<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Command and Scripting Interpreter: Windows Command Shell, Sub-technique T1059.003 - Enterprise | MITRE ATT&CK&reg;</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div id="v-tab" role="tablist" aria-orientation="vertical"> <span class="heading" id="v-home-tab" aria-selected="false">TECHNIQUES</span> <div class="sidenav"> <div class="sidenav-head " id="enterprise"> <a href="/versions/v9/techniques/enterprise/"> Enterprise </a> <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043"> <a href="/versions/v9/tactics/TA0043"> Reconnaissance </a> <div class="expand-button collapsed" id="enterprise-TA0043-header" data-toggle="collapse" data-target="#enterprise-TA0043-body" aria-expanded="false" aria-controls="#enterprise-TA0043-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-body" aria-labelledby="enterprise-TA0043-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595"> <a href="/versions/v9/techniques/T1595/"> Active Scanning </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1595-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1595-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1595-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1595-body" aria-labelledby="enterprise-TA0043-T1595-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.001"> <a href="/versions/v9/techniques/T1595/001/"> Scanning IP Blocks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.002"> <a href="/versions/v9/techniques/T1595/002/"> Vulnerability Scanning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592"> <a href="/versions/v9/techniques/T1592/"> Gather Victim Host Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1592-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1592-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1592-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1592-body" aria-labelledby="enterprise-TA0043-T1592-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.001"> <a href="/versions/v9/techniques/T1592/001/"> Hardware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.002"> <a href="/versions/v9/techniques/T1592/002/"> Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.003"> <a href="/versions/v9/techniques/T1592/003/"> Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.004"> <a href="/versions/v9/techniques/T1592/004/"> Client Configurations </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589"> <a href="/versions/v9/techniques/T1589/"> Gather Victim Identity Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1589-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1589-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1589-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1589-body" aria-labelledby="enterprise-TA0043-T1589-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.001"> <a href="/versions/v9/techniques/T1589/001/"> Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.002"> <a href="/versions/v9/techniques/T1589/002/"> Email Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.003"> <a href="/versions/v9/techniques/T1589/003/"> Employee Names </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590"> <a href="/versions/v9/techniques/T1590/"> Gather Victim Network Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1590-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1590-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1590-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1590-body" aria-labelledby="enterprise-TA0043-T1590-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.001"> <a href="/versions/v9/techniques/T1590/001/"> Domain Properties </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.002"> <a href="/versions/v9/techniques/T1590/002/"> DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.003"> <a href="/versions/v9/techniques/T1590/003/"> Network Trust Dependencies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.004"> <a href="/versions/v9/techniques/T1590/004/"> Network Topology </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.005"> <a href="/versions/v9/techniques/T1590/005/"> IP Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.006"> <a href="/versions/v9/techniques/T1590/006/"> Network Security Appliances </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591"> <a href="/versions/v9/techniques/T1591/"> Gather Victim Org Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1591-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1591-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1591-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1591-body" aria-labelledby="enterprise-TA0043-T1591-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.001"> <a href="/versions/v9/techniques/T1591/001/"> Determine Physical Locations </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.002"> <a href="/versions/v9/techniques/T1591/002/"> Business Relationships </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.003"> <a href="/versions/v9/techniques/T1591/003/"> Identify Business Tempo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.004"> <a href="/versions/v9/techniques/T1591/004/"> Identify Roles </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598"> <a href="/versions/v9/techniques/T1598/"> Phishing for Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1598-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1598-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1598-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1598-body" aria-labelledby="enterprise-TA0043-T1598-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.001"> <a href="/versions/v9/techniques/T1598/001/"> Spearphishing Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.002"> <a href="/versions/v9/techniques/T1598/002/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.003"> <a href="/versions/v9/techniques/T1598/003/"> Spearphishing Link </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597"> <a href="/versions/v9/techniques/T1597/"> Search Closed Sources </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1597-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1597-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1597-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1597-body" aria-labelledby="enterprise-TA0043-T1597-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.001"> <a href="/versions/v9/techniques/T1597/001/"> Threat Intel Vendors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.002"> <a href="/versions/v9/techniques/T1597/002/"> Purchase Technical Data </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596"> <a href="/versions/v9/techniques/T1596/"> Search Open Technical Databases </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1596-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1596-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1596-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1596-body" aria-labelledby="enterprise-TA0043-T1596-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.001"> <a href="/versions/v9/techniques/T1596/001/"> DNS/Passive DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.002"> <a href="/versions/v9/techniques/T1596/002/"> WHOIS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.003"> <a href="/versions/v9/techniques/T1596/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.004"> <a href="/versions/v9/techniques/T1596/004/"> CDNs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.005"> <a href="/versions/v9/techniques/T1596/005/"> Scan Databases </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593"> <a href="/versions/v9/techniques/T1593/"> Search Open Websites/Domains </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1593-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1593-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1593-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1593-body" aria-labelledby="enterprise-TA0043-T1593-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.001"> <a href="/versions/v9/techniques/T1593/001/"> Social Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.002"> <a href="/versions/v9/techniques/T1593/002/"> Search Engines </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1594"> <a href="/versions/v9/techniques/T1594/"> Search Victim-Owned Websites </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042"> <a href="/versions/v9/tactics/TA0042"> Resource Development </a> <div class="expand-button collapsed" id="enterprise-TA0042-header" data-toggle="collapse" data-target="#enterprise-TA0042-body" aria-expanded="false" aria-controls="#enterprise-TA0042-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-body" aria-labelledby="enterprise-TA0042-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583"> <a href="/versions/v9/techniques/T1583/"> Acquire Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1583-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1583-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1583-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1583-body" aria-labelledby="enterprise-TA0042-T1583-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.001"> <a href="/versions/v9/techniques/T1583/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.002"> <a