002::[Squirrelwaffle] has been packed with a custom packer to hide payloads."
"T1027::[Squirrelwaffle] has been obfuscated with a XOR-based algorithm."
"T1033::[Squirrelwaffle] can collect the user name from a compromised host."
"T1041::[Squirrelwaffle] has exfiltrated victim data using HTTP POST requests to its C2 servers."
"T1059.001::[Squirrelwaffle] has used PowerShell to execute its payload."
"T1059.003::[Squirrelwaffle] has used `cmd.exe` for execution."
"T1059.005::[Squirrelwaffle] has used malicious VBA macros in Microsoft Word documents and Excel spreadsheets that execute an `AutoOpen` subroutine."
"T1071.001::[Squirrelwaffle] has used HTTP POST requests for C2 communications."
"T1082::[Squirrelwaffle] has gathered victim computer information and configurations."
"T1105::[Squirrelwaffle] has downloaded and executed additional encoded payloads."
"T1132.001::[Squirrelwaffle] has encoded its communications to C2 servers using Base64."
"T1140::[Squirrelwaffle] has decrypted files and payloads using a XOR-based algorithm."
"T1204.001::[Squirrelwaffle] has relied on victims to click on a malicious link send via phishing campaigns."
"T1204.002::[Squirrelwaffle] has relied on users enabling malicious macros within Microsoft Excel and Word attachments."
"T1218.010::[Squirrelwaffle] has been executed using `regsvr32.exe`."
"T1218.011::[Squirrelwaffle] has been executed using `rundll32.exe`."
"T1497::[Squirrelwaffle] has contained a hardcoded list of IP addresses to block that belong to sandboxes and analysis platforms."
"T1560.003::[Squirrelwaffle] has encrypted collected data using a XOR-based algorithm."
"T1566.001::[Squirrelwaffle] has been distributed via malicious Microsoft Office documents within spam emails."
"T1566.002::[Squirrelwaffle] has been distributed through phishing emails containing a malicious URL."
"T1008::[SslMM] has a hard-coded primary and backup C2 string."
"T1033::[SslMM] sends the logged-on username to its hard-coded C2."
"T1036.005::To establish persistence, [SslMM] identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut."
"T1056.001::[SslMM] creates a new thread implementing a keylogging facility using Windows Keyboard Accelerators."
"T1082::[SslMM] sends information to its hard-coded C2, including OS version, service pack information, processor speed, system name, and OS install date."
"T1134::[SslMM] contains a feature to manipulate process privileges and tokens."
"T1547.001::To establish persistence, [SslMM] identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut."
"T1547.009::To establish persistence, [SslMM] identifies the Start Menu Startup directory and drops a link to its own executable disguised as an “Office Start,” “Yahoo Talk,” “MSN Gaming Z0ne,” or “MSN Talk” shortcut."
"T1562.001::[SslMM] identifies and kills anti-malware processes."
"T1036.005::[Starloader] has masqueraded as legitimate software update packages such as Adobe Acrobat Reader and Intel."
"T1140::[Starloader] decrypts and executes shellcode from a file called Stars.jps."
"T1005::[STARWHALE] can collect data from an infected local host."
"T1016::[STARWHALE] has the ability to collect the IP address of an infected host."
"T1027::[STARWHALE] has been obfuscated with hex-encoded strings."
"T1033::[STARWHALE] can gather the username from an infected host."
"T1041::[STARWHALE] can exfiltrate collected data to its C2 servers."
"T1059.003::[STARWHALE] has the ability to execute commands via `cmd.exe`."
"T1059.005::[STARWHALE] can use the VBScript function `GetRef` as part of its persistence mechanism."
"T1071.001::[STARWHALE] has the ability to contact actor-controlled C2 servers via HTTP."
"T1074.001::[STARWHALE] has stored collected data in a file called `stari.txt`."
"T1082::[STARWHALE] can gather the computer name of an infected host."
"T1132.001::[STARWHALE] has the ability to hex-encode collected data from an infected host."
"T1204.002::[STARWHALE] has relied on victims opening a malicious Excel file for execution."
"T1543.003::[STARWHALE] has the ability to create the following Windows service to establish persistence on an infected host: `sc create Windowscarpstss binpath= \"cmd.exe /c cscript.exe c:\\\\windows\\\\system32\\\\w7_1.wsf humpback_whale\" start= \"auto\" obj= \"LocalSystem\"`."
"T1547.001::[STARWHALE] can establish persistence by installing itself in the startup folder, whereas the GO variant has created a `HKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\OutlookM` registry key."
"T1012::[StoneDrill] has looked in the registry to find the default browser path."
"T1027::[StoneDrill] has obfuscated its module with an alphabet-based table or XOR encryption."
"T1047::[StoneDrill] has used the WMI command-line (WMIC) utility to run tasks."
"T1055::[StoneDrill] has relied on injecting its payload directly into the process memory of the victim's preferred browser."
"T1059.005::[StoneDrill] has several VBS scripts used throughout the malware's lifecycle."
"T1070.004::[StoneDrill] has been observed deleting the temporary files once they fulfill their task."
"T1082::[StoneDrill] has the capability to discover the system OS, Windows version, architecture and environment."
"T1105::[StoneDrill] has downloaded and dropped temporary files containing scripts; it additionally has a function to upload files from the victims machine."
"T1113::[StoneDrill] can take screenshots."
"T1124::[StoneDrill] can obtain the current date and time of the victim machine."
"T1485::[StoneDrill] has a disk wiper module that targets files other than those in the Windows directory."
"T1497::[StoneDrill] has used several anti-emulation techniques to prevent automated analysis by emulators or sandboxes."
"T1518.001::[StoneDrill] can check for antivirus and antimalware programs."
"T1561.001::[StoneDrill] can wipe the accessible physical or logical drives of the infected machine."
"T1561.002::[StoneDrill] can wipe the master boot record of an infected computer."
"T1027::[StreamEx] obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data."
"T1057::[StreamEx] has the ability to enumerate processes."
"T1059.003::[StreamEx] has the ability to remotely execute commands."
"T1082::[StreamEx] has the ability to enumerate system information."
"T1083::[StreamEx] has the ability to enumerate drive types."
"T1112::[StreamEx] has the ability to modify the Registry."
"T1218.011::[StreamEx] uses rundll32 to call an exported function."
"T1518.001::[StreamEx] has the ability to scan for security tools such as firewalls and antivirus tools."
"T1543.003::[StreamEx] establishes persistence by installing a new service pointing to its DLL and setting the service to auto-start."
"T1005::[StrifeWater] can collect data from a compromised host."
"T1033::[StrifeWater] can collect the user name from the victim's machine."
"T1036.005::[StrifeWater] has been named `calc.exe` to appear as a legitimate calculator program."
"T1041::[StrifeWater] can send data and files from a compromised host to its C2 server."
"T1053::[StrifeWater] has create a scheduled task named `Mozilla\\Firefox Default Browser Agent 409046Z0FF4A39CB` for persistence."
"T1059.003::[StrifeWater] can execute shell commands using `cmd.exe`."
"T1070.004::[StrifeWater] can self delete to cover its tracks."
"T1082::[StrifeWater] can collect the OS version, architecture, and machine name to create a unique token for the infected host."
"T1083::[StrifeWater] can enumerate files on a compromised host."
"T1105::[StrifeWater] can download updates and auxiliary modules."
"T1106::[StrifeWater] can use a variety of APIs for execution."
"T1113::[StrifeWater] has the ability to take screen captures."
"T1124::[StrifeWater] can collect the time zone from the victim's machine."
"T1497.003::[StrifeWater] can modify its sleep time responses from the default of 20-22 seconds."
"T1573.001::[StrifeWater] can encrypt C2 traffic using XOR with a hard coded key."
"T1036.004::[PROMETHIUM] has named services to appear legitimate."
"T1036.005::[PROMETHIUM] has disguised malicious installer files by bundling them with legitimate software installers."
"T1078.003::[PROMETHIUM] has created admin accounts on a compromised host."
"T1189::[PROMETHIUM] has used watering hole attacks to deliver malicious versions of legitimate installers."
"T1204.002::[PROMETHIUM] has attempted to get users to execute compromised installation files for legitimate software including compression applications, security software, browsers, file recovery applications, and other tools and utilities."
"T1205.001::[PROMETHIUM] has used a script that configures the knockd service and firewall to only accept C2 connections from systems that use a specified sequence of knock ports."
"T1543.003::[PROMETHIUM] has created new services and modified existing services for persistence."
"T1547.001::[PROMETHIUM] has used Registry run keys to establish persistence."
"T1553.002::[PROMETHIUM] has signed code with self-signed certificates."
"T1587.002::[PROMETHIUM] has created self-signed certificates to sign malicious installers."
"T1587.003::[PROMETHIUM] has created self-signed digital certificates for use in HTTPS C2 traffic."
"T1008::[Stuxnet] has the ability to generate new C2 domains."
"T1012::[Stuxnet] searches the Registry for indicators of security programs."
"T1014::[Stuxnet] uses a Windows rootkit to mask its binaries and other relevant files."
"T1016::[Stuxnet] collects the IP address of a compromised system."
"T1021.002::[Stuxnet] propagates to available network shares."
"T1021::[Stuxnet] can propagate via peer-to-peer communication and updates using RPC."
"T1027::[Stuxnet] uses encrypted configuration blocks and writes encrypted files to disk."
"T1041::[Stuxnet] sends compromised victim information via HTTP."
"T1047::[Stuxnet] used WMI with an explorer.exe token to execute on a remote share."
"T1053.005::[Stuxnet] schedules a network job to execute two minutes after host infection."
"T1055.001::[Stuxnet] injects an entire DLL into an existing, newly created, or preselected trusted process."
"T1068::[Stuxnet] used MS10-073 and an undisclosed Task Scheduler vulnerability to escalate privileges on local Windows machines."
"T1070.004::[Stuxnet] uses an RPC server that contains a routine for file deletion and also removes itself from the system through a DLL export by deleting specific files."
"T1070.006::[Stuxnet] extracts and writes driver files that match the times of other legitimate files."
"T1070::[Stuxnet] can delete OLE Automation and SQL stored procedures used to store malicious payloads."
"T1071.001::[Stuxnet] uses HTTP to communicate with a command and control server."
"T1078.001::[Stuxnet] infected WinCC machines via a hardcoded database server password."
"T1078.002::[Stuxnet] attempts to access network resources with a domain account’s credentials."
"T1080::[Stuxnet] infects remote servers via network shares and by infecting WinCC database views with malicious code."
"T1082::[Stuxnet] collects system information including computer and domain names, OS version, and S7P paths."
"T1083::[Stuxnet] uses a driver to scan for specific filesystem driver objects."
"T1087.001::[Stuxnet] enumerates user accounts of the local host."
"T1087.002::[Stuxnet] enumerates user accounts of the domain."
"T1090.001::[Stuxnet] installs an RPC server for P2P communications."
"T1091::[Stuxnet] can propagate via removable media using an autorun.inf file or the CVE-2010-2568 LNK vulnerability."
"T1106::[Stuxnet] uses the SetSecurityDescriptorDacl API to reduce object integrity levels."
"T1112::[Stuxnet] can create registry keys to load driver files."
"T1120::[Stuxnet] enumerates removable drives for infection."
"T1124::[Stuxnet] collects the time and date of a system when it is infected."
"T1129::[Stuxnet] calls LoadLibrary then executes exports from a DLL."
"T1132.001::[Stuxnet] transforms encrypted binary data into an ASCII string in order to use it as a URL parameter value."
"T1134.001::[Stuxnet] attempts to impersonate an anonymous token to enumerate bindings in the service control manager."
"T1135::[Stuxnet] enumerates the directories of a network resource."
"T1140::[Stuxnet] decrypts resources that are loaded into memory and executed."
"T1210::[Stuxnet] propagates using the MS10-061 Print Spooler and MS08-067 Windows Server Service vulnerabilities."
"T1480::[Stuxnet] checks for specific operating systems on 32-bit machines, Registry keys, and dates for vulnerabilities, and will exit execution if the values are not met."
"T1505.001::[Stuxnet] used xp_cmdshell to store and execute SQL code."
"T1518.001::[Stuxnet] enumerates the currently running processes related to a variety of security products."
"T1543.003::[Stuxnet] uses a driver registered as a boot start service as the main load-point."
"T1553.002::[Stuxnet] used a digitally signed driver with a compromised Realtek certificate."
"T1560.003::[Stuxnet] encrypts exfiltrated data via C2 with static 31-byte long XOR keys."
"T1562::[Stuxnet] reduces the integrity level of objects to allow write actions."
"T1570::[Stuxnet] uses an RPC server that contains a file dropping routine and support for payload version updates for P2P communications within a victim network."
"T1573.001::[Stuxnet] encodes the payload of system information sent to the command and control servers using a one byte 0xFF XOR key. [Stuxnet] also uses a 31-byte long static byte string to XOR data sent to command and control servers. The servers use a different static key to encrypt replies to the implant."
"T1036.004::[SUGARDUMP]'s scheduled task has been named `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` or `MicrosoftEdgeCrashRepoeterTaskMachineUA`, depending on the Windows OS version."
"T1036.005::[SUGARDUMP] has been named `CrashReporter.exe` to appear as a legitimate Mozilla executable."
"T1041::[SUGARDUMP] has sent stolen credentials and other data to its C2 server."
"T1053.005::[SUGARDUMP] has created scheduled tasks called `MicrosoftInternetExplorerCrashRepoeterTaskMachineUA` and `MicrosoftEdgeCrashRepoeterTaskMachineUA`, which were configured to execute `CrashReporter.exe` during user logon."
"T1071.001::A [SUGARDUMP] variant has used HTTP for C2."
"T1071.003::A [SUGARDUMP] variant used SMTP for C2."
"T1074.001::[SUGARDUMP] has stored collected data under `%<malware_execution_folder>%\\\\CrashLog.txt`."
"T1083::[SUGARDUMP] can search for and collect data from specific Chrome, Opera, Microsoft Edge, and Firefox files, including any folders that have the string `Profile` in its name."
"T1204.002::Some [SUGARDUMP] variants required a user to enable a macro within a malicious .xls file for execution."
