| Domain | ID | Name | Use |
|---|---|---|---|
| Enterprise | T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | BabyShark has added a Registry key to ensure all future macros are enabled for Microsoft Word and Excel as well as for additional persistence.[1][2] |
| Enterprise | T1059.003 | Command and Scripting Interpreter: Windows Command Shell | |
| Enterprise | T1132.001 | Data Encoding: Standard Encoding | BabyShark has encoded data using certutil before exfiltration.[1] |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | BabyShark has the ability to decode downloaded files prior to execution.[2] |
| Enterprise | T1083 | File and Directory Discovery | BabyShark has used |
| Enterprise | T1070.004 | Indicator Removal on Host: File Deletion | BabyShark has cleaned up all files associated with the secondary payload execution.[3] |
| Enterprise | T1105 | Ingress Tool Transfer | BabyShark has downloaded additional files from the C2.[3][2] |
| Enterprise | T1056.001 | Input Capture: Keylogging | BabyShark has a PowerShell-based remote administration ability that can implement a PowerShell or C# based keylogger.[3] |
| Enterprise | T1057 | Process Discovery | |
| Enterprise | T1012 | Query Registry | BabyShark has executed the |
| Enterprise | T1053.005 | Scheduled Task/Job: Scheduled Task | BabyShark has used scheduled tasks to maintain persistence.[4] |
| Enterprise | T1218.005 | Signed Binary Proxy Execution: Mshta | BabyShark has used mshta.exe to download and execute applications from a remote server.[2] |
| Enterprise | T1082 | System Information Discovery | |
| Enterprise | T1016 | System Network Configuration Discovery | |
| Enterprise | T1033 | System Owner/User Discovery | |

| ID | Name | References |
|---|---|---|
| G0094 | Kimsuky | |