href="/versions/v9/techniques/T1583/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.003"> <a href="/versions/v9/techniques/T1583/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.004"> <a href="/versions/v9/techniques/T1583/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.005"> <a href="/versions/v9/techniques/T1583/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.006"> <a href="/versions/v9/techniques/T1583/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586"> <a href="/versions/v9/techniques/T1586/"> Compromise Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1586-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1586-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1586-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1586-body" aria-labelledby="enterprise-TA0042-T1586-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1586-T1586.001"> <a href="/versions/v9/techniques/T1586/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1586-T1586.002"> <a href="/versions/v9/techniques/T1586/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584"> <a href="/versions/v9/techniques/T1584/"> Compromise Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1584-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1584-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1584-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1584-body" aria-labelledby="enterprise-TA0042-T1584-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.001"> <a href="/versions/v9/techniques/T1584/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.002"> <a href="/versions/v9/techniques/T1584/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.003"> <a href="/versions/v9/techniques/T1584/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.004"> <a href="/versions/v9/techniques/T1584/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.005"> <a href="/versions/v9/techniques/T1584/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.006"> <a href="/versions/v9/techniques/T1584/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587"> <a href="/versions/v9/techniques/T1587/"> Develop Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1587-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1587-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1587-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1587-body" aria-labelledby="enterprise-TA0042-T1587-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.001"> <a href="/versions/v9/techniques/T1587/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.002"> <a href="/versions/v9/techniques/T1587/002/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.003"> <a href="/versions/v9/techniques/T1587/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.004"> <a href="/versions/v9/techniques/T1587/004/"> Exploits </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585"> <a href="/versions/v9/techniques/T1585/"> Establish Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1585-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1585-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1585-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1585-body" aria-labelledby="enterprise-TA0042-T1585-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.001"> <a href="/versions/v9/techniques/T1585/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.002"> <a href="/versions/v9/techniques/T1585/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588"> <a href="/versions/v9/techniques/T1588/"> Obtain Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1588-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1588-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1588-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1588-body" aria-labelledby="enterprise-TA0042-T1588-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.001"> <a href="/versions/v9/techniques/T1588/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.002"> <a href="/versions/v9/techniques/T1588/002/"> Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.003"> <a href="/versions/v9/techniques/T1588/003/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.004"> <a href="/versions/v9/techniques/T1588/004/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.005"> <a href="/versions/v9/techniques/T1588/005/"> Exploits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.006"> <a href="/versions/v9/techniques/T1588/006/"> Vulnerabilities </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608"> <a href="/versions/v9/techniques/T1608/"> Stage Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1608-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1608-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1608-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1608-body" aria-labelledby="enterprise-TA0042-T1608-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.001"> <a href="/versions/v9/techniques/T1608/001/"> Upload Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.002"> <a href="/versions/v9/techniques/T1608/002/"> Upload Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.003"> <a href="/versions/v9/techniques/T1608/003/"> Install Digital Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.004"> <a href="/versions/v9/techniques/T1608/004/"> Drive-by Target </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.005"> <a href="/versions/v9/techniques/T1608/005/"> Link Target </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001"> <a href="/versions/v9/tactics/TA0001"> Initial Access </a> <div class="expand-button collapsed" id="enterprise-TA0001-header" data-toggle="collapse" data-target="#enterprise-TA0001-body" aria-expanded="false" aria-controls="#enterprise-TA0001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-body" aria-labelledby="enterprise-TA0001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1189"> <a href="/versions/v9/techniques/T1189/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1190"> <a href="/versions/v9/techniques/T1190/"> Exploit Public-Facing Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1200"> <a href="/versions/v9/techniques/T1200/"> Hardware Additions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1566"> <a href="/versions/v9/techniques/T1566/"> Phishing </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1566-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1566-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1566-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1566-body" aria-labelledby="enterprise-TA0001-T1566-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.001"> <a href="/versions/v9/techniques/T1566/001/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.002"> <a href="/versions/v9/techniques/T1566/002/"> Spearphishing Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.003"> <a href="/versions/v9/techniques/T1566/003/"> Spearphishing via Service </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1195"> <a href="/versions/v9/techniques/T1195/"> Supply Chain Compromise </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1195-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1195-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1195-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1195-body" aria-labelledby="enterprise-TA0001-T1195-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.001"> <a href="/versions/v9/techniques/T1195/001/"> Compromise Software Dependencies and Development Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.002"> <a href="/versions/v9/techniques/T1195/002/"> Compromise Software Supply Chain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.003"> <a href="/versions/v9/techniques/T1195/003/"> Compromise Hardware Supply Chain </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1199"> <a href="/versions/v9/techniques/T1199/"> Trusted Relationship </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1078-body" aria-labelledby="enterprise-TA0001-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002"> <a href="/versions/v9/tactics/TA0002"> Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-header" data-toggle="collapse" data-target="#enterprise-TA0002-body" aria-expanded="false" aria-controls="#enterprise-TA0002-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-body" aria-labelledby="enterprise-TA0002-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1059"> <a href="/versions/v9/techniques/T1059/"> Command and Scripting Interpreter </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1059-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1059-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1059-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1059-body" aria-labelledby="enterprise-TA0002-T1059-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.001"> <a href="/versions/v9/techniques/T1059/001/"> PowerShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.002"> <a href="/versions/v9/techniques/T1059/002/"> AppleScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="enterprise-TA0002-T1059-T1059.003"> <a href="/versions/v9/techniques/T1059/003/"> Windows Command Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.004"> <a href="/versions/v9/techniques/T1059/004/"> Unix Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.005"> <a href="/versions/v9/techniques/T1059/005/"> Visual