"T1217::[SUGARDUMP] has collected browser bookmark and history information."
"T1518::[SUGARDUMP] can identify Chrome, Opera, Edge Chromium, and Firefox browsers, including version number, on a compromised host."
"T1555.003::[SUGARDUMP] variants have harvested credentials from browsers such as Firefox, Chrome, Opera, and Edge."
"T1560.003::[SUGARDUMP] has encrypted collected data using AES CBC mode and encoded it using Base64."
"T1016.001::[SUGARUSH] has checked for internet connectivity from an infected host before attempting to establish a new TCP connection."
"T1059.003::[SUGARUSH] has used `cmd` for execution on an infected host."
"T1095::[SUGARUSH] has used TCP for C2."
"T1543.003::[SUGARUSH] has created a service named `Service1` for persistence."
"T1571::[SUGARUSH] has used port 4585 for a TCP connection to its C2."
"T1001.001::[SUNBURST] added junk bytes to its C2 over HTTP."
"T1001.002::[SUNBURST] C2 data attempted to appear as benign XML related to .NET assemblies or as a faux JSON blob."
"T1001.003::[SUNBURST] masqueraded its network traffic as the Orion Improvement Program (OIP) protocol."
"T1005::[SUNBURST] collected information from a compromised host."
"T1007::[SUNBURST] collected a list of service names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists."
"T1012::[SUNBURST] collected the registry value HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Cryptography\\MachineGuid from compromised hosts."
"T1016::[SUNBURST] collected all network interface MAC addresses that are up and not loopback devices, as well as IP address, DHCP configuration, and domain information."
"T1027.005::[SUNBURST] source code used generic variable names and pre-obfuscated strings, and was likely sanitized of developer comments before being added to [SUNSPOT]."
"T1027::[SUNBURST] strings were compressed and encoded in Base64."
"T1033::[SUNBURST] collected the username from a compromised host."
"T1036.005::[SUNBURST] created VBScripts that were named after existing services or folders to blend into legitimate activities."
"T1047::[SUNBURST] used the WMI query Select * From Win32_SystemDriver to retrieve a driver listing."
"T1057::[SUNBURST] collected a list of process names that were hashed using a FNV-1a + XOR algorithm to check against similarly-hashed hardcoded blocklists."
"T1059.005::[SUNBURST] used VBScripts to initiate the execution of payloads."
"T1070.004::[SUNBURST] had a command to delete files."
"T1070.007::[SUNBURST] also removed the firewall rules it created during execution."
"T1070.009::[SUNBURST] removed IFEO registry values to clean up traces of persistence."
"T1070::[SUNBURST] removed HTTP proxy registry values to clean up traces of execution."
"T1071.001::[SUNBURST] communicated via HTTP GET or HTTP POST requests to third party servers for C2."
"T1071.004::[SUNBURST] used DNS for C2 traffic designed to mimic normal SolarWinds API communications."
"T1082::[SUNBURST] collected hostname, OS version, and device uptime."
"T1083::[SUNBURST] had commands to enumerate files and directories."
"T1105::[SUNBURST] delivered different payloads, including [TEARDROP] in at least one instance."
"T1112::[SUNBURST] had commands that allow an attacker to write or delete registry keys, and was observed stopping services by setting their HKLM\\SYSTEM\\CurrentControlSet\\services\\\\[service_name]\\\\Start registry entries to value 4."
"T1132.001::[SUNBURST] used Base64 encoding in its C2 traffic."
"T1218.011::[SUNBURST] used Rundll32 to execute payloads."
"T1497.001::[SUNBURST] checked the domain name of the compromised host to verify it was running in a real environment."
"T1497.003::[SUNBURST] remained dormant after initial access for a period of up to two weeks."
"T1518.001::[SUNBURST] checked for a variety of antivirus/endpoint detection agents prior to execution."
"T1546.012::[SUNBURST] created an Image File Execution Options (IFEO) Debugger registry value for the process dllhost.exe to trigger the installation of [Cobalt Strike]."
"T1553.002::[SUNBURST] was digitally signed by SolarWinds from March - May 2020."
"T1562.001::[SUNBURST] attempted to disable software security services following checks against a FNV-1a + XOR hashed hardcoded blocklist."
"T1568::[SUNBURST] dynamically resolved C2 infrastructure for randomly-generated subdomains within a parent domain."
"T1573.001::[SUNBURST] encrypted C2 traffic using a single-byte-XOR cipher."
"T1027::[SUNSPOT] encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for [SUNBURST] source code and data extracted from the SolarWinds Orion <MsBuild.exe process."
"T1036.005::[SUNSPOT] was identified on disk with a filename of taskhostsvc.exe and it created an encrypted log file at C:\\Windows\\Temp\\vmware-vmdmp.log."
"T1057::[SUNSPOT] monitored running processes for instances of MsBuild.exe by hashing the name of each running process and comparing it to the corresponding value 0x53D525. It also extracted command-line arguments and individual arguments from the running MsBuild.exe process to identify the directory path of the Orion software Visual Studio solution."
"T1070.004::Following the successful injection of [SUNBURST], [SUNSPOT] deleted a temporary file it created named InventoryManager.bk after restoring the original SolarWinds Orion source code to the software library."
"T1083::[SUNSPOT] enumerated the Orion software Visual Studio solution directory path."
"T1106::[SUNSPOT] used Windows API functions such as MoveFileEx and NtQueryInformationProcess as part of the [SUNBURST] injection process."
"T1134::[SUNSPOT] modified its security token to grants itself debugging privileges by adding SeDebugPrivilege."
"T1140::[SUNSPOT] decrypts [SUNBURST], which was stored in AES128-CBC encrypted blobs."
"T1195.002::[SUNSPOT] malware was designed and used to insert [SUNBURST] into software builds of the SolarWinds Orion IT management product."
"T1480::[SUNSPOT] only replaces SolarWinds Orion source code if the MD5 checksums of both the original source code file and backdoored replacement source code match hardcoded values."
"T1565.001::[SUNSPOT] created a copy of the SolarWinds Orion software source file with a .bk extension to backup the original content, wrote [SUNBURST] using the same filename but with a .tmp extension, and then moved [SUNBURST] using MoveFileEx to the original filename with a .cs extension so it could be compiled within Orion software."
"T1027::[SUPERNOVA] contained Base64-encoded strings."
"T1036.005::[SUPERNOVA] has masqueraded as a legitimate SolarWinds DLL."
"T1071.001::[SUPERNOVA] had to receive an HTTP GET request containing a specific set of parameters in order to execute."
"T1203::[SUPERNOVA] was installed via exploitation of a SolarWinds Orion API authentication bypass vulnerability (CVE-2020-10148)."
"T1505.003::[SUPERNOVA] is a Web shell."
"T1007::[Sykipot] may use net start to display running services."
"T1016::[Sykipot] may use ipconfig /all to gather system network configuration details."
"T1018::[Sykipot] may use net view /domain to display hostnames of available systems on a network."
"T1049::[Sykipot] may use netstat -ano to display active network connections."
"T1055.001::[Sykipot] injects itself into running instances of outlook.exe, iexplore.exe, or firefox.exe."
"T1056.001::[Sykipot] contains keylogging functionality to steal passwords."
"T1057::[Sykipot] may gather a list of running processes by running tasklist /v."
"T1087.002::[Sykipot] may use net group \"domain admins\" /domain to display accounts in the \"domain admins\" permissions group and net localgroup \"administrators\" to list local system administrator group membership."
"T1111::[Sykipot] is known to contain functionality that enables targeting of smart card technologies to proxy authentication for connections to restricted network resources using detected hardware tokens."
"T1547.001::[Sykipot] has been known to establish persistence by adding programs to the Run Registry key."
"T1573.002::[Sykipot] uses SSL for encrypting C2 communications."
"T1007::[SynAck] enumerates all running services."
"T1012::[SynAck] enumerates Registry keys associated with event logs."
"T1027::[SynAck] payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering."
"T1033::[SynAck] gathers user names from infected hosts."
"T1055.013::[SynAck] abuses NTFS transactions to launch and conceal malicious processes."
"T1057::[SynAck] enumerates all running processes."
"T1070.001::[SynAck] clears event logs."
"T1082::[SynAck] gathers computer names, OS version info, and also checks installed keyboard layouts to estimate if it has been launched from a certain list of countries."
"T1083::[SynAck] checks its directory location in an attempt to avoid launching in a sandbox."
"T1106::[SynAck] parses the export tables of system DLLs to locate and call various Windows API functions."
"T1112::[SynAck] can manipulate Registry keys."
"T1486::[SynAck] encrypts the victims machine followed by asking the victim to pay a ransom."
"T1497.001::[SynAck] checks its directory location in an attempt to avoid launching in a sandbox."
"T1614.001::[SynAck] lists all the keyboard layouts installed on the victim’s system using GetKeyboardLayoutList API and checks against a hardcoded language code list. If a match if found, SynAck sleeps for 300 seconds and then exits without encrypting files."
"T1205::[SYNful Knock] can be sent instructions via special packets to change its functionality. Code for new functionality can be included in these messages."
"T1556.004::[SYNful Knock] has the capability to add its own custom backdoor password when it modifies the operating system of the affected network device."
"T1601.001::[SYNful Knock] is malware that is inserted into a network device by patching the operating system image."
"T1016::[Sys10] collects the local IP address of the victim and sends it to the C2."
"T1033::[Sys10] collects the account name of the logged-in user and sends it to the C2."
"T1069.001::[Sys10] collects the group name of the logged-in user and sends it to the C2."
"T1071.001::[Sys10] uses HTTP for C2."
"T1082::[Sys10] collects the computer name, OS versioning information, and OS install date and sends the information to the C2."
"T1573.001::[Sys10] uses an XOR 0x1 loop to encrypt its C2 domain."
"T1057::[SYSCON] has the ability to use [Tasklist] to list running processes."
"T1059.003::[SYSCON] has the ability to execute commands through [cmd] on a compromised host."
"T1071.002::[SYSCON] has the ability to use FTP in C2 communications."
"T1082::[SYSCON] has the ability to use [Systeminfo] to identify system information."
"T1204.002::[SYSCON] has been executed by luring victims to open malicious e-mail attachments."
"T1027.002::[SysUpdate] can use packed binaries."
"T1027::[SysUpdate] can encrypt and encode its configuration file."
"T1047::[SysUpdate] can use WMI for execution on a compromised host."
"T1070.004::[SysUpdate] can delete its configuration file from the targeted system."
"T1082::[SysUpdate] can determine whether a system has a 32 bit or 64 bit architecture."
"T1083::[SysUpdate] can search files on a compromised host."
"T1105::[SysUpdate] has the ability to download files to a compromised host."
"T1112::[SysUpdate] can write its configuration file to Software\\Classes\\scConfig in either HKEY_LOCAL_MACHINE or HKEY_CURRENT_USER."
"T1113::[SysUpdate] has the ability to capture screenshots."
"T1140::[SysUpdate] can deobfuscate packed binaries in memory."
"T1543.003::[SysUpdate] can create a service to establish persistence."
"T1547.001::[SysUpdate] can use a Registry Run key to establish persistence."
"T1564.001::[SysUpdate] has the ability to set file attributes to hidden."
"T1569.002::[SysUpdate] can manage services and processes."
"T1574.002::[SysUpdate] can load DLLs through vulnerable legitimate executables."
"T1016::[T9000] gathers and beacons the MAC and IP addresses during installation."
"T1033::[T9000] gathers and beacons the username of the logged in account during installation. It will also gather the username of running processes to determine if it is running as SYSTEM."
"T1082::[T9000] gathers and beacons the operating system build number and CPU Architecture (32-bit/64-bit) during installation."
"T1113::[T9000] can take screenshots of the desktop and target application windows, saving them to user directories as one byte XOR encrypted .dat files."
"T1119::[T9000] searches removable storage devices for files with a pre-defined list of file extensions (e.g. * .doc, *.ppt, *.xls, *.docx, *.pptx, *.xlsx). Any matching files are encrypted and written to a local user directory."
"T1120::[T9000] searches through connected drives for removable storage devices."
"T1123::[T9000] uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\\Intel\\Skype."
"T1124::[T9000] gathers and beacons the system time during installation."
"T1125::[T9000] uses the Skype API to record audio and video calls. It writes encrypted data to %APPDATA%\\Intel\\Skype."
"T1518.001::[T9000] performs checks for various antivirus and security products during installation."
"T1546.010::If a victim meets certain criteria, [T9000] uses the AppInit_DLL functionality to achieve persistence by ensuring that every user mode process that is spawned will load its malicious DLL, ResN32.dll. It does this by creating the following Registry keys: HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\AppInit_DLLs – %APPDATA%\\Intel\\ResN32.dll and HKLM\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\LoadAppInit_DLLs – 0x1."
"T1560.003::[T9000] encrypts collected data using a single byte XOR key."
"T1574.002::During the [T9000] installation process, it drops a copy of the legitimate Microsoft binary igfxtray.exe. The executable contains a side-loading weakness which is used to load a portion of the malware."
"T1001.003::[TAINTEDSCRIBE] has used FakeTLS for session authentication."
"T1008::[TAINTEDSCRIBE] can randomly pick one of five hard-coded IP addresses for C2 communication; if one of the IP fails, it will wait 60 seconds and then try another IP address."
"T1018::The [TAINTEDSCRIBE] command and execution module can perform target system enumeration."
"T1027.001::[TAINTEDSCRIBE] can execute FileRecvWriteRand to append random bytes to the end of a file received from C2."
"T1036.005::The [TAINTEDSCRIBE] main executable has disguised itself as Microsoft’s Narrator."
"T1057::[TAINTEDSCRIBE] can execute ProcessList for process discovery."
"T1059.003::[TAINTEDSCRIBE] can enable Windows CLI access and execute files."
"T1070.004::[TAINTEDSCRIBE] can delete files from a compromised host."
"T1070.006::[TAINTEDSCRIBE] can change the timestamp of specified filenames."
"T1082::[TAINTEDSCRIBE] can use DriveList to retrieve drive information."
"T1083::[TAINTEDSCRIBE] can use DirectoryList to enumerate files in a specified directory."
