| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1543.003 | Create or Modify System Process: Windows Service | SUGARUSH has created a service named |
| Enterprise | T1680 | Local Storage Discovery | MoonWind can obtain the number of drives on the victim machine.[2] |
| Enterprise | T1095 | Non-Application Layer Protocol | |
| Enterprise | T1571 | Non-Standard Port | SUGARUSH has used port 4585 for a TCP connection to its C2.[1] |
| Enterprise | T1016.001 | System Network Configuration Discovery: Internet Connection Discovery | SUGARUSH has checked for internet connectivity from an infected host before attempting to establish a new TCP connection.[1] |