Basic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.006"> <a href="/versions/v9/techniques/T1059/006/"> Python </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.007"> <a href="/versions/v9/techniques/T1059/007/"> JavaScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.008"> <a href="/versions/v9/techniques/T1059/008/"> Network Device CLI </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1609"> <a href="/versions/v9/techniques/T1609/"> Container Administration Command </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1203"> <a href="/versions/v9/techniques/T1203/"> Exploitation for Client Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1559"> <a href="/versions/v9/techniques/T1559/"> Inter-Process Communication </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1559-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1559-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1559-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1559-body" aria-labelledby="enterprise-TA0002-T1559-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.001"> <a href="/versions/v9/techniques/T1559/001/"> Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.002"> <a href="/versions/v9/techniques/T1559/002/"> Dynamic Data Exchange </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1106"> <a href="/versions/v9/techniques/T1106/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1053-body" aria-labelledby="enterprise-TA0002-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1129"> <a href="/versions/v9/techniques/T1129/"> Shared Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1569"> <a href="/versions/v9/techniques/T1569/"> System Services </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1569-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1569-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1569-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1569-body" aria-labelledby="enterprise-TA0002-T1569-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1569-T1569.001"> <a href="/versions/v9/techniques/T1569/001/"> Launchctl </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1569-T1569.002"> <a href="/versions/v9/techniques/T1569/002/"> Service Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1204"> <a href="/versions/v9/techniques/T1204/"> User Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1204-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1204-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1204-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1204-body" aria-labelledby="enterprise-TA0002-T1204-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.001"> <a href="/versions/v9/techniques/T1204/001/"> Malicious Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.002"> <a href="/versions/v9/techniques/T1204/002/"> Malicious File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.003"> <a href="/versions/v9/techniques/T1204/003/"> Malicious Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1047"> <a href="/versions/v9/techniques/T1047/"> Windows Management Instrumentation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003"> <a href="/versions/v9/tactics/TA0003"> Persistence </a> <div class="expand-button collapsed" id="enterprise-TA0003-header" data-toggle="collapse" data-target="#enterprise-TA0003-body" aria-expanded="false" aria-controls="#enterprise-TA0003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-body" aria-labelledby="enterprise-TA0003-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098"> <a href="/versions/v9/techniques/T1098/"> Account Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1098-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1098-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1098-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1098-body" aria-labelledby="enterprise-TA0003-T1098-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.001"> <a href="/versions/v9/techniques/T1098/001/"> Additional Cloud Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.002"> <a href="/versions/v9/techniques/T1098/002/"> Exchange Email Delegate Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.003"> <a href="/versions/v9/techniques/T1098/003/"> Add Office 365 Global Administrator Role </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.004"> <a href="/versions/v9/techniques/T1098/004/"> SSH Authorized Keys </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1547-body" aria-labelledby="enterprise-TA0003-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1037-body" aria-labelledby="enterprise-TA0003-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1176"> <a href="/versions/v9/techniques/T1176/"> Browser Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1554"> <a href="/versions/v9/techniques/T1554/"> Compromise Client Software Binary </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1136"> <a href="/versions/v9/techniques/T1136/"> Create Account </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1136-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1136-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1136-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1136-body" aria-labelledby="enterprise-TA0003-T1136-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.001"> <a href="/versions/v9/techniques/T1136/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.002"> <a href="/versions/v9/techniques/T1136/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.003"> <a href="/versions/v9/techniques/T1136/003/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1543-body" aria-labelledby="enterprise-TA0003-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1546-body" aria-labelledby="enterprise-TA0003-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1574-body" aria-labelledby="enterprise-TA0003-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1525"> <a href="/versions/v9/techniques/T1525/"> Implant Internal Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1556-body" aria-labelledby="enterprise-TA0003-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137"> <a href="/versions/v9/techniques/T1137/"> Office Application Startup </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1137-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1137-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1137-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1137-body" aria-labelledby="enterprise-TA0003-T1137-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.001"> <a href="/versions/v9/techniques/T1137/001/"> Office Template Macros </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.002"> <a href="/versions/v9/techniques/T1137/002/"> Office Test </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.003"> <a href="/versions/v9/techniques/T1137/003/"> Outlook Forms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.004"> <a href="/versions/v9/techniques/T1137/004/"> Outlook Home Page </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.005"> <a href="/versions/v9/techniques/T1137/005/"> Outlook Rules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.006"> <a href="/versions/v9/techniques/T1137/006/"> Add-ins </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1542-body" aria-labelledby="enterprise-TA0003-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1053-body" aria-labelledby="enterprise-TA0003-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505"> <a href="/versions/v9/techniques/T1505/"> Server Software Component </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1505-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1505-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1505-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1505-body" aria-labelledby="enterprise-TA0003-T1505-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.001"> <a href="/versions/v9/techniques/T1505/001/"> SQL Stored Procedures </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.002"> <a href="/versions/v9/techniques/T1505/002/"> Transport Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.003"> <a href="/versions/v9/techniques/T1505/003/"> Web Shell </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1205-body" aria-labelledby="enterprise-TA0003-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1078-body" aria-labelledby="enterprise-TA0003-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004"> <a href="/versions/v9/tactics/TA0004"> Privilege Escalation </a> <div class="expand-button collapsed" id="enterprise-TA0004-header" data-toggle="collapse" data-target="#enterprise-TA0004-body" aria-expanded="false" aria-controls="#enterprise-TA0004-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-body" aria-labelledby="enterprise-TA0004-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1548-body" aria-labelledby="enterprise-TA0004-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.002"> <a href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1134-body" aria-labelledby="enterprise-TA0004-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1547-body" aria-labelledby="enterprise-TA0004-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1037-body" aria-labelledby="enterprise-TA0004-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1543-body" aria-labelledby="enterprise-TA0004-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1484-body" aria-labelledby="enterprise-TA0004-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1611"> <a