"T1105::[TAINTEDSCRIBE] can download additional modules from its C2 server."
"T1124::[TAINTEDSCRIBE] can execute GetLocalTime for time discovery."
"T1547.001::[TAINTEDSCRIBE] can copy itself into the current user’s Startup folder as “Narrator.exe” for persistence."
"T1560::[TAINTEDSCRIBE] has used FileReadZipSend to compress a file and send to C2."
"T1573.001::[TAINTEDSCRIBE] uses a Linear Feedback Shift Register (LFSR) algorithm for network encryption."
"T1005::[TajMahal] has the ability to steal documents from the local system including the print spooler queue."
"T1016::[TajMahal] has the ability to identify the MAC address on an infected host."
"T1020::[TajMahal] has the ability to manage an automated queue of egress files and commands sent to its C2."
"T1025::[TajMahal] has the ability to steal written CD images and files of interest from previously connected removable drives when they become available again."
"T1027::[TajMahal] has used an encrypted Virtual File System to store plugins."
"T1041::[TajMahal] has the ability to send collected files over its C2."
"T1055.001::[TajMahal] has the ability to inject DLLs for malicious plugins into running processes."
"T1056.001::[TajMahal] has the ability to capture keystrokes on an infected host."
"T1057::[TajMahal] has the ability to identify running processes and associated plugins on an infected host."
"T1082::[TajMahal] has the ability to identify hardware information, the computer name, and OS information on an infected host."
"T1083::[TajMahal] has the ability to index files from drives, user profiles, and removable drives."
"T1112::[TajMahal] can set the KeepPrintedJobs attribute for configured printers in SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\Print\\\\Printers to enable document stealing."
"T1113::[TajMahal] has the ability to take screenshots on an infected host including capturing content from windows of instant messaging applications."
"T1115::[TajMahal] has the ability to steal data from the clipboard of an infected host."
"T1119::[TajMahal] has the ability to index and compress files into a send queue for exfiltration."
"T1120::[TajMahal] has the ability to identify connected Apple devices."
"T1123::[TajMahal] has the ability to capture VoiceIP application audio on an infected host."
"T1124::[TajMahal] has the ability to determine local time on a compromised host."
"T1125::[TajMahal] has the ability to capture webcam video."
"T1129::[TajMahal] has the ability to inject the LoadLibrary call template DLL into running processes."
"T1518.001::[TajMahal] has the ability to identify which anti-virus products, firewalls, and anti-spyware products are in use."
"T1518::[TajMahal] has the ability to identify the Internet Explorer (IE) version on an infected host."
"T1539::[TajMahal] has the ability to steal web session cookies from Internet Explorer, Netscape Navigator, FireFox and RealNetworks applications."
"T1560.002::[TajMahal] has the ability to use the open source libraries XZip/Xunzip and zlib to compress files."
"T1036.004::[Tarrask] creates a scheduled task called “WinUpdate” to re-establish any dropped  C2 connections."
"T1036.005::[Tarrask] has masqueraded as executable files such as `winupdate.exe`, `date.exe`, or `win.exe`."
"T1053.005::[Tarrask] is able to create “hidden” scheduled tasks for persistence."
"T1059.003::[Tarrask] may abuse the Windows schtasks command-line tool to create \"hidden\" scheduled tasks."
"T1112::[Tarrask] is able to delete the Security Descriptor (`SD`) registry subkey in order to “hide” scheduled tasks."
"T1134.001::[Tarrask] leverages token theft to obtain `lsass.exe` security permissions."
"T1564::[Tarrask] is able to create “hidden” scheduled tasks by deleting the Security Descriptor (`SD`) registry value."
"T1059.003::[TDTESS] provides a reverse shell on the victim."
"T1070.004::[TDTESS] creates then deletes log files during installation of itself as a service."
"T1070.006::After creating a new service for persistence, [TDTESS] sets the file creation time for the service to the creation time of the victim's legitimate svchost.exe file."
"T1105::[TDTESS] has a command to download and execute an additional file."
"T1543.003::If running as administrator, [TDTESS] installs itself as a new service named bmwappushservice to establish persistence."
"T1012::[TEARDROP] checked that HKU\\SOFTWARE\\Microsoft\\CTF existed before decoding its embedded payload."
"T1027::[TEARDROP] created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher."
"T1036.005::[TEARDROP] files had names that resembled legitimate Window file and directory names."
"T1112::[TEARDROP] modified the Registry to create a Windows service for itself on a compromised host."
"T1140::[TEARDROP] was decoded using a custom rolling XOR algorithm to execute a customized [Cobalt Strike] payload."
"T1543.003::[TEARDROP] ran as a Windows service from the c:\\windows\\syswow64 folder."
"T1059.003::[TEXTMATE] executes cmd.exe to provide a reverse shell to adversaries."
"T1071.004::[TEXTMATE] uses DNS TXT records for C2."
"T1036.005::[ThiefQuest] prepends a copy of itself to the beginning of an executable file while maintaining the name of the executable."
"T1041::[ThiefQuest] exfiltrates targeted file extensions in the /Users/ folder to the command and control server via unencrypted HTTP. Network packets contain a string with two pieces of information: a file path and the contents of the file in a base64 encoded string."
"T1056.001::[ThiefQuest] uses the CGEventTap functions to perform keylogging."
"T1057::[ThiefQuest] obtains a list of running processes using the function kill_unwanted."
"T1059.002::[ThiefQuest] uses [AppleScript]'s osascript -e command to launch [ThiefQuest]'s persistence via [Launch Agent] and [Launch Daemon]."
"T1071.001::[ThiefQuest] uploads files via unencrypted HTTP."
"T1105::[ThiefQuest] can download and execute payloads in-memory or from disk."
"T1106::[ThiefQuest] uses various API to perform behaviors such as executing payloads and performing local enumeration."
"T1486::[ThiefQuest] encrypts a set of file extensions on a host, deletes the original files, and provides a ransom note with no contact information."
"T1497.003::[ThiefQuest] invokes time call to check the system's time, executes a sleep command, invokes a second time call, and then compares the time difference between the two time calls and the amount of time the system slept to identify the sandbox."
"T1518.001::[ThiefQuest] uses the kill_unwanted function to get a list of running processes, compares each process with an encrypted list of “unwanted” security related programs, and kills the processes for security related programs."
"T1543.001::[ThiefQuest] installs a launch item using an embedded encrypted launch agent property list template. The plist file is installed in the ~/Library/LaunchAgents/ folder and configured with the path to the persistent binary located in the ~/Library/ folder."
"T1543.004::When running with root privileges after a [Launch Agent] is installed, [ThiefQuest] installs a plist file to the /Library/LaunchDaemons/ folder with the RunAtLoad key set to true establishing persistence as a Launch Daemon."
"T1554::[ThiefQuest] searches through the /Users/ folder looking for executable files. For each executable, [ThiefQuest] prepends a copy of itself to the beginning of the file. When the file is executed, the [ThiefQuest] code is executed first. [ThiefQuest] creates a hidden file, copies the original target executable to the file, then executes the new hidden file to maintain the appearance of normal behavior."
"T1562.001::[ThiefQuest] uses the function kill_unwanted to obtain a list of running processes and kills each process matching a list of security related processes."
"T1564.001::[ThiefQuest] hides a copy of itself in the user's ~/Library directory by using a . at the beginning of the file name followed by 9 random characters."
"T1620::[ThiefQuest] uses various API functions such as NSCreateObjectFileImageFromMemory to load and link in-memory payloads."
"T1622::[ThiefQuest] uses a function named is_debugging to perform anti-debugging logic. The function invokes sysctl checking the returned value of P_TRACED. [ThiefQuest] also calls ptrace with the PTRACE_DENY_ATTACH flag to prevent debugging."
"T1005::[ThreatNeedle] can collect data and files from a compromised host."
"T1027::[ThreatNeedle] has been compressed and obfuscated using RC4, AES, or XOR."
"T1036.005::[ThreatNeedle] chooses its payload creation path from a randomly selected service name from netsvc."
"T1082::[ThreatNeedle] can collect system profile information from a compromised host."
"T1083::[ThreatNeedle] can obtain file and directory information."
"T1105::[ThreatNeedle] can download additional tools to enable lateral movement."
"T1112::[ThreatNeedle] can save its configuration data as the following RC4-encrypted Registry key: `HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\GameCon`."
"T1140::[ThreatNeedle] can decrypt its payload using RC4, AES, or one-byte XORing."
"T1204.002::[ThreatNeedle] relies on a victim to click on a malicious document for initial execution."
"T1543.003::[ThreatNeedle] can run in memory and register its payload as a Windows service."
"T1547.001::[ThreatNeedle] can be loaded into the Startup folder (`%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\OneDrives.lnk`) as a Shortcut file for persistence."
"T1566.001::[ThreatNeedle] has been distributed via a malicious Word document within a spearphishing email."
"T1005::[TinyTurla] can upload files from a compromised host."
"T1008::[TinyTurla] can go through a list of C2 server IPs and will try to register with each until one responds."
"T1012::[TinyTurla] can query the Registry for its configuration information."
"T1029::[TinyTurla] contacts its C2 based on a scheduled timing set in its configuration."
"T1036.004::[TinyTurla] has mimicked an existing Windows service by being installed as Windows Time Service."
"T1036.005::[TinyTurla] has been deployed as `w64time.dll` to appear legitimate."
"T1059.003::[TinyTurla] has been installed using a .bat file."
"T1071.001::[TinyTurla] can use HTTPS in C2 communications."
"T1105::[TinyTurla] has the ability to act as a second-stage dropper used to infect the system with additional malware."
"T1106::[TinyTurla] has used `WinHTTP`, `CreateProcess`, and other APIs for C2 communications and other functions."
"T1112::[TinyTurla] can set its configuration parameters in the Registry."
"T1569.002::[TinyTurla] can install itself as a service on compromised machines."
"T1573.002::[TinyTurla] has the ability to encrypt C2 traffic with SSL/TLS."
"T1020::When a document is found matching one of the extensions in the configuration, [TINYTYPHON] uploads it to the C2 server."
"T1027::[TINYTYPHON] has used XOR with 0x90 to obfuscate its configuration file."
"T1083::[TINYTYPHON] searches through the drive containing the OS, then all drive letters C through to Z, for documents matching certain extensions."
"T1547.001::[TINYTYPHON] installs itself under Registry Run key to establish persistence."
"T1056.001::[TinyZBot] contains keylogger functionality."
"T1059.003::[TinyZBot] supports execution from the command-line."
"T1113::[TinyZBot] contains screen capture functionality."
"T1115::[TinyZBot] contains functionality to collect information from the clipboard."
"T1543.003::[TinyZBot] can install as a Windows service for persistence."
"T1547.001::[TinyZBot] can create a shortcut in the Windows startup folder for persistence."
"T1547.009::[TinyZBot] can create a shortcut in the Windows startup folder for persistence."
"T1562.001::[TinyZBot] can disable Avira anti-virus."
"T1005::[Tomiris] has the ability to collect recent files matching a hardcoded list of extensions prior to exfiltration."
"T1027.002::[Tomiris] has been packed with UPX."
"T1041::[Tomiris] can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server."
"T1053.005::[Tomiris] has used `SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR \"[path to self]\" /ST 10:00` to establish persistence."
"T1071.001::[Tomiris] can use HTTP to establish C2 communications."
"T1105::[Tomiris] can download files and execute them on a victim's system."
"T1497.003::[Tomiris] has the ability to sleep for at least nine minutes to evade sandbox-based analysis systems."
"T1568::[Tomiris] has connected to a signalization server that provides a URL and port, and then [Tomiris] sends a GET request to that URL to establish C2."
"T1016::[Torisma] can collect the local MAC address using `GetAdaptersInfo` as well as the system's IP address."
"T1027.002::[Torisma] has been packed with Iz4 compression."
"T1027::[Torisma] has been Base64 encoded and AES encrypted."
"T1041::[Torisma] can send victim data to an actor-controlled C2 server."
"T1049::[Torisma] can use `WTSEnumerateSessionsW` to monitor remote desktop connections."
"T1071.001::[Torisma] can use HTTP and HTTPS for C2 communications."
"T1082::[Torisma] can use `GetlogicalDrives` to get a bitmask of all drives available on a compromised system. It can also use `GetDriveType` to determine if a new drive is a CD-ROM drive."
"T1106::[Torisma] has used various Windows API calls."
"T1124::[Torisma] can collect the current time on a victim machine."
"T1132.001::[Torisma] has encoded C2 communications with Base64."
"T1140::[Torisma] has used XOR and Base64 to decode C2 data."
"T1480::[Torisma] is only delivered to a compromised host if the victim's IP address is on an allow-list."
"T1573.001::[Torisma] has encrypted its C2 communications using XOR and VEST-32."
"T1001.001::[TrailBlazer] has used random identifier strings to obscure its C2 operations and result codes."
"T1001::[TrailBlazer] can masquerade its C2 traffic as legitimate Google Notifications HTTP requests."
"T1036::[TrailBlazer] has used filenames that match the name of the compromised system in attempt to avoid detection."
"T1071.001::[TrailBlazer] has used HTTP requests for C2."
"T1546.003::[TrailBlazer] has the ability to use WMI for persistence."
"T1005::[TrickBot] collects local files and information from the victim’s local machine."
"T1007::[TrickBot] collects a list of install programs and services on the system’s machine."
"T1008::[TrickBot] can use secondary C2 servers for communication after establishing connectivity and relaying victim information to primary C2 servers."
"T1016::[TrickBot] obtains the IP address, location, and other relevant network information from the victim’s machine."
"T1018::[TrickBot] can enumerate computers and network devices."
"T1021.005::[TrickBot] has used a VNC module to monitor the victim and collect information to pivot to valuable systems on the network"
"T1027.002::[TrickBot] leverages a custom packer to obfuscate its functionality."
"T1027::[TrickBot] uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files."
"T1033::[TrickBot] can identify the user and groups the user belongs to on a compromised host."
"T1036::The [TrickBot] downloader has used an icon to appear as a Microsoft Word document."
"T1041::[TrickBot] can send information about the compromised host and upload data to a hardcoded C2 server."
"T1053.005::[TrickBot] creates a scheduled task on the system that provides persistence."