href="/versions/v9/techniques/T1611/"> Escape to Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1546-body" aria-labelledby="enterprise-TA0004-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1068"> <a href="/versions/v9/techniques/T1068/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1574-body" aria-labelledby="enterprise-TA0004-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1055-body" aria-labelledby="enterprise-TA0004-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.009"> <a href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1053-body" aria-labelledby="enterprise-TA0004-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1078-body" aria-labelledby="enterprise-TA0004-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005"> <a href="/versions/v9/tactics/TA0005"> Defense Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-header" data-toggle="collapse" data-target="#enterprise-TA0005-body" aria-expanded="false" aria-controls="#enterprise-TA0005-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-body" aria-labelledby="enterprise-TA0005-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1548-body" aria-labelledby="enterprise-TA0005-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.002"> <a href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1134-body" aria-labelledby="enterprise-TA0005-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1612"> <a href="/versions/v9/techniques/T1612/"> Build Image on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1140"> <a href="/versions/v9/techniques/T1140/"> Deobfuscate/Decode Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1006"> <a href="/versions/v9/techniques/T1006/"> Direct Volume Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1484-body" aria-labelledby="enterprise-TA0005-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480"> <a href="/versions/v9/techniques/T1480/"> Execution Guardrails </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1480-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1480-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1480-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1480-body" aria-labelledby="enterprise-TA0005-T1480-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1480-T1480.001"> <a href="/versions/v9/techniques/T1480/001/"> Environmental Keying </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1211"> <a href="/versions/v9/techniques/T1211/"> Exploitation for Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222"> <a href="/versions/v9/techniques/T1222/"> File and Directory Permissions Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1222-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1222-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1222-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1222-body" aria-labelledby="enterprise-TA0005-T1222-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.001"> <a href="/versions/v9/techniques/T1222/001/"> Windows File and Directory Permissions Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.002"> <a href="/versions/v9/techniques/T1222/002/"> Linux and Mac File and Directory Permissions Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564"> <a href="/versions/v9/techniques/T1564/"> Hide Artifacts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1564-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1564-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1564-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1564-body" aria-labelledby="enterprise-TA0005-T1564-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.001"> <a href="/versions/v9/techniques/T1564/001/"> Hidden Files and Directories </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.002"> <a href="/versions/v9/techniques/T1564/002/"> Hidden Users </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.003"> <a href="/versions/v9/techniques/T1564/003/"> Hidden Window </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.004"> <a href="/versions/v9/techniques/T1564/004/"> NTFS File Attributes </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.005"> <a href="/versions/v9/techniques/T1564/005/"> Hidden File System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.006"> <a href="/versions/v9/techniques/T1564/006/"> Run Virtual Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.007"> <a href="/versions/v9/techniques/T1564/007/"> VBA Stomping </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1574-body" aria-labelledby="enterprise-TA0005-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562"> <a href="/versions/v9/techniques/T1562/"> Impair Defenses </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1562-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1562-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1562-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1562-body" aria-labelledby="enterprise-TA0005-T1562-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.001"> <a href="/versions/v9/techniques/T1562/001/"> Disable or Modify Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.002"> <a href="/versions/v9/techniques/T1562/002/"> Disable Windows Event Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.003"> <a href="/versions/v9/techniques/T1562/003/"> Impair Command History Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.004"> <a href="/versions/v9/techniques/T1562/004/"> Disable or Modify System Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.006"> <a href="/versions/v9/techniques/T1562/006/"> Indicator Blocking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.007"> <a href="/versions/v9/techniques/T1562/007/"> Disable or Modify Cloud Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.008"> <a href="/versions/v9/techniques/T1562/008/"> Disable Cloud Logs </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070"> <a href="/versions/v9/techniques/T1070/"> Indicator Removal on Host </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1070-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1070-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1070-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1070-body" aria-labelledby="enterprise-TA0005-T1070-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.001"> <a href="/versions/v9/techniques/T1070/001/"> Clear Windows Event Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.002"> <a href="/versions/v9/techniques/T1070/002/"> Clear Linux or Mac System Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.003"> <a href="/versions/v9/techniques/T1070/003/"> Clear Command History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.004"> <a href="/versions/v9/techniques/T1070/004/"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.005"> <a href="/versions/v9/techniques/T1070/005/"> Network Share Connection Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.006"> <a href="/versions/v9/techniques/T1070/006/"> Timestomp </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1202"> <a href="/versions/v9/techniques/T1202/"> Indirect Command Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036"> <a href="/versions/v9/techniques/T1036/"> Masquerading </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1036-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1036-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1036-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1036-body" aria-labelledby="enterprise-TA0005-T1036-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.001"> <a href="/versions/v9/techniques/T1036/001/"> Invalid Code Signature </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.002"> <a href="/versions/v9/techniques/T1036/002/"> Right-to-Left Override </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.003"> <a href="/versions/v9/techniques/T1036/003/"> Rename System Utilities </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.004"> <a href="/versions/v9/techniques/T1036/004/"> Masquerade Task or Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.005"> <a href="/versions/v9/techniques/T1036/005/"> Match Legitimate Name or Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.006"> <a href="/versions/v9/techniques/T1036/006/"> Space after Filename </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1556-body" aria-labelledby="enterprise-TA0005-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1578"> <a href="/versions/v9/techniques/T1578/"> Modify Cloud Compute Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1578-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1578-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1578-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1578-body" aria-labelledby="enterprise-TA0005-T1578-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.001"> <a href="/versions/v9/techniques/T1578/001/"> Create Snapshot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.002"> <a href="/versions/v9/techniques/T1578/002/"> Create Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.003"> <a href="/versions/v9/techniques/T1578/003/"> Delete Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.004"> <a href="/versions/v9/techniques/T1578/004/"> Revert Cloud Instance </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1112"> <a href="/versions/v9/techniques/T1112/"> Modify Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1601"> <a href="/versions/v9/techniques/T1601/"> Modify System Image </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1601-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1601-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1601-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1601-body" aria-labelledby="enterprise-TA0005-T1601-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.001"> <a href="/versions/v9/techniques/T1601/001/"> Patch System Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.002"> <a href="/versions/v9/techniques/T1601/002/"> Downgrade System Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1599"> <a href="/versions/v9/techniques/T1599/"> Network Boundary Bridging </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1599-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1599-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1599-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1599-body" aria-labelledby="enterprise-TA0005-T1599-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1599-T1599.001"> <a href="/versions/v9/techniques/T1599/001/"> Network Address Translation Traversal </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027"> <a href="/versions/v9/techniques/T1027/"> Obfuscated Files or Information </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1027-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1027-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1027-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1027-body" aria-labelledby="enterprise-TA0005-T1027-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.001"> <a href="/versions/v9/techniques/T1027/001/"> Binary Padding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.002"> <a href="/versions/v9/techniques/T1027/002/"> Software Packing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.003"> <a href="/versions/v9/techniques/T1027/003/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.004"> <a href="/versions/v9/techniques/T1027/004/"> Compile After Delivery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.005"> <a href="/versions/v9/techniques/T1027/005/"> Indicator Removal from Tools </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1542-body" aria-labelledby="enterprise-TA0005-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1055-body" aria-labelledby="enterprise-TA0005-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.009"> <a href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1207"> <a href="/versions/v9/techniques/T1207/"> Rogue Domain Controller </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1014"> <a href="/versions/v9/techniques/T1014/"> Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218"> <a href="/versions/v9/techniques/T1218/"> Signed Binary Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1218-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1218-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1218-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1218-body" aria-labelledby="enterprise-TA0005-T1218-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.001"> <a href="/versions/v9/techniques/T1218/001/"> Compiled HTML File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.002"> <a href="/versions/v9/techniques/T1218/002/"> Control Panel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.003"> <a href="/versions/v9/techniques/T1218/003/"> CMSTP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.004"> <a href="/versions/v9/techniques/T1218/004/"> InstallUtil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.005"> <a href="/versions/v9/techniques/T1218/005/"> Mshta </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.007"> <a href="/versions/v9/techniques/T1218/007/"> Msiexec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.008"> <a href="/versions/v9/techniques/T1218/008/"> Odbcconf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.009"> <a href="/versions/v9/techniques/T1218/009/"> Regsvcs/Regasm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.010"> <a href="/versions/v9/techniques/T1218/010/"> Regsvr32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.011"> <a href="/versions/v9/techniques/T1218/011/"> Rundll32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.012"> <a href="/versions/v9/techniques/T1218/012/"> Verclsid </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1216"> <a href="/versions/v9/techniques/T1216/"> Signed Script Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1216-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1216-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1216-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1216-body" aria-labelledby="enterprise-TA0005-T1216-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1216-T1216.001"> <a href="/versions/v9/techniques/T1216/001/"> PubPrn </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553"> <a href="/versions/v9/techniques/T1553/"> Subvert Trust Controls </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1553-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1553-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1553-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1553-body" aria-labelledby="enterprise-TA0005-T1553-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.001"> <a href="/versions/v9/techniques/T1553/001/"> Gatekeeper Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.002"> <a href="/versions/v9/techniques/T1553/002/"> Code Signing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.003"> <a href="/versions/v9/techniques/T1553/003/"> SIP and Trust Provider Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.004"> <a href="/versions/v9/techniques/T1553/004/"> Install Root Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.005"> <a href="/versions/v9/techniques/T1553/005/"> Mark-of-the-Web Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.006"> <a href="/versions/v9/techniques/T1553/006/"> Code Signing Policy Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1221"> <a href="/versions/v9/techniques/T1221/"> Template Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1205-body" aria-labelledby="enterprise-TA0005-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1127"> <a href="/versions/v9/techniques/T1127/"> Trusted Developer Utilities Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1127-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1127-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1127-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1127-body" aria-labelledby="enterprise-TA0005-T1127-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1127-T1127.001"> <a href="/versions/v9/techniques/T1127/001/"> MSBuild </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1535"> <a href="/versions/v9/techniques/T1535/"> Unused/Unsupported Cloud Regions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1550-body" aria-labelledby="enterprise-TA0005-T1550-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1078-body" aria-labelledby="enterprise-TA0005-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1497"> <a href="/versions/v9/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1497-body" aria-labelledby="enterprise-TA0005-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1600"> <a href="/versions/v9/techniques/T1600/"> Weaken Encryption </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1600-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1600-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1600-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1600-body" aria-labelledby="enterprise-TA0005-T1600-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.001"> <a href="/versions/v9/techniques/T1600/001/"> Reduce Key Space </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.002"> <a href="/versions/v9/techniques/T1600/002/"> Disable Crypto Hardware </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1220"> <a href="/versions/v9/techniques/T1220/"> XSL Script Processing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006"> <a href="/versions/v9/tactics/TA0006"> Credential Access </a> <div class="expand-button collapsed" id="enterprise-TA0006-header" data-toggle="collapse" data-target="#enterprise-TA0006-body" aria-expanded="false" aria-controls="#enterprise-TA0006-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-body" aria-labelledby="enterprise-TA0006-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1110"> <a href="/versions/v9/techniques/T1110/"> Brute Force </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1110-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1110-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1110-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1110-body" aria-labelledby="enterprise-TA0006-T1110-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.001"> <a href="/versions/v9/techniques/T1110/001/"> Password Guessing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.002"> <a href="/versions/v9/techniques/T1110/002/"> Password Cracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.003"> <a href="/versions/v9/techniques/T1110/003/"> Password