"T1055.012::[TrickBot] injects into the svchost.exe process."
"T1055::[TrickBot] has used Nt* [Native API] functions to inject code into legitimate processes such as wermgr.exe."
"T1056.004::[TrickBot] has the ability to capture RDP credentials by capturing the CredEnumerateA API"
"T1057::[TrickBot] uses module networkDll for process list discovery."
"T1059.001::[TrickBot] has been known to use PowerShell to download new payloads, open documents, and upload data to command and control servers."
"T1059.003::[TrickBot] has used macros in Excel documents to download and deploy the malware on the user’s machine."
"T1069::[TrickBot] can identify the groups the user on a compromised host belongs to."
"T1071.001::[TrickBot] uses HTTPS to communicate with its C2 servers, to get malware updates, modules that perform most of the malware logic and various configuration files."
"T1082::[TrickBot] gathers the OS version, machine name, CPU type, amount of RAM available, and UEFI/BIOS firmware information from the victim’s machine."
"T1083::[TrickBot] searches the system for all of the following file extensions: .avi, .mov, .mkv, .mpeg, .mpeg4, .mp4, .mp3, .wav, .ogg, .jpeg, .jpg, .png, .bmp, .gif, .tiff, .ico, .xlsx, and .zip. It can also obtain browsing history, cookies, and plug-in information."
"T1087.001::[TrickBot] collects the users of the system."
"T1087.003::[TrickBot] collects email addresses from Outlook."
"T1090.002::[TrickBot] has been known to reach a command and control server via one of nine proxy IP addresses."
"T1105::[TrickBot] downloads several additional files and saves them to the victim's machine."
"T1106::[TrickBot] uses the Windows API call, CreateProcessW(), to manage execution flow."
"T1110.004::[TrickBot] uses brute-force attack against RDP with rdpscanDll module."
"T1112::[TrickBot] can modify registry entries."
"T1132.001::[TrickBot] can Base64-encode C2 commands."
"T1135::[TrickBot] module shareDll/mshareDll discovers network shares via the WNetOpenEnumA API."
"T1140::[TrickBot] decodes the configuration data and modules."
"T1185::[TrickBot] uses web injects and browser redirection to trick the user into providing their login credentials on a fake or modified web page."
"T1204.002::[TrickBot] has attempted to get users to launch malicious documents to deliver its payload."
"T1210::[TrickBot] utilizes EternalBlue and EternalRomance exploits for lateral movement in the modules wormwinDll, wormDll, mwormDll, nwormDll, tabDll."
"T1219::[TrickBot] uses vncDll module to remote control the victim machine."
"T1482::[TrickBot] can gather information about domain trusts by utilizing [Nltest]."
"T1495::[TrickBot] module \"Trickboot\" can write or erase the UEFI/BIOS firmware of a compromised device."
"T1497.003::[TrickBot] has used printf and file I/O loops to delay process execution as part of API hammering."
"T1542.003::[TrickBot] can implant malicious code into a compromised device's firmware."
"T1543.003::[TrickBot] establishes persistence by creating an autostart service that allows it to run whenever the machine boots."
"T1547.001::[TrickBot] establishes persistence in the Startup folder."
"T1552.001::[TrickBot] can obtain passwords stored in files from several applications such as Outlook, Filezilla, OpenSSH, OpenVPN and WinSCP."
"T1552.002::[TrickBot] has retrieved PuTTY credentials by querying the Software\\SimonTatham\\Putty\\Sessions registry key"
"T1553.002::[TrickBot] has come with a signed downloader component."
"T1555.003::[TrickBot] can obtain passwords stored in files from web browsers such as Chrome, Firefox, Internet Explorer, and Microsoft Edge, sometimes using [esentutl]."
"T1555.005::[TrickBot] can steal passwords from the KeePass open source password manager."
"T1559.001::[TrickBot] used COM to setup scheduled task for persistence."
"T1562.001::[TrickBot] can disable Windows Defender."
"T1566.001::[TrickBot] has used an email with an Excel sheet containing a malicious macro to deploy the malware"
"T1566.002::[TrickBot] has been delivered via malicious links in phishing e-mails."
"T1571::Some [TrickBot] samples have used HTTP over ports 447 and 8082 for C2."
"T1573.001::[TrickBot] uses a custom crypter leveraging Microsoft’s CryptoAPI to encrypt C2 traffic."
"T1018::[TRITON]’s TsLow python module pings controllers over the TriStation protocol."
"T1027::[TRITON] encoded the two inject.bin and imain.bin payloads."
"T1036.005::[TRITON] disguised itself as the legitimate Triconex Trilog application."
"T1036::[TRITON] attempts to write a dummy program into memory if it fails to reset the Triconex controller."
"T1059.006::[TRITON] was run as trilog.exe, a Py2EXE compiled python script that accepts a single IP address as a flag."
"T1003::[Trojan.Karagany] can dump passwords and save them into \\ProgramData\\Mail\\MailAg\\pwds.txt."
"T1010::[Trojan.Karagany] can monitor the titles of open windows to identify specific keywords."
"T1016::[Trojan.Karagany] can gather information on the network configuration of a compromised host."
"T1027.002::[Trojan.Karagany] samples sometimes use common binary packers such as UPX and Aspack on top of a custom Delphi binary packer."
"T1027::[Trojan.Karagany] can base64 encode and AES-128-CBC encrypt data prior to transmission."
"T1033::[Trojan.Karagany] can gather information about the user on a compromised host."
"T1049::[Trojan.Karagany] can use [netstat] to collect a list of network connections."
"T1055.003::[Trojan.Karagany] can inject a suspended thread of its own process into a new process and initiate via the ResumeThread API."
"T1056.001::[Trojan.Karagany] can capture keystrokes on a compromised host."
"T1057::[Trojan.Karagany] can use [Tasklist] to collect a list of running tasks."
"T1059.003::[Trojan.Karagany] can perform reconnaissance commands on a victim machine via a cmd.exe process."
"T1070.004::[Trojan.Karagany] has used plugins with a self-delete capability."
"T1071.001::[Trojan.Karagany] can communicate with C2 via HTTP POST requests."
"T1074.001::[Trojan.Karagany] can create directories to store plugin output and stage data for exfiltration."
"T1082::[Trojan.Karagany] can capture information regarding the victim's OS, security, and hardware configuration."
"T1083::[Trojan.Karagany] can enumerate files and directories on a compromised host."
"T1105::[Trojan.Karagany] can upload, download, and execute files on the victim."
"T1113::[Trojan.Karagany] can take a desktop screenshot and save the file into \\ProgramData\\Mail\\MailAg\\shot.png."
"T1497.001::[Trojan.Karagany] can detect commonly used and generic virtualization platforms based primarily on drivers and file paths."
"T1547.001::[Trojan.Karagany] can create a link to itself in the Startup folder to automatically start itself upon system restart."
"T1555.003::[Trojan.Karagany] can steal data and credentials from browsers."
"T1573.002::[Trojan.Karagany] can secure C2 communications with SSL and TLS."
"T1542.001::[Trojan.Mebromi] performs BIOS modification and can download and execute a file as well as protect itself from removal."
"T1036.004::To establish persistence, [Truvasys] adds a Registry Run key with a value \"TaskMgr\" in an attempt to masquerade as the legitimate Windows Task Manager."
"T1547.001::[Truvasys] adds a Registry Run key to establish persistence."
"T1016::[TSCookie] has the ability to identify the IP of the infected host."
"T1055::[TSCookie] has the ability to inject code into the svchost.exe, iexplorer.exe, explorer.exe, and default browser processes."
"T1057::[TSCookie] has the ability to list processes on the infected host."
"T1059.003::[TSCookie] has the ability to execute shell commands on the infected host."
"T1071.001::[TSCookie] can multiple protocols including HTTP and HTTPS in communication with command and control (C2) servers."
"T1083::[TSCookie] has the ability to discover drive information on the infected host."
"T1090::[TSCookie] has the ability to proxy communications with command and control (C2) servers."
"T1095::[TSCookie] can use ICMP to receive information on the destination server."
"T1105::[TSCookie] has the ability to upload and download files to and from the infected host."
"T1140::[TSCookie] has the ability to decrypt, load, and execute a DLL and its resources."
"T1204.001::[TSCookie] has been executed via malicious links embedded in e-mails spoofing the Ministries of Education, Culture, Sports, Science and Technology of Japan."
"T1555.003::[TSCookie] has the ability to steal saved passwords from the Internet Explorer, Edge, Firefox, and Chrome browsers."
"T1573.001::[TSCookie] has encrypted network communications with RC4."
"T1001.001::[Turian] can insert pseudo-random characters into its network encryption setup."
"T1016::[Turian] can retrieve the internal IP address of a compromised host."
"T1027::[Turian] can use VMProtect for obfuscation."
"T1033::[Turian] can retrieve usernames."
"T1036.004::[Turian] can disguise as a legitimate service to blend into normal operations."
"T1059.003::[Turian] can create a remote shell and execute commands using [cmd]."
"T1059.004::[Turian] has the ability to use /bin/sh to execute commands."
"T1059.006::[Turian] has the ability to use Python to spawn a Unix shell."
"T1071.001::[Turian] has the ability to use HTTP for its C2."
"T1074.001::[Turian] can store copied files in a specific directory prior to exfiltration."
"T1082::[Turian] can retrieve system information including OS version, memory usage, local hostname, and system adapter information."
"T1083::[Turian] can search for specific files and list directories."
"T1105::[Turian] can download additional files and tools from its C2."
"T1113::[Turian] has the ability to take screenshots."
"T1120::[Turian] can scan for removable media to collect data."
"T1140::[Turian] has the ability to use a XOR decryption key to extract C2 server domains and IP addresses."
"T1547.001::[Turian] can establish persistence by adding Registry Run keys."
"T1560.001::[Turian] can use WinRAR to create a password-protected archive for files of interest."
"T1055.004::[TURNEDUP] is capable of injecting code into the APC queue of a created [Rundll32] process as part of an \"Early Bird injection.\""
"T1059.003::[TURNEDUP] is capable of creating a reverse shell."
"T1082::[TURNEDUP] is capable of gathering system information."
"T1105::[TURNEDUP] is capable of downloading additional files."
"T1113::[TURNEDUP] is capable of taking screenshots."
"T1547.001::[TURNEDUP] is capable of writing to a Registry Run key to establish."
"T1027::APIs and strings in some [TYPEFRAME] variants are RC4 encrypted. Another variant is encoded with XOR."
"T1059.003::[TYPEFRAME] can uninstall malware components using a batch script."
"T1059.005::[TYPEFRAME] has used a malicious Word document for delivery with VBA macros for execution."
"T1070.004::[TYPEFRAME] can delete files off the system."
"T1082::[TYPEFRAME] can gather the disk volume information."
"T1083::[TYPEFRAME] can search directories for files on the victim’s machine."
"T1090::A [TYPEFRAME] variant can force the compromised system to function as a proxy server."
"T1105::[TYPEFRAME] can upload and download files to the victim’s machine."
"T1112::[TYPEFRAME] can install encrypted configuration data under the Registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\ShellCompatibility\\Applications\\laxhost.dll and HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\PrintConfigs."
"T1140::One [TYPEFRAME] variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value \"0x35\"."
"T1204.002::A Word document delivering [TYPEFRAME] prompts the user to enable macro execution."
"T1543.003::[TYPEFRAME] variants can add malicious DLL modules as new services.[TYPEFRAME] can also delete services from the victim’s machine."
"T1562.004::[TYPEFRAME] can open the Windows Firewall on the victim’s machine to allow incoming connections."
"T1571::[TYPEFRAME] has used ports 443, 8080, and 8443 with a FakeTLS method."
"T1027::[UBoatRAT] encrypts instructions in the payload using a simple XOR cipher."
"T1057::[UBoatRAT] can list running processes on the system."
"T1059.003::[UBoatRAT] can start a command shell."
"T1071.001::[UBoatRAT] has used HTTP for C2 communications."
"T1102.002::[UBoatRAT] has used GitHub and a public blog service in Hong Kong for C2 communications."
"T1105::[UBoatRAT] can upload and download files to the victim’s machine."
"T1197::[UBoatRAT] takes advantage of the /SetNotifyCmdLine option in [BITSAdmin] to ensure it stays running on a system to maintain persistence."
"T1497.001::[UBoatRAT] checks for virtualization software such as VMWare, VirtualBox, or QEmu on the compromised machine."
"T1014::[Umbreon] hides from defenders by hooking libc function calls, hiding artifacts that would reveal its presence, such as the user account it creates to provide access and undermining strace, a tool often used to identify malware."
"T1059.003::[Umbreon] provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet"
"T1078.003::[Umbreon] creates valid local users to provide access to the system."
"T1095::[Umbreon] provides access to the system via SSH or any other protocol that uses PAM to authenticate."
"T1205::[Umbreon] provides additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet."
"T1016::[Unknown Logger] can obtain information about the victim's IP address."
"T1033::[Unknown Logger] can obtain information about the victim usernames."
"T1056.001::[Unknown Logger] is capable of recording keystrokes."
"T1082::[Unknown Logger] can obtain information about the victim computer name, physical memory, country, and date."
"T1091::[Unknown Logger] is capable of spreading to USB devices."
"T1105::[Unknown Logger] is capable of downloading remote files."
"T1555.003::[Unknown Logger] is capable of stealing usernames and passwords from browsers on the victim machine."
"T1562.001::[Unknown Logger] has functionality to disable security tools, including Kaspersky, BitDefender, and MalwareBytes."
"T1016::[UPPERCUT] has the capability to gather the victim's proxy information."
"T1033::[UPPERCUT] has the capability to collect the current logged on user’s username from a machine."
"T1059.003::[UPPERCUT] uses cmd.exe to execute commands on the victim’s machine."
"T1071.001::[UPPERCUT] has used HTTP for C2, including sending error codes in Cookie headers."
"T1082::[UPPERCUT] has the capability to gather the system’s hostname and OS version."
"T1083::[UPPERCUT] has the capability to gather the victim's current directory."
"T1105::[UPPERCUT] can download and upload files to and from the victim’s machine."
"T1113::[UPPERCUT] can capture desktop screenshots in the PNG format and send them to the C2 server."
"T1124::[UPPERCUT] has the capability to obtain the time zone information and current timestamp of the victim’s machine."
"T1573.001::Some versions of [UPPERCUT] have used the hard-coded string “this is the encrypt key” for Blowfish encryption when communicating with a C2. Later versions have hard-coded keys uniquely for each C2 address."
"T1014::[Uroburos] is a rootkit used by [Turla]."
"T1027.002::[Uroburos] uses a custom packer."
"T1005::[Ursnif] has collected files from victim machines, including certificates and cookies."
"T1007::[Ursnif] has gathered information about running services."
"T1012::[Ursnif] has used [Reg] to query the Registry for installed programs."
"T1027::[Ursnif] has used an XOR-based algorithm to encrypt Tor clients dropped to disk."
"T1036.005::[Ursnif] has used strings from legitimate system files and existing folders for its file, folder, and Registry entry names."
"T1041::[Ursnif] has used HTTP POSTs to exfil gathered information."
"T1047::[Ursnif] droppers have used WMI classes to execute [PowerShell] commands."
"T1055.005::[Ursnif] has injected code into target processes via thread local storage callbacks."
"T1055.012::[Ursnif] has used process hollowing to inject into child processes."
"T1056.004::[Ursnif] has hooked APIs to perform a wide variety of information theft, such as monitoring traffic from browsers."
"T1057::[Ursnif] has gathered information about running processes."
"T1059.001::[Ursnif] droppers have used PowerShell in download cradles to download and execute the malware's full executable payload."
"T1059.005::[Ursnif] droppers have used VBA macros to download and execute the malware's full executable payload."
"T1070.004::[Ursnif] has deleted data staged in tmp files after exfiltration."
"T1071.001::[Ursnif] has used HTTPS for C2."
"T1074.001::[Ursnif] has used tmp files to stage gathered information."
"T1080::[Ursnif] has copied itself to and infected files in network drives for propagation."
"T1082::[Ursnif] has used [Systeminfo] to gather system information."
"T1090.003::[Ursnif] has used [Tor] for C2."
"T1090::[Ursnif] has used a peer-to-peer (P2P) network for C2."
"T1091::[Ursnif] has copied itself to and infected removable drives for propagation."
"T1105::[Ursnif] has dropped payload and configuration files to disk. [Ursnif] has also been used to download and execute additional payloads."
"T1106::[Ursnif] has used CreateProcessW to create child processes."
"T1112::[Ursnif] has used Registry modifications as part of its installation routine."
"T1113::[Ursnif] has used hooked APIs to take screenshots."
"T1132::[Ursnif] has used encoded data in HTTP URLs for C2."
"T1140::[Ursnif] has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk."
"T1185::[Ursnif] has injected HTML codes into banking sites to steal sensitive online banking information (ex: usernames and passwords)."
"T1497.003::[Ursnif] has used a 30 minute delay after execution to evade sandbox monitoring tools."
"T1543.003::[Ursnif] has registered itself as a system service in the Registry for automatic execution at system startup."
"T1547.001::[Ursnif] has used Registry Run keys to establish automatic execution at system startup."
"T1559.001::[Ursnif] droppers have used COM objects to execute the malware's full executable payload."
"T1564.003::[Ursnif] droppers have used COM properties to execute malware in hidden windows."
"T1568.002::[Ursnif] has used a DGA to generate domain names for C2."
"T1005::[USBferry] can collect information from an air-gapped host machine."
"T1016::[USBferry] can detect the infected machine's network topology using ipconfig and arp."
"T1018::[USBferry] can use net view to gather information about remote systems."
"T1049::[USBferry] can use netstat and nbtstat to detect active network connections."
"T1057::[USBferry] can use tasklist to gather information about the process running on the infected system."
"T1059.003::[USBferry] can execute various Windows commands."
"T1083::[USBferry] can detect the victim's file or folder list."
"T1087.001::[USBferry] can use net user to gather information about local accounts."
"T1091::[USBferry] can copy its installer to attached USB storage devices."
"T1120::[USBferry] can check for connected USB devices."
"T1218.011::[USBferry] can execute rundll32.exe in memory to avoid detection."
"T1020::[USBStealer] automatically exfiltrates collected files via removable media when an infected device connects to an air-gapped victim machine after initially being connected to an internet-enabled victim machine."
"T1025::Once a removable media device is inserted back into the first victim, [USBStealer] collects data from it that was exfiltrated from a second victim."
"T1027::Most strings in [USBStealer] are encrypted using 3DES and XOR and reversed."
"T1036.005::[USBStealer] mimics a legitimate Russian program called USB Disk Security."
"T1052.001::[USBStealer] exfiltrates collected files via removable media from air-gapped victims."
"T1070.004::[USBStealer] has several commands to delete files associated with the malware from the victim."
"T1070.006::[USBStealer] sets the timestamps of its dropper files to the last-access and last-write timestamps of a standard Windows library chosen on the system."
"T1074.001::[USBStealer] collects files matching certain criteria from the victim and stores them in a local directory for later exfiltration."
"T1083::[USBStealer] searches victim drives for files matching certain extensions (“.skr”,“.pkr” or “.key”) or names."
"T1091::[USBStealer] drops itself onto removable media and relies on Autorun to execute the malicious file when a user opens the removable media on another system."
"T1092::[USBStealer] drops commands for a second victim onto a removable media drive inserted into the first victim, and commands are executed when the drive is inserted into the second victim."
"T1119::For all non-removable drives on a victim, [USBStealer] executes automated collection of certain files for later exfiltration."
"T1120::[USBStealer] monitors victims for insertion of removable drives. When dropped onto a second victim, it also enumerates drives connected to the system."
"T1547.001::[USBStealer] registers itself under a Registry Run key with the name \"USB Disk Security.\""
"T1008::[Valak] can communicate over multiple C2 hosts."
"T1012::[Valak] can use the Registry for code updates and to collect credentials."
"T1016::[Valak] has the ability to identify the domain and the MAC and IP addresses of an infected machine."
"T1027.002::[Valak] has used packed DLL payloads."
"T1027::[Valak] has the ability to base64 encode and XOR encrypt strings."
"T1033::[Valak] can gather information regarding the user."
"T1041::[Valak] has the ability to exfiltrate data over the C2 channel."
"T1047::[Valak] can use wmic process call create in a scheduled task to launch plugins and for execution."
"T1053.005::[Valak] has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host."
"T1057::[Valak] has the ability to enumerate running processes on a compromised host."
"T1059.001::[Valak] has used PowerShell to download additional modules."
"T1059.007::[Valak] can execute JavaScript containing configuration data for establishing persistence."
"T1071.001::[Valak] has used HTTP in communications with C2."
"T1082::[Valak] can determine the Windows version and computer name on a compromised host."
"T1087.001::[Valak] has the ability to enumerate local admin accounts."
"T1087.002::[Valak] has the ability to enumerate domain admin accounts."
"T1104::[Valak] can download additional modules and malware capable of using separate C2 channels."
"T1105::[Valak] has downloaded a variety of modules and payloads to the compromised host, including [IcedID] and NetSupport Manager RAT-based malware."
"T1112::[Valak] has the ability to modify the Registry key HKCU\\Software\\ApplicationContainer\\Appsw64 to store information regarding the C2 server and downloads."
"T1113::[Valak] has the ability to take screenshots on a compromised host."
"T1114.002::[Valak] can collect sensitive mailing information from Exchange servers, including credentials and the domain certificate of an enterprise."
"T1119::[Valak] can download a module to search for and build a report of harvested credential data."
"T1132.001::[Valak] has returned C2 data as encoded ASCII."
"T1140::[Valak] has the ability to decode and decrypt downloaded files."
"T1204.002::[Valak] has been executed via Microsoft Word documents containing malicious macros."
"T1218.010::[Valak] has used regsvr32.exe to launch malicious DLLs."
"T1518.001::[Valak] can determine if a compromised host has security products installed."
"T1552.002::[Valak] can use the clientgrabber module to steal e-mail credentials from the Registry."
"T1555.004::[Valak] can use a .NET compiled module named exchgrabber to enumerate credentials from the Credential Manager."
"T1559.002::[Valak] can execute tasks via OLE."
"T1564.004::[Valak] has the ability save and execute files as alternate data streams (ADS)."
"T1566.001::[Valak] has been delivered via spearphishing e-mails with password protected ZIP files."
"T1566.002::[Valak] has been delivered via malicious links in e-mail."
"T1071.001::[VaporRage] can use HTTP to download shellcode from compromised websites."
"T1105::[VaporRage] has the ability to download malicious shellcode to compromised systems."
"T1140::[VaporRage] can deobfuscate XOR-encoded shellcode prior to execution."
"T1480::[VaporRage] has the ability to check for the presence of a specific DLL and terminate if it is not found."
"T1071.001::[Vasport] creates a backdoor by making a connection using a HTTP POST."
"T1090::[Vasport] is capable of tunneling though a proxy."
"T1105::[Vasport] can download files."
"T1547.001::[Vasport] copies itself to disk and creates an associated run key Registry entry to establish."
"T1059.005::[VBShower] has the ability to execute VBScript files."
"T1070.004::[VBShower] has attempted to complicate forensic analysis by deleting all the files contained in %APPDATA%\\..\\Local\\Temporary Internet Files\\Content.Word and %APPDATA%\\..\\Local Settings\\Temporary Internet Files\\Content.Word\\."
"T1071.001::[VBShower] has attempted to obtain a VBS script from command and control (C2) nodes over HTTP."
"T1105::[VBShower] has the ability to download VBS files to the target computer."
"T1547.001::[VBShower] used HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\\\[a-f0-9A-F]{8} to maintain persistence."
"T1016::[VERMIN] gathers the local IP address."
"T1027.002::[VERMIN] is initially packed."
"T1027::[VERMIN] is obfuscated using the obfuscation tool called ConfuserEx."
"T1033::[VERMIN] gathers the username from the victim’s machine."
"T1056.001::[VERMIN] collects keystrokes from the victim machine."
"T1057::[VERMIN] can get a list of the processes and running tasks on the system."
"T1070.004::[VERMIN] can delete files on the victim’s machine."
"T1071.001::[VERMIN] uses HTTP for C2 communications."
"T1082::[VERMIN] collects the OS name, machine name, and architecture information."
"T1105::[VERMIN] can download and upload files to the victim's machine."
"T1113::[VERMIN] can perform screen captures of the victim’s machine."
"T1115::[VERMIN] collects data stored in the clipboard."
"T1119::[VERMIN] saves each collected file with the automatically generated format {0:dd-MM-yyyy}.txt ."
"T1123::[VERMIN] can perform audio capture."
"T1140::[VERMIN] decrypts code, strings, and commands to use once it's on the victim's machine."
"T1518.001::[VERMIN] uses WMI to check for anti-virus software installed on the system."
"T1560::[VERMIN] encrypts the collected files using 3-DES."
"T1007::[Volgmer] queries the system to identify existing services."
"T1012::[Volgmer] checks the system for certain Registry keys."
"T1016::[Volgmer] can gather the IP address from the victim's machine."
"T1027::A [Volgmer] variant is encoded using a simple XOR cipher."
"T1036.004::Some [Volgmer] variants add new services with display names generated by a list of hard-coded strings such as Application, Background, Security, and Windows, presumably as a way to masquerade as a legitimate service."
"T1049::[Volgmer] can gather information about TCP connection state."
"T1057::[Volgmer] can gather a list of processes."
"T1059.003::[Volgmer] can execute commands on the victim's machine."
"T1070.004::[Volgmer] can delete files and itself after infection to avoid analysis."
"T1082::[Volgmer] can gather system information, the computer name, OS version, drive and serial information from the victim's machine."
"T1083::[Volgmer] can list directories on a victim."
"T1105::[Volgmer] can download remote files and additional payloads to the victim's machine."
"T1106::[Volgmer] executes payloads using the Windows API call CreateProcessW()."
"T1112::[Volgmer] stores the encoded configuration file in the Registry key HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Control\\WMI\\Security."
"T1140::[Volgmer] deobfuscates its strings and APIs once its executed."
"T1543.003::[Volgmer] installs a copy of itself in a randomly selected service, then overwrites the ServiceDLL entry in the service's Registry entry. Some [Volgmer] variants also install .dll files as services with names generated by a list of hard-coded strings."
"T1573.001::[Volgmer] uses a simple XOR cipher to encrypt traffic and files."
"T1573.002::Some [Volgmer] variants use SSL to encrypt C2 communications."
"T1016::[WannaCry] will attempt to determine the local network segment it is a part of."
"T1018::[WannaCry] scans its local network segment for remote systems to try to exploit and copy itself to."
"T1047::[WannaCry] utilizes wmic to delete shadow copies."
"T1083::[WannaCry] searches for variety of user files by file extension before encrypting them using RSA and AES, including Office, PDF, image, audio, video, source code, archive/compression format, and key and certificate files."
"T1090.003::[WannaCry] uses [Tor] for command and control traffic."
"T1120::[WannaCry] contains a thread that will attempt to scan for new attached drives every few seconds. If one is identified, it will encrypt the files on the attached device."
"T1210::[WannaCry] uses an exploit in SMBv1 to spread itself to other remote systems on a network."
"T1222.001::[WannaCry] uses attrib +h and icacls . /grant Everyone:F /T /C /Q to make some of its files hidden and grant all users full access controls."
"T1486::[WannaCry] encrypts user files and demands that a ransom be paid in Bitcoin to decrypt those files."
"T1489::[WannaCry] attempts to kill processes associated with Exchange, Microsoft SQL Server, and MySQL to make it possible to encrypt their data stores."
"T1490::[WannaCry] uses vssadmin, wbadmin, bcdedit, and wmic to delete and disable operating system recovery features."
"T1543.003::[WannaCry] creates the service \"mssecsvc2.0\" with the display name \"Microsoft Security Center (2.0) Service.\""
"T1563.002::[WannaCry] enumerates current remote desktop sessions and tries to execute the malware on each session."
"T1564.001::[WannaCry] uses attrib +h to make some of its files hidden."
"T1570::[WannaCry] attempts to copy itself to remote computers after gaining access via an SMB exploit."