Spraying </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.004"> <a href="/versions/v9/techniques/T1110/004/"> Credential Stuffing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555"> <a href="/versions/v9/techniques/T1555/"> Credentials from Password Stores </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1555-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1555-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1555-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1555-body" aria-labelledby="enterprise-TA0006-T1555-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.001"> <a href="/versions/v9/techniques/T1555/001/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.002"> <a href="/versions/v9/techniques/T1555/002/"> Securityd Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.003"> <a href="/versions/v9/techniques/T1555/003/"> Credentials from Web Browsers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.004"> <a href="/versions/v9/techniques/T1555/004/"> Windows Credential Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.005"> <a href="/versions/v9/techniques/T1555/005/"> Password Managers </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1212"> <a href="/versions/v9/techniques/T1212/"> Exploitation for Credential Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1187"> <a href="/versions/v9/techniques/T1187/"> Forced Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1606"> <a href="/versions/v9/techniques/T1606/"> Forge Web Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1606-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1606-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1606-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1606-body" aria-labelledby="enterprise-TA0006-T1606-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1606-T1606.001"> <a href="/versions/v9/techniques/T1606/001/"> Web Cookies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1606-T1606.002"> <a href="/versions/v9/techniques/T1606/002/"> SAML Tokens </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1056-body" aria-labelledby="enterprise-TA0006-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.004"> <a href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1557-body" aria-labelledby="enterprise-TA0006-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1556-body" aria-labelledby="enterprise-TA0006-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003"> <a href="/versions/v9/techniques/T1003/"> OS Credential Dumping </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1003-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1003-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1003-body" aria-labelledby="enterprise-TA0006-T1003-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.001"> <a href="/versions/v9/techniques/T1003/001/"> LSASS Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.002"> <a href="/versions/v9/techniques/T1003/002/"> Security Account Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.003"> <a href="/versions/v9/techniques/T1003/003/"> NTDS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.004"> <a href="/versions/v9/techniques/T1003/004/"> LSA Secrets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.005"> <a href="/versions/v9/techniques/T1003/005/"> Cached Domain Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.006"> <a href="/versions/v9/techniques/T1003/006/"> DCSync </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.007"> <a href="/versions/v9/techniques/T1003/007/"> Proc Filesystem </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.008"> <a href="/versions/v9/techniques/T1003/008/"> /etc/passwd and /etc/shadow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1528"> <a href="/versions/v9/techniques/T1528/"> Steal Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558"> <a href="/versions/v9/techniques/T1558/"> Steal or Forge Kerberos Tickets </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1558-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1558-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1558-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1558-body" aria-labelledby="enterprise-TA0006-T1558-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.001"> <a href="/versions/v9/techniques/T1558/001/"> Golden Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.002"> <a href="/versions/v9/techniques/T1558/002/"> Silver Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.003"> <a href="/versions/v9/techniques/T1558/003/"> Kerberoasting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.004"> <a href="/versions/v9/techniques/T1558/004/"> AS-REP Roasting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1539"> <a href="/versions/v9/techniques/T1539/"> Steal Web Session Cookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1111"> <a href="/versions/v9/techniques/T1111/"> Two-Factor Authentication Interception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552"> <a href="/versions/v9/techniques/T1552/"> Unsecured Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1552-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1552-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1552-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1552-body" aria-labelledby="enterprise-TA0006-T1552-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.001"> <a href="/versions/v9/techniques/T1552/001/"> Credentials In Files </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.002"> <a href="/versions/v9/techniques/T1552/002/"> Credentials in Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.003"> <a href="/versions/v9/techniques/T1552/003/"> Bash History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.004"> <a href="/versions/v9/techniques/T1552/004/"> Private Keys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.005"> <a href="/versions/v9/techniques/T1552/005/"> Cloud Instance Metadata API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.006"> <a href="/versions/v9/techniques/T1552/006/"> Group Policy Preferences </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.007"> <a href="/versions/v9/techniques/T1552/007/"> Container API </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007"> <a href="/versions/v9/tactics/TA0007"> Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-header" data-toggle="collapse" data-target="#enterprise-TA0007-body" aria-expanded="false" aria-controls="#enterprise-TA0007-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-body" aria-labelledby="enterprise-TA0007-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087"> <a href="/versions/v9/techniques/T1087/"> Account Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1087-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1087-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1087-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1087-body" aria-labelledby="enterprise-TA0007-T1087-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.001"> <a href="/versions/v9/techniques/T1087/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.002"> <a href="/versions/v9/techniques/T1087/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.003"> <a href="/versions/v9/techniques/T1087/003/"> Email Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.004"> <a href="/versions/v9/techniques/T1087/004/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1010"> <a href="/versions/v9/techniques/T1010/"> Application Window Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1217"> <a href="/versions/v9/techniques/T1217/"> Browser Bookmark Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1580"> <a href="/versions/v9/techniques/T1580/"> Cloud Infrastructure Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1538"> <a href="/versions/v9/techniques/T1538/"> Cloud Service Dashboard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1526"> <a href="/versions/v9/techniques/T1526/"> Cloud Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1613"> <a href="/versions/v9/techniques/T1613/"> Container and Resource Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1482"> <a href="/versions/v9/techniques/T1482/"> Domain Trust Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1083"> <a href="/versions/v9/techniques/T1083/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1046"> <a href="/versions/v9/techniques/T1046/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1135"> <a href="/versions/v9/techniques/T1135/"> Network Share Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1201"> <a href="/versions/v9/techniques/T1201/"> Password Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1120"> <a href="/versions/v9/techniques/T1120/"> Peripheral Device Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069"> <a href="/versions/v9/techniques/T1069/"> Permission Groups Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1069-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1069-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1069-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1069-body" aria-labelledby="enterprise-TA0007-T1069-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.001"> <a href="/versions/v9/techniques/T1069/001/"> Local Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.002"> <a