"T1573.002::[WannaCry] uses [Tor] for command and control traffic and routes a custom cryptographic protocol over the [Tor] circuit."
"T1005::[WarzoneRAT] can collect data from a compromised host."
"T1014::[WarzoneRAT] can include a rootkit to hide processes, files, and startup."
"T1021.001::[WarzoneRAT] has the ability to control an infected PC using RDP."
"T1021.005::[WarzoneRAT] has the ability of performing remote desktop access via a VNC console."
"T1041::[WarzoneRAT] can send collected victim data to its C2 server."
"T1055::[WarzoneRAT] has the ability to inject malicious DLLs into a specific process for privilege escalation."
"T1056.001::[WarzoneRAT] has the capability to install a live and offline keylogger, including through the use of the `GetAsyncKeyState` Windows API."
"T1057::[WarzoneRAT] can obtain a list of processes on a compromised host."
"T1059.001::[WarzoneRAT] can use PowerShell to download files and execute commands."
"T1059.003::[WarzoneRAT] can use `cmd.exe` to execute malicious code."
"T1082::[WarzoneRAT] can collect compromised host information, including OS version, PC name, RAM size, and CPU details."
"T1083::[WarzoneRAT] can enumerate directories on a compromise host."
"T1090::[WarzoneRAT] has the capability to act as a reverse proxy."
"T1095::[WarzoneRAT] can communicate with its C2 server via TCP over port 5200."
"T1105::[WarzoneRAT] can download and execute additional files."
"T1106::[WarzoneRAT] can use a variety of API calls on a compromised host."
"T1112::[WarzoneRAT] can create `HKCU\\Software\\Classes\\Folder\\shell\\open\\command` as a new registry key during privilege escalation."
"T1125::[WarzoneRAT] can access the webcam on a victim's machine."
"T1140::[WarzoneRAT] can use XOR 0x45 to decrypt obfuscated code."
"T1204.002::[WarzoneRAT] has relied on a victim to open a malicious attachment within an email for execution."
"T1221::[WarzoneRAT] has been install via template injection through a malicious DLL embedded within a template RTF in a Word document."
"T1546.015::[WarzoneRAT]  can perform COM hijacking by setting the path to itself to the `HKCU\\Software\\Classes\\Folder\\shell\\open\\command` key with a `DelegateExecute` parameter."
"T1547.001::[WarzoneRAT] can add itself to the `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run` and `HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\UIF2IS20VK` Registry keys."
"T1548.002::[WarzoneRAT] can use `sdclt.exe` to bypass UAC in Windows 10 to escalate privileges; for older Windows versions [WarzoneRAT] can use the IFileOperation exploit to bypass the UAC module."
"T1555.003::[WarzoneRAT] has the capability to grab passwords from numerous web browsers as well as from Outlook and Thunderbird email clients."
"T1562.001::[WarzoneRAT] can disarm Windows Defender during the UAC process to evade detection."
"T1564::[WarzoneRAT] can masquerade the Process Environment Block on a compromised host to hide it's attempts to elevate privileges through `IFileOperation`."
"T1566.001::[WarzoneRAT] has been distributed as a malicious attachment within an email."
"T1573.001::[WarzoneRAT] can encrypt its C2 with RC4 with the password `warzone160\\x00`."
"T1012::[WastedLocker] checks for specific registry keys related to the UCOMIEnumConnections and IActiveScriptParseProcedure32 interfaces."
"T1027.001::[WastedLocker] contains junk code to increase its entropy and hide the actual code."
"T1027::The [WastedLocker] payload includes encrypted strings stored within the .bss section of the binary file."
"T1059.003::[WastedLocker] has used [cmd] to execute commands on the system."
"T1083::[WastedLocker] can enumerate files and directories just prior to encryption."
"T1106::[WastedLocker]'s custom crypter, CryptOne, leveraged the VirtualAlloc() API function to help execute the payload."
"T1112::[WastedLocker] can modify registry values within the Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\ZoneMap registry key."
"T1120::[WastedLocker] can enumerate removable drives prior to the encryption process."
"T1135::[WastedLocker] can identify network adjacent and accessible drives."
"T1140::[WastedLocker]'s custom cryptor, CryptOne, used an XOR based algorithm to decrypt the payload."
"T1222.001::[WastedLocker] has a command to take ownership of a file and reset the ACL permissions using the takeown.exe /F filepath command."
"T1486::[WastedLocker] can encrypt data and leave a ransom note."
"T1490::[WastedLocker] can delete shadow volumes."
"T1497.001::[WastedLocker] checked if UCOMIEnumConnections and IActiveScriptParseProcedure32 Registry keys were detected as part of its anti-analysis technique."
"T1543.003::[WastedLocker] created and established a service that runs until the encryption process is complete."
"T1548.002::[WastedLocker] can perform a UAC bypass if it is not executed with administrator rights or if the infected host runs Windows Vista or later."
"T1564.001::[WastedLocker] has copied a random file from the Windows System32 folder to the %APPDATA% location under a different hidden filename."
"T1564.004::[WastedLocker] has the ability to save and execute files as an alternate data stream (ADS)."
"T1569.002::[WastedLocker] can execute itself as a service."
"T1574.001::[WastedLocker] has performed DLL hijacking before execution."
"T1012::[Waterbear] can query the Registry key \"HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSDTC\\MTxOCI\" to see if the value `OracleOcilib` exists."
"T1027.005::[Waterbear] can scramble functions not to be executed again with random values."
"T1027::[Waterbear] has used RC4 encrypted shellcode and encrypted functions."
"T1049::[Waterbear] can use API hooks on `GetExtendedTcpTable` to retrieve a table containing a list of TCP endpoints available to the application."
"T1055.003::[Waterbear] can use thread injection to inject shellcode into the process of security software."
"T1055::[Waterbear] can inject decrypted shellcode into the LanmanServer service."
"T1057::[Waterbear] can identify the process for a specific security product."
"T1105::[Waterbear] can receive and load executables from remote C2 servers."
"T1106::[Waterbear] can leverage API functions for execution."
"T1112::[Waterbear] has deleted certain values from the Registry to load a malicious DLL."
"T1140::[Waterbear] has the ability to decrypt its RC4 encrypted payload for execution."
"T1518.001::[Waterbear] can find the presence of a specific security software."
"T1562.006::[Waterbear] can hook the ZwOpenProcess and GetExtendedTcpTable APIs called by the process of a security product to hide PIDs and TCP records from detection."
"T1574.002::[Waterbear] has used DLL side loading to import and load a malicious DLL loader."
"T1059.003::[WEBC2] can open an interactive command shell."
"T1105::[WEBC2] can download and execute a file."
"T1574.001::Variants of [WEBC2] achieve persistence by using DLL search order hijacking, usually by copying the DLL file to %SYSTEMROOT% (C:\\WINDOWS\\ntshrui.dll)."
"T1005::[WellMail] can exfiltrate files from the victim machine."
"T1016::[WellMail] can identify the IP address of the victim system."
"T1033::[WellMail] can identify the current username on the victim system."
"T1095::[WellMail] can use TCP for C2 communications."
"T1105::[WellMail] can receive data and executable scripts from C2."
"T1140::[WellMail] can decompress scripts received from C2."
"T1560::[WellMail] can archive files on the compromised host."
"T1571::[WellMail] has been observed using TCP port 25, without using SMTP, to leverage an open port for secure command and control communications."
"T1573.002::[WellMail] can use hard coded client and certificate authority certificates to communicate with C2 over mutual TLS."
"T1001.001::[WellMess] can use junk data in the Base64 string for additional obfuscation."
"T1005::[WellMess] can send files from the victim machine to C2."
"T1016::[WellMess] can identify the IP address and user domain on the target machine."
"T1033::[WellMess] can collect the username on the victim machine to send to C2."
"T1059.001::[WellMess] can execute PowerShell scripts received from C2."
"T1059.003::[WellMess] can execute command line scripts received from C2."
"T1069.002::[WellMess] can identify domain group membership for the current user."
"T1071.001::[WellMess] can use HTTP and HTTPS in C2 communications."
"T1071.004::[WellMess] has the ability to use DNS tunneling for C2 communications."
"T1082::[WellMess] can identify the computer name of a compromised host."
"T1105::[WellMess] can write files to a compromised host."
"T1132.001::[WellMess] has used Base64 encoding to uniquely identify communication to and from the C2."
"T1140::[WellMess] can decode and decrypt data received from C2."
"T1573.001::[WellMess] can encrypt HTTP POST data using RC6 and a dynamically generated AES key encrypted with a hard coded RSA public key."
"T1573.002::[WellMess] can communicate to C2 with mutual TLS where client and server mutually check certificates."
"T1027::[WhisperGate] can Base64 encode strings, store downloaded files in reverse byte order,  and use the Eazfuscator tool to obfuscate its third stage."
"T1036::[WhisperGate] has been disguised as a JPG extension to avoid detection as a malicious PE file."
"T1055.012::[WhisperGate] has the ability to inject its fourth stage into a suspended process created by the legitimate Windows utility `InstallUtil.exe`."
"T1059.001::[WhisperGate] can use PowerShell to support multiple actions including execution and defense evasion."
"T1059.003::[WhisperGate] can use `cmd.exe` to execute commands."
"T1059.005::[WhisperGate] can use a Visual Basic script to exclude the `C:\\` drive from Windows Defender."
"T1070.004::[WhisperGate] can delete tools from a compromised host after execution."
"T1071.001::[WhisperGate] can make an HTTPS connection to download additional files."
"T1082::[WhisperGate] has the ability to enumerate fixed logical drives on a targeted system."
"T1083::[WhisperGate] can locate files based on hardcoded file extensions."
"T1102::[WhisperGate] can download additional payloads hosted on a Discord channel."
"T1105::[WhisperGate] can download additional stages of malware from a Discord CDN channel."
"T1106::[WhisperGate] has used the `ExitWindowsEx` API to flush file buffers to disk and stop running processes."
"T1134.002::The [WhisperGate] third stage can use the AdvancedRun.exe tool to execute commands in the context of the Windows TrustedInstaller group via `%TEMP%\\AdvancedRun.exe\" /EXEFilename \"C:\\Windows\\System32\\sc.exe\" /WindowState 0 /CommandLine \"stop WinDefend\" /StartDirectory \"\" /RunAs 8 /Run`."
"T1135::[WhisperGate] can enumerate connected remote logical drives."
"T1140::[WhisperGate] can deobfuscate downloaded files stored in reverse byte order and decrypt embedded resources using multiple XOR operations."
"T1218.004::[WhisperGate] has used `InstallUtil.exe` as part of its process to disable Windows Defender."
"T1485::[WhisperGate] can corrupt files by overwriting the first 1 MB with `0xcc` and appending random extensions."
"T1497.001::[WhisperGate] can stop its execution when it recognizes the presence of certain monitoring tools."
"T1497.003::[WhisperGate] can pause for 20 seconds to bypass antivirus solutions."
"T1518.001::[WhisperGate] can recognize the presence of monitoring tools on a target system."
"T1529::[WhisperGate] can shutdown a compromised host through execution of `ExitWindowsEx` with the `EXW_SHUTDOWN` flag."
"T1542.003::[WhisperGate] overwrites the MBR with a bootloader component that performs destructive wiping operations on hard drives and displays a fake ransom note when the host boots."
"T1561.001::[WhisperGate] can overwrite sectors of a victim host's hard drive at periodic offsets."
"T1561.002::[WhisperGate] can overwrite the Master Book Record (MBR) on victim systems with a malicious 16-bit bootloader."
"T1562.001::[WhisperGate] can download and execute AdvancedRun.exe to disable the Windows Defender Theat Protection service and set an exclusion path for the C:\\ drive."
"T1569.002::[WhisperGate] can download and execute AdvancedRun.exe via `sc.exe`."
"T1055::[Wiarp] creates a backdoor through which remote attackers can inject files into running processes."
"T1059.003::[Wiarp] creates a backdoor through which remote attackers can open a command line interface."
"T1105::[Wiarp] creates a backdoor through which remote attackers can download files."
"T1543.003::[Wiarp] creates a backdoor through which remote attackers can create a service."
"T1012::[WINDSHIELD] can gather Registry values."
"T1033::[WINDSHIELD] can gather the victim user name."
"T1070.004::[WINDSHIELD] is capable of file deletion along with other file system interaction."
"T1082::[WINDSHIELD] can gather the victim computer name."
"T1095::[WINDSHIELD] C2 traffic can communicate via TCP raw sockets."
"T1027::[WindTail] can be delivered as a compressed, encrypted, and encoded payload."
"T1036.001::[WindTail] has been incompletely signed with revoked certificates."
"T1036::[WindTail] has used icons mimicking MS Office files to mask payloads."
"T1048.003::[WindTail] has the ability to automatically exfiltrate files using the macOS built-in utility /usr/bin/curl."
"T1059.004::[WindTail] can use the open command to execute an application."
"T1070.004::[WindTail] has the ability to receive and execute a self-delete command."
"T1071.001::[WindTail] has the ability to use HTTP for C2 communications."
"T1083::[WindTail] has the ability to enumerate the users home directory and the path to its own application bundle."
"T1106::[WindTail] can invoke Apple APIs contentsOfDirectoryAtPath, pathExtension, and (string) compare."
"T1119::[WindTail] can identify and add files that possess specific file extensions to an array for archiving."
"T1124::[WindTail] has the ability to generate the current date and time."
"T1140::[WindTail] has the ability to decrypt strings using hard-coded AES keys."
"T1560.001::[WindTail] has the ability to use the macOS built-in zip utility to archive files."
"T1564.003::[WindTail] can instruct the OS to execute an application without a dock icon or menu."
"T1007::[WINERACK] can enumerate services."
"T1010::[WINERACK] can enumerate active windows."
"T1033::[WINERACK] can gather information on the victim username."
"T1057::[WINERACK] can enumerate processes."
"T1059::[WINERACK] can create a reverse shell that utilizes statically-linked Wine cmd.exe code to emulate Windows command prompt commands."
"T1082::[WINERACK] can gather information about the host."
"T1083::[WINERACK] can enumerate files and directories."