href="/versions/v9/techniques/T1069/002/"> Domain Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.003"> <a href="/versions/v9/techniques/T1069/003/"> Cloud Groups </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1057"> <a href="/versions/v9/techniques/T1057/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1012"> <a href="/versions/v9/techniques/T1012/"> Query Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1018"> <a href="/versions/v9/techniques/T1018/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518"> <a href="/versions/v9/techniques/T1518/"> Software Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1518-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1518-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1518-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1518-body" aria-labelledby="enterprise-TA0007-T1518-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1518-T1518.001"> <a href="/versions/v9/techniques/T1518/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1082"> <a href="/versions/v9/techniques/T1082/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1614"> <a href="/versions/v9/techniques/T1614/"> System Location Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016"> <a href="/versions/v9/techniques/T1016/"> System Network Configuration Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1016-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1016-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1016-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1016-body" aria-labelledby="enterprise-TA0007-T1016-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1016-T1016.001"> <a href="/versions/v9/techniques/T1016/001/"> Internet Connection Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1049"> <a href="/versions/v9/techniques/T1049/"> System Network Connections Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1033"> <a href="/versions/v9/techniques/T1033/"> System Owner/User Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1007"> <a href="/versions/v9/techniques/T1007/"> System Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1124"> <a href="/versions/v9/techniques/T1124/"> System Time Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497"> <a href="/versions/v9/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1497-body" aria-labelledby="enterprise-TA0007-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008"> <a href="/versions/v9/tactics/TA0008"> Lateral Movement </a> <div class="expand-button collapsed" id="enterprise-TA0008-header" data-toggle="collapse" data-target="#enterprise-TA0008-body" aria-expanded="false" aria-controls="#enterprise-TA0008-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-body" aria-labelledby="enterprise-TA0008-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1210"> <a href="/versions/v9/techniques/T1210/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1534"> <a href="/versions/v9/techniques/T1534/"> Internal Spearphishing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1570"> <a href="/versions/v9/techniques/T1570/"> Lateral Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563"> <a href="/versions/v9/techniques/T1563/"> Remote Service Session Hijacking </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1563-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1563-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1563-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1563-body" aria-labelledby="enterprise-TA0008-T1563-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.001"> <a href="/versions/v9/techniques/T1563/001/"> SSH Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.002"> <a href="/versions/v9/techniques/T1563/002/"> RDP Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021"> <a href="/versions/v9/techniques/T1021/"> Remote Services </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1021-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1021-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1021-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1021-body" aria-labelledby="enterprise-TA0008-T1021-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.001"> <a href="/versions/v9/techniques/T1021/001/"> Remote Desktop Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.002"> <a href="/versions/v9/techniques/T1021/002/"> SMB/Windows Admin Shares </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.003"> <a href="/versions/v9/techniques/T1021/003/"> Distributed Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.004"> <a href="/versions/v9/techniques/T1021/004/"> SSH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.005"> <a href="/versions/v9/techniques/T1021/005/"> VNC </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.006"> <a href="/versions/v9/techniques/T1021/006/"> Windows Remote Management </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1080"> <a href="/versions/v9/techniques/T1080/"> Taint Shared Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1550-body" aria-labelledby="enterprise-TA0008-T1550-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009"> <a href="/versions/v9/tactics/TA0009"> Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-header" data-toggle="collapse" data-target="#enterprise-TA0009-body" aria-expanded="false" aria-controls="#enterprise-TA0009-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-body" aria-labelledby="enterprise-TA0009-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560"> <a href="/versions/v9/techniques/T1560/"> Archive Collected Data </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1560-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1560-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1560-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1560-body" aria-labelledby="enterprise-TA0009-T1560-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.001"> <a href="/versions/v9/techniques/T1560/001/"> Archive via Utility </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.002"> <a href="/versions/v9/techniques/T1560/002/"> Archive via Library </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.003"> <a href="/versions/v9/techniques/T1560/003/"> Archive via Custom Method </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1123"> <a href="/versions/v9/techniques/T1123/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1119"> <a href="/versions/v9/techniques/T1119/"> Automated Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1115"> <a href="/versions/v9/techniques/T1115/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1530"> <a href="/versions/v9/techniques/T1530/"> Data from Cloud Storage Object </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602"> <a href="/versions/v9/techniques/T1602/"> Data from Configuration Repository </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1602-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1602-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1602-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1602-body" aria-labelledby="enterprise-TA0009-T1602-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.001"> <a href="/versions/v9/techniques/T1602/001/"> SNMP (MIB Dump) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.002"> <a href="/versions/v9/techniques/T1602/002/"> Network Device Configuration Dump </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213"> <a href="/versions/v9/techniques/T1213/"> Data from Information Repositories </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1213-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1213-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1213-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1213-body" aria-labelledby="enterprise-TA0009-T1213-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.001"> <a href="/versions/v9/techniques/T1213/001/"> Confluence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.002"> <a href="/versions/v9/techniques/T1213/002/"> Sharepoint </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1005"> <a href="/versions/v9/techniques/T1005/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1039"> <a href="/versions/v9/techniques/T1039/"> Data from Network Shared Drive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1025"> <a href="/versions/v9/techniques/T1025/"> Data from Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1074"> <a href="/versions/v9/techniques/T1074/"> Data Staged </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1074-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1074-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1074-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1074-body" aria-labelledby="enterprise-TA0009-T1074-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1074-T1074.001"> <a href="/versions/v9/techniques/T1074/001/"> Local Data Staging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1074-T1074.002"> <a href="/versions/v9/techniques/T1074/002/"> Remote Data Staging </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1114"> <a href="/versions/v9/techniques/T1114/"> Email Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1114-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1114-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1114-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1114-body" aria-labelledby="enterprise-TA0009-T1114-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.001"> <a