"T1055::[Wingbird] performs multiple process injections to hijack system processes and execute malicious code."
"T1068::[Wingbird] exploits CVE-2016-4117 to allow an executable to gain escalated privileges."
"T1070.004::[Wingbird] deletes its payload along with the payload's parent process after it finishes copying files."
"T1082::[Wingbird] checks the victim OS version after executing to determine where to drop files based on whether the victim is 32-bit or 64-bit."
"T1518.001::[Wingbird] checks for the presence of Bitdefender security software."
"T1543.003::[Wingbird] uses services.exe to register a new autostart service named \"Audit Service\" using a copy of the local lsass.exe file."
"T1547.008::[Wingbird] drops a malicious file (sspisrv.dll) alongside a copy of lsass.exe, which is used to register a service that loads sspisrv.dll as a driver. The payload of the malicious driver (located in its entry-point function) is executed when loaded by lsass.exe before the spoofed service becomes unstable and crashes."
"T1569.002::[Wingbird] uses services.exe to register a new autostart service named \"Audit Service\" using a copy of the local lsass.exe file."
"T1574.002::[Wingbird] side loads a malicious file, sspisrv.dll, in part of a spoofed lssas.exe service."
"T1008::[WinMM] is usually configured with primary and backup domains for C2 communications."
"T1033::[WinMM] uses NetUser-GetInfo to identify that it is running under an “Admin” account on the local system."
"T1057::[WinMM] sets a WH_CBT Windows hook to collect information on process creation."
"T1071.001::[WinMM] uses HTTP for C2."
"T1082::[WinMM] collects the system name, OS version including service pack, and system install date and sends the information to the C2 server."
"T1083::[WinMM] sets a WH_CBT Windows hook to search for and capture files on the victim."
"T1014::[Winnti for Linux] has used a modified copy of the open-source userland rootkit Azazel, named libxselinux.so, to hide the malware's operations and network activity."
"T1027::[Winnti for Linux] can encode its configuration file with single-byte XOR encoding."
"T1071.001::[Winnti for Linux] has used HTTP in outbound communications."
"T1095::[Winnti for Linux] has used ICMP, custom TCP, and UDP in outbound communications."
"T1105::[Winnti for Linux] has the ability to deploy modules directly from command and control (C2) servers, possibly for remote command execution, file exfiltration, and socks5 proxying on the infected host."
"T1140::[Winnti for Linux] has decoded XOR encoded strings holding its configuration upon execution."
"T1205::[Winnti for Linux] has used a passive listener, capable of identifying a specific magic value before executing tasking, as a secondary command and control (C2) mechanism."
"T1573.001::[Winnti for Linux] has used a custom TCP protocol with four-byte XOR for command and control (C2)."
"T1027::[Winnti for Windows] has the ability to encrypt and compress its payload."
"T1036.005::A [Winnti for Windows] implant file was named ASPNET_FILTER.DLL, mimicking the legitimate ASP.NET ISAPI filter DLL with the same name."
"T1057::[Winnti for Windows] can check if the explorer.exe process is responsible for calling its install function."
"T1070.004::[Winnti for Windows] can delete the DLLs for its various components from a compromised host."
"T1070.006::[Winnti for Windows] can set the timestamps for its worker and service components to match that of cmd.exe."
"T1071.001::[Winnti for Windows] has the ability to use encapsulated HTTP/S in C2 communications."
"T1082::[Winnti for Windows] can determine if the OS on a compromised host is newer than Windows XP."
"T1083::[Winnti for Windows] can check for the presence of specific files prior to moving to the next phase of execution."
"T1090.001::The [Winnti for Windows] HTTP/S C2 mode can make use of a local proxy."
"T1090.002::The [Winnti for Windows] HTTP/S C2 mode can make use of an external proxy."
"T1095::[Winnti for Windows] can communicate using custom TCP."
"T1105::The [Winnti for Windows] dropper can place malicious payloads on targeted systems."
"T1106::[Winnti for Windows] can use Native API to create a new process and to start services."
"T1140::The [Winnti for Windows] dropper can decrypt and decompresses a data blob."
"T1218.011::The [Winnti for Windows] installer loads a DLL using rundll32."
"T1480.001::The [Winnti for Windows] dropper component can verify the existence of a single command line parameter and either terminate if it is not found or later use it as a decryption key."
"T1543.003::[Winnti for Windows] sets its DLL file as a new service in the Registry to establish persistence."
"T1547.001::[Winnti for Windows] can add a service named wind0ws to the Registry to achieve persistence after reboot."
"T1548.002::[Winnti for Windows] can use a variant of the sysprep UAC bypass."
"T1569.002::[Winnti for Windows] can run as a service using svchost.exe."
"T1573.001::[Winnti for Windows] can XOR encrypt C2 traffic."
"T1072::It is believed that a patch management system for an anti-virus product commonly installed among targeted companies was used to distribute the [Wiper] malware."
"T1033::[XAgentOSX] contains the getInfoOSX function to return the OS X version as well as the current user."
"T1056.001::[XAgentOSX] contains keylogging functionality that will monitor for active application windows and write them to the log, it can handle special characters, and it will buffer by default 50 characters before sending them out over the C2 infrastructure."
"T1057::[XAgentOSX] contains the getProcessList function to run ps aux to get running processes."
"T1070.004::[XAgentOSX] contains the deletFileFromPath function to delete a specified file using the NSFileManager:removeFileAtPath method."
"T1071.002::[XAgentOSX] contains the ftpUpload function to use the FTPManager:uploadFile method to upload files from the target system."
"T1082::[XAgentOSX] contains the getInstalledAPP function to run ls -la /Applications to gather what applications are installed."
"T1083::[XAgentOSX] contains the readFiles function to return a detailed listing (sometimes recursive) of a specified directory."
"T1106::[XAgentOSX] contains the execFile function to execute a specified file on the system using the NSTask:launch method."
"T1113::[XAgentOSX] contains the takeScreenShot (along with startTakeScreenShot and stopTakeScreenShot) functions to take screenshots using the CGGetActiveDisplayList, CGDisplayCreateImage, and NSImage:initWithCGImage methods."
"T1555.003::[XAgentOSX] contains the getFirefoxPassword function to attempt to locate Firefox passwords."
"T1016::[Xbash] can collect IP addresses and local intranet information from a victim’s machine."
"T1046::[Xbash] can perform port scanning of TCP and UDP ports."
"T1053.003::[Xbash] can create a cronjob for persistence if it determines it is on a Linux system."
"T1059.001::[Xbash] can use scripts to invoke PowerShell to download a malicious PE executable or PE DLL for execution."
"T1059.005::[Xbash] can execute malicious VBScript payloads on the victim’s machine."
"T1059.007::[Xbash] can execute malicious JavaScript payloads on the victim’s machine."
"T1071.001::[Xbash] uses HTTP for C2 communications."
"T1102.001::[Xbash] can obtain a webpage hosted on Pastebin to update its C2 domain list."
"T1105::[Xbash] can download additional malicious files from its C2 server."
"T1110.001::[Xbash] can obtain a list of weak passwords from the C2 server to use for brute forcing as well as attempt to brute force services with open ports."
"T1203::[Xbash] can attempt to exploit known vulnerabilities in Hadoop, Redis, or ActiveMQ when it finds those services running in order to conduct further execution."
"T1218.005::[Xbash] can use mshta for executing scripts."
"T1218.010::[Xbash] can use regsvr32 for executing scripts."
"T1485::[Xbash] has destroyed Linux-based databases as part of its ransomware capabilities."
"T1486::[Xbash] has maliciously encrypted victim's database systems and demanded a cryptocurrency ransom be paid."
"T1547.001::[Xbash] can create a Startup item for persistence if it determines it is on a Windows system."
"T1005::[xCaon] has uploaded files from victims' machines."
"T1016::[xCaon] has used the GetAdaptersInfo() API call to get the victim's MAC address."
"T1059.003::[xCaon] has a command to start an interactive shell."
"T1071.001::[xCaon] has communicated with the C2 server by sending POST requests over HTTP."
"T1105::[xCaon] has a command to download files to the victim's machine."
"T1106::[xCaon] has leveraged native OS function calls to retrieve  victim's network adapter's  information using GetAdapterInfo() API."
"T1132.001::[xCaon] has used Base64 to encode its C2 traffic."
"T1140::[xCaon] has decoded strings from the C2 server before executing commands."
"T1518.001::[xCaon] has checked for the existence of Kaspersky antivirus software on the system."
"T1547::[xCaon] has added persistence via the Registry key HKEY_CURRENT_USER\\Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows\\load which causes the malware to run each time any user logs in."
"T1573.001::[xCaon] has encrypted data sent to the C2 server using a XOR key."
"T1005::[XCSSET] collects contacts and application data from files in Desktop, Documents, Downloads, Dropbox, and WeChat folders."
"T1036::[XCSSET] builds a malicious application bundle to resemble Safari through using the Safari icon and Info.plist."
"T1041::[XCSSET] exfiltrates data stolen from a system over its C2 channel."
"T1056.002::[XCSSET] prompts the user to input credentials using a native macOS dialog box leveraging the system process /Applications/Safari.app/Contents/MacOS/SafariForWebKitDevelopment."
"T1059.004::[XCSSET] uses a shell script to execute Mach-o files and osacompile commands such as, osacompile -x -o xcode.app main.applescript."
"T1068::[XCSSET] has used a zero-day exploit in the ssh launchdaemon to elevate privileges and bypass SIP."
"T1082::[XCSSET] identifies the macOS version and uses ioreg to determine serial number."
"T1083::[XCSSET] has used `mdfind` to enumerate a list of apps known to grant screen sharing permissions."
"T1087::[XCSSET] attempts to discover accounts from various locations such as a user's Evernote, AppleID, Telegram, Skype, and WeChat data."
"T1098.004::[XCSSET] will create an ssh key if necessary with the ssh-keygen -t rsa -f $HOME/.ssh/id_rsa -P command. [XCSSET] will upload a private key file to the server to remotely access the host without a password."
"T1105::[XCSSET] downloads browser specific AppleScript modules using a constructed URL with the curl command, https://\" & domain & \"/agent/scripts/\" & moduleName & \".applescript."
"T1113::[XCSSET] saves a screen capture of the victim's system with a numbered filename and .jpg extension. Screen captures are taken at specified intervals based on the system."
"T1195.001::[XCSSET] adds malicious code to a host's Xcode projects by enumerating CocoaPods target_integrator.rb files under the /Library/Ruby/Gems folder or enumerates all .xcodeproj folders under a given directory. [XCSSET] then downloads a script and Mach-O file into the Xcode project folder."
"T1222.002::[XCSSET] uses the chmod +x command to grant executable permissions to the malicious file."
"T1486::[XCSSET] performs AES-CBC encryption on files under ~/Documents, ~/Downloads, and\n~/Desktop with a fixed key and renames files to give them a .enc extension. Only files with sizes \nless than 500MB are encrypted."
"T1497.003::Using the machine's local time, [XCSSET] waits 43200 seconds (12 hours) from the initial creation timestamp of a specific file, .report. After the elapsed time, [XCSSET] executes additional modules."
"T1518.001::[XCSSET] searches firewall configuration files located in /Library/Preferences/ and uses csrutil status to determine if System Integrity Protection is enabled."
"T1518::[XCSSET] uses ps aux with the grep command to enumerate common browsers and system processes potentially impacting [XCSSET]'s exfiltration capabilities."
"T1539::[XCSSET] uses scp to access the ~/Library/Cookies/Cookies.binarycookies file."
"T1543.004::[XCSSET] uses the ssh launchdaemon to elevate privileges, bypass system controls, and enable remote access to the victim."
"T1553.001::[XCSSET] has dropped a malicious applet into an app's `.../Contents/MacOS/` folder of a previously launched app to bypass Gatekeeper's security checks on first launch apps (prior to macOS 13)."
"T1554::[XCSSET] uses a malicious browser application to replace the legitimate browser in order to continuously capture credentials, monitor web traffic, and download additional modules."
"T1560::[XCSSET] will compress entire ~/Desktop folders excluding all .git folders, but only if the total data size is under 200MB."
"T1564.001::[XCSSET] uses a hidden folder named .xcassets and .git to embed itself in Xcode."
"T1569.001::[XCSSET] loads a system level launchdaemon using the launchctl load -w command from /System/Librarby/LaunchDaemons/ssh.plist."
"T1573.001::[XCSSET] uses RC4 encryption over TCP to communicate with its C2 server."
"T1574.006::[XCSSET] adds malicious file paths to the DYLD_FRAMEWORK_PATH and DYLD_LIBRARY_PATH environment variables to execute malicious code."
"T1614.001::[XCSSET] uses AppleScript to check the host's language and location with the command user locale of (get system info)."
"T1647::[XCSSET] uses the plutil command to modify the LSUIElement, DFBundleDisplayName, and CFBundleIdentifier keys in the /Contents/Info.plist file to change how [XCSSET] is visible on the system."
"T1008::The C2 server used by [XTunnel] provides a port number to the victim to use as a fallback in case the connection closes on the currently used port."
"T1027.001::A version of [XTunnel] introduced in July 2015 inserted junk code into the binary in a likely attempt to obfuscate it and bypass security products."
"T1027::A version of [XTunnel] introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products."
"T1046::[XTunnel] is capable of probing the network for open ports."
"T1059.003::[XTunnel] has been used to execute remote commands."
"T1090::[XTunnel] relays traffic between a C2 server and a victim."
"T1552.001::[XTunnel] is capable of accessing locally stored passwords on victims."
"T1573.002::[XTunnel] uses SSL/TLS and RC4 to encrypt traffic."
"T1027::[YAHOYAH] encrypts its configuration file using a simple algorithm."
"T1071.001::[YAHOYAH] uses HTTP for C2."
"T1082::[YAHOYAH] checks for the system’s Windows OS version and hostname."
"T1105::[YAHOYAH] uses HTTP GET requests to download other files that are executed in memory."
"T1140::[YAHOYAH] decrypts downloaded files before execution."
"T1518.001::[YAHOYAH] checks for antimalware solution processes on the system."
"T1005::[yty] collects files with the following extensions: .ppt, .pptx, .pdf, .doc, .docx, .xls, .xlsx, .docm, .rtf, .inp, .xlsm, .csv, .odt, .pps, .vcf and sends them back to the C2 server."
"T1016::[yty] runs ipconfig /all and collects the domain name."
"T1018::[yty] uses the net view command for discovery."
"T1027.001::[yty] contains junk code in its binary, likely to confuse malware analysts."
"T1027.002::[yty] packs a plugin with UPX."
"T1033::[yty] collects the victim’s username."
"T1053.005::[yty] establishes persistence by creating a scheduled task with the command SchTasks /Create /SC DAILY /TN BigData /TR “ + path_file + “/ST 09:30“."
"T1056.001::[yty] uses a keylogger plugin to gather keystrokes."
"T1057::[yty] gets an output of running processes using the tasklist command."
"T1082::[yty] gathers the computer name, the serial number of the main disk volume, CPU information, Microsoft Windows version, and runs the command systeminfo."
"T1083::[yty] gathers information on victim’s drives and has a plugin for document listing."
"T1102.002::[yty] communicates to the C2 server by retrieving a Google Doc."
"T1113::[yty] collects screenshots of the victim machine."
"T1497.001::[yty] has some basic anti-sandbox detection that tries to detect Virtual PC, Sandboxie, and VMware."
"T1012::[Zebrocy] executes the reg query command to obtain information in the Registry."
"T1016::[Zebrocy] runs the ipconfig /all command."
"T1027.002::[Zebrocy]'s Delphi variant was packed with UPX."
"T1033::[Zebrocy] gets the username from the system."
"T1037.001::[Zebrocy] performs persistence with a logon script via adding to the Registry key HKCU\\Environment\\UserInitMprLogonScript."
"T1041::[Zebrocy] has exfiltrated data to the designated C2 server using HTTP POST requests."
"T1047::One variant of [Zebrocy] uses WMI queries to gather information."
"T1049::[Zebrocy] uses netstat -aon to gather network connection information."
"T1053.005::[Zebrocy] has a command to create a scheduled task for persistence."
"T1056.004::[Zebrocy] installs an application-defined Windows hook to get notified when a network drive has been attached, so it can then use the hook to call its RecordToFile file stealing method."
"T1057::[Zebrocy] uses the tasklist and wmic process get Capture, ExecutablePath commands to gather the processes running on the system."
"T1059.003::[Zebrocy] uses cmd.exe to execute commands on the system."
"T1070.004::[Zebrocy] has a command to delete files and directories."
"T1071.001::[Zebrocy] uses HTTP for C2."
"T1071.003::[Zebrocy] uses SMTP and POP3 for C2."
"T1074.001::[Zebrocy] stores all collected information in a single file before exfiltration."
"T1082::[Zebrocy] collects the OS version, computer name and serial number for the storage volume C:\\. [Zebrocy] also runs the systeminfo command to gather system information."
"T1083::[Zebrocy] searches for files that are 60mb and less and contain the following extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .exe, .zip, and .rar. [Zebrocy] also runs the echo %APPDATA% command to list the contents of the directory."
"T1105::[Zebrocy] obtains additional code to execute on the victim's machine, including the downloading of a secondary payload."
"T1113::A variant of [Zebrocy] captures screenshots of the victim’s machine in JPEG and BMP format."
"T1119::[Zebrocy] scans the system and automatically collects files with the following extensions: .doc, .docx, ,.xls, .xlsx, .pdf, .pptx, .rar, .zip, .jpg, .jpeg, .bmp, .tiff, .kum, .tlg, .sbx, .cr, .hse, .hsf, and .lhz."
"T1120::[Zebrocy] enumerates information about connected storage devices."
"T1124::[Zebrocy] gathers the current time zone and date information from the system."
"T1132.001::[Zebrocy] has used URL/Percent Encoding on data exfiltrated via HTTP POST requests."
"T1135::[Zebrocy] identifies network drives when they are added to victim systems."
"T1140::[Zebrocy] decodes its secondary payload and writes it to the victim’s machine. [Zebrocy] also uses AES and XOR to decrypt strings and payloads."
"T1547.001::[Zebrocy] creates an entry in a Registry Run key for the malware to execute on startup."
"T1555.003::[Zebrocy] has the capability to upload dumper tools that extract credentials from web browsers and store them in database files."
"T1560::[Zebrocy]  has used a method similar to RC4 as well as AES for encryption and hexadecimal for encoding data before exfiltration."
"T1573.002::[Zebrocy] uses SSL and AES ECB for encrypting C2 communications."
"T1014::[Zeroaccess] is a kernel-mode rootkit."
"T1564.004::Some variants of the [Zeroaccess] Trojan have been known to store data in Extended Attributes."
"T1001.002::[ZeroT] has retrieved stage 2 payloads as Bitmap images that use Least Significant Bit (LSB) steganography."
"T1016::[ZeroT] gathers the victim's IP address and domain information, and then sends it to its C2 server."
"T1027.001::[ZeroT] has obfuscated DLLs and functions using dummy API calls inserted between real instructions."
"T1027.002::Some [ZeroT] DLL files have been packed with UPX."
"T1027::[ZeroT] has encrypted its payload with RC4."
"T1071.001::[ZeroT] has used HTTP for C2."
"T1082::[ZeroT] gathers the victim's computer name, Windows version, and system language, and then sends it to its C2 server."
"T1105::[ZeroT] can download additional payloads onto the victim."
"T1140::[ZeroT] shellcode decrypts and decompresses its RC4-encrypted payload."
"T1543.003::[ZeroT] can add a new service to ensure [PlugX] persists on the system when delivered as another payload onto the system."
"T1548.002::Many [ZeroT] samples can perform UAC bypass by using eventvwr.exe to execute a malicious file."
"T1573.001::[ZeroT] has used RC4 to encrypt C2 traffic."
"T1574.002::[ZeroT] has used DLL side-loading to load malicious payloads."
"T1012::[Zeus Panda] checks for the existence of a Registry key and if it contains certain values."
"T1027::[Zeus Panda] encrypts strings with XOR and obfuscates the macro code from the initial payload. [Zeus Panda] also encrypts all configuration and settings in AES and RC4."
"T1055.002::[Zeus Panda] checks processes on the system and if they meet the necessary requirements, it injects into that process."
"T1056.001::[Zeus Panda] can perform keylogging on the victim’s machine by hooking the functions TranslateMessage and WM_KEYDOWN."
"T1056.004::[Zeus Panda] hooks processes by leveraging its own IAT hooked functions."
"T1057::[Zeus Panda] checks for running processes on the victim’s machine."
"T1059.001::[Zeus Panda] uses PowerShell to download and execute the payload."
"T1059.003::[Zeus Panda] can launch an interface where it can execute several commands on the victim’s PC."
"T1059::[Zeus Panda] can launch remote scripts on the victim’s machine."
"T1070.004::[Zeus Panda] has a command to delete a file. It also can uninstall scripts and delete files to cover its track."
"T1071.001::[Zeus Panda] uses HTTP for C2 communications."
"T1082::[Zeus Panda] collects the OS version, system architecture, computer name, product ID, install date, and information on the keyboard mapping to determine the language used on the system."
"T1083::[Zeus Panda] searches for specific directories on the victim’s machine."
"T1105::[Zeus Panda] can download additional malware plug-in modules and execute them on the victim’s machine."
"T1112::[Zeus Panda] modifies several Registry keys under HKCU\\Software\\Microsoft\\Internet Explorer\\ PhishingFilter\\ to disable phishing filters."
"T1113::[Zeus Panda] can take screenshots of the victim’s machine."
"T1115::[Zeus Panda] can hook GetClipboardData function to watch for clipboard pastes to collect."
"T1124::[Zeus Panda] collects the current system time (UTC) and sends it back to the C2 server."
"T1140::[Zeus Panda] decrypts strings in the code during the execution process."
"T1518.001::[Zeus Panda] checks to see if anti-virus, anti-spyware, or firewall products are installed in the victim’s environment."
"T1547.001::[Zeus Panda] adds persistence by creating Registry Run keys."
"T1614.001::[Zeus Panda] queries the system's keyboard mapping to determine the language used on the system. It will terminate execution if it detects LANG_RUSSIAN, LANG_BELARUSIAN, LANG_KAZAK, or LANG_UKRAINIAN."
"T1007::[ZLib] has the ability to discover and manipulate Windows services."
"T1036.005::[ZLib] mimics the resource version information of legitimate Realtek Semiconductor, Nvidia, or Synaptics modules."
"T1041::[ZLib] has sent data and files from a compromised host to its C2 servers."
"T1059.003::[ZLib] has the ability to execute shell commands."
"T1071.001::[ZLib] communicates over HTTP for C2."
"T1082::[ZLib] has the ability to enumerate system information."
"T1083::[ZLib] has the ability to enumerate files and drives."
"T1105::[ZLib] has the ability to download files."
"T1113::[ZLib] has the ability to obtain screenshots of the compromised system."
"T1543.003::[ZLib] creates Registry keys to allow itself to run as various services."
"T1560.002::The [ZLib] backdoor compresses communications using the standard Zlib compression library."
"T1001.002::[Zox] has used the .PNG file format for C2 communications."
"T1005::[Zox] has the ability to upload files from a targeted system."
"T1021.002::[Zox] has the ability to use SMB for communication."
"T1027::[Zox] has been encoded with Base64."
"T1057::[Zox] has the ability to list processes."
"T1068::[Zox] has the ability to leverage local and remote exploits to escalate privileges."
"T1082::[Zox] can enumerate attached drives."
"T1083::[Zox] can enumerate files on a compromised host."
"T1105::[Zox] can download files to a compromised machine."
"T1016::[zwShell] can obtain the victim IP address."
"T1021.001::[zwShell] has used RDP for lateral movement."
"T1021.002::[zwShell] has been copied over network shares to move laterally."
"T1033::[zwShell] can obtain the name of the logged-in user on the victim."
"T1053.005::[zwShell] has used SchTasks for execution."
"T1059.003::[zwShell] can launch command-line shells."
"T1070.004::[zwShell] has deleted itself after creating a service as well as deleted a temporary file when the system reboots."
"T1082::[zwShell] can obtain the victim PC name and OS version."
"T1083::[zwShell] can browse the file system."
"T1112::[zwShell] can modify the Registry."
"T1543.003::[zwShell] has established persistence by adding itself as a new service."
"T1005::[ZxShell] can transfer files from a compromised host."
"T1007::[ZxShell] can check the services on the system."
"T1012::[ZxShell] can query the netsvc group value data located in the svchost group Registry key."
"T1021.001::[ZxShell] has remote desktop functionality."
"T1021.005::[ZxShell] supports functionality for VNC sessions."
"T1033::[ZxShell] can collect the owner and organization information from the target workstation."
"T1046::[ZxShell] can launch port scans."
"T1055.001::[ZxShell] is injected into a shared SVCHOST process."
"T1056.001::[ZxShell] has a feature to capture a remote computer's keystrokes using a keylogger."
"T1056.004::[ZxShell] hooks several API functions to spawn system threads."
"T1057::[ZxShell] has a command, ps, to obtain a listing of processes on the system."
"T1059.003::[ZxShell] can launch a reverse command shell."
"T1070.001::[ZxShell] has a command to clear system event logs."
"T1070.004::[ZxShell] can delete files from the system."
"T1071.001::[ZxShell] has used HTTP for C2 connections."
"T1071.002::[ZxShell] has used FTP for C2 connections."
"T1082::[ZxShell] can collect the local hostname, operating system details, CPU speed, and total physical memory."
"T1083::[ZxShell] has a command to open a file manager and explorer on the system."
"T1090::[ZxShell] can set up an HTTP or SOCKS proxy."
"T1105::[ZxShell] has a command to transfer files from a remote host."
"T1106::[ZxShell] can leverage native API including RegisterServiceCtrlHandler  to register a service.RegisterServiceCtrlHandler"
"T1112::[ZxShell] can create Registry entries to enable services to run."
"T1113::[ZxShell] can capture screenshots."
"T1125::[ZxShell] has a command to perform video device spying."
"T1134.002::[ZxShell] has a command called RunAs, which creates a new process as another user or process context."
"T1136.001::[ZxShell] has a feature to create local user accounts."
"T1190::[ZxShell] has been dropped through exploitation of CVE-2011-2462, CVE-2013-3163, and CVE-2014-0322."
"T1218.011::[ZxShell] has used rundll32.exe to execute other DLLs and named pipes."
"T1499::[ZxShell] has a feature to perform SYN flood attack on a host."
"T1543.003::[ZxShell] can create a new service using the service parser function ProcessScCommand."
"T1562.001::[ZxShell] can kill AV products' processes."
"T1562.004::[ZxShell] can disable the firewall by modifying the registry key HKLM\\SYSTEM\\CurrentControlSet\\Services\\SharedAccess\\Parameters\\FirewallPolicy\\StandardProfile."
"T1569.002::[ZxShell] can create a new service for execution."
"T1571::[ZxShell] can use ports 1985 and 1986 in HTTP/S communication."
"T1005::[ZxxZ] can collect data from a compromised host."
"T1012::[ZxxZ] can search the registry of a compromised host."
"T1027::[ZxxZ] has been encoded to avoid detection from static analysis tools."
"T1033::[ZxxZ] can collect the username from a compromised host."
"T1036.004::[ZxxZ] has been disguised as a Windows security update service."
"T1053.005::[ZxxZ] has used scheduled tasks for persistence and execution."
"T1057::[ZxxZ] has created a snapshot of running processes using `CreateToolhelp32Snapshot`."
"T1082::[ZxxZ] has collected the host name and operating system product name from a compromised machine."
"T1105::[ZxxZ] can download and execute additional files."
"T1106::[ZxxZ] has used API functions such as `Process32First`, `Process32Next`, and `ShellExecuteA`."
"T1140::[ZxxZ] has used a XOR key to decrypt strings."
"T1204.002::[ZxxZ] has relied on victims to open a malicious attachment delivered via email."
"T1518.001::[ZxxZ] can search a compromised host to determine if it is running Windows Defender or Kasperky antivirus."
"T1566.001::[ZxxZ] has been distributed via spearphishing emails, usually containing a malicious RTF or Excel attachment."