href="/versions/v9/techniques/T1114/001/"> Local Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.002"> <a href="/versions/v9/techniques/T1114/002/"> Remote Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.003"> <a href="/versions/v9/techniques/T1114/003/"> Email Forwarding Rule </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1056-body" aria-labelledby="enterprise-TA0009-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.004"> <a href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1185"> <a href="/versions/v9/techniques/T1185/"> Man in the Browser </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1557-body" aria-labelledby="enterprise-TA0009-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1113"> <a href="/versions/v9/techniques/T1113/"> Screen Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1125"> <a href="/versions/v9/techniques/T1125/"> Video Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011"> <a href="/versions/v9/tactics/TA0011"> Command and Control </a> <div class="expand-button collapsed" id="enterprise-TA0011-header" data-toggle="collapse" data-target="#enterprise-TA0011-body" aria-expanded="false" aria-controls="#enterprise-TA0011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-body" aria-labelledby="enterprise-TA0011-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1071"> <a href="/versions/v9/techniques/T1071/"> Application Layer Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1071-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1071-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1071-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1071-body" aria-labelledby="enterprise-TA0011-T1071-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.001"> <a href="/versions/v9/techniques/T1071/001/"> Web Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.002"> <a href="/versions/v9/techniques/T1071/002/"> File Transfer Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.003"> <a href="/versions/v9/techniques/T1071/003/"> Mail Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.004"> <a href="/versions/v9/techniques/T1071/004/"> DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1092"> <a href="/versions/v9/techniques/T1092/"> Communication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1132"> <a href="/versions/v9/techniques/T1132/"> Data Encoding </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1132-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1132-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1132-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1132-body" aria-labelledby="enterprise-TA0011-T1132-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1132-T1132.001"> <a href="/versions/v9/techniques/T1132/001/"> Standard Encoding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1132-T1132.002"> <a href="/versions/v9/techniques/T1132/002/"> Non-Standard Encoding </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1001"> <a href="/versions/v9/techniques/T1001/"> Data Obfuscation </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1001-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1001-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1001-body" aria-labelledby="enterprise-TA0011-T1001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.001"> <a href="/versions/v9/techniques/T1001/001/"> Junk Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.002"> <a href="/versions/v9/techniques/T1001/002/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.003"> <a href="/versions/v9/techniques/T1001/003/"> Protocol Impersonation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1568"> <a href="/versions/v9/techniques/T1568/"> Dynamic Resolution </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1568-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1568-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1568-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1568-body" aria-labelledby="enterprise-TA0011-T1568-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.001"> <a href="/versions/v9/techniques/T1568/001/"> Fast Flux DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.002"> <a href="/versions/v9/techniques/T1568/002/"> Domain Generation Algorithms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.003"> <a href="/versions/v9/techniques/T1568/003/"> DNS Calculation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1573"> <a href="/versions/v9/techniques/T1573/"> Encrypted Channel </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1573-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1573-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1573-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1573-body" aria-labelledby="enterprise-TA0011-T1573-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.001"> <a href="/versions/v9/techniques/T1573/001/"> Symmetric Cryptography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.002"> <a href="/versions/v9/techniques/T1573/002/"> Asymmetric Cryptography </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1008"> <a href="/versions/v9/techniques/T1008/"> Fallback Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1105"> <a href="/versions/v9/techniques/T1105/"> Ingress Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1104"> <a href="/versions/v9/techniques/T1104/"> Multi-Stage Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1095"> <a href="/versions/v9/techniques/T1095/"> Non-Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1571"> <a href="/versions/v9/techniques/T1571/"> Non-Standard Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1572"> <a href="/versions/v9/techniques/T1572/"> Protocol Tunneling </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1090"> <a href="/versions/v9/techniques/T1090/"> Proxy </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1090-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1090-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1090-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1090-body" aria-labelledby="enterprise-TA0011-T1090-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.001"> <a href="/versions/v9/techniques/T1090/001/"> Internal Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.002"> <a href="/versions/v9/techniques/T1090/002/"> External Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.003"> <a href="/versions/v9/techniques/T1090/003/"> Multi-hop Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.004"> <a href="/versions/v9/techniques/T1090/004/"> Domain Fronting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1219"> <a href="/versions/v9/techniques/T1219/"> Remote Access Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1205-body" aria-labelledby="enterprise-TA0011-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1102"> <a href="/versions/v9/techniques/T1102/"> Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1102-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1102-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1102-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1102-body" aria-labelledby="enterprise-TA0011-T1102-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.001"> <a href="/versions/v9/techniques/T1102/001/"> Dead Drop Resolver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.002"> <a href="/versions/v9/techniques/T1102/002/"> Bidirectional Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.003"> <a href="/versions/v9/techniques/T1102/003/"> One-Way Communication </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010"> <a href="/versions/v9/tactics/TA0010"> Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-header" data-toggle="collapse" data-target="#enterprise-TA0010-body" aria-expanded="false" aria-controls="#enterprise-TA0010-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-body" aria-labelledby="enterprise-TA0010-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1020"> <a href="/versions/v9/techniques/T1020/"> Automated Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1020-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1020-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1020-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1020-body" aria-labelledby="enterprise-TA0010-T1020-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1020-T1020.001"> <a href="/versions/v9/techniques/T1020/001/"> Traffic Duplication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1030"> <a href="/versions/v9/techniques/T1030/"> Data Transfer Size Limits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1048"> <a href="/versions/v9/techniques/T1048/"> Exfiltration Over Alternative Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1048-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1048-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1048-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1048-body" aria-labelledby="enterprise-TA0010-T1048-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.001"> <a href="/versions/v9/techniques/T1048/001/"> Exfiltration Over Symmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.002"> <a href="/versions/v9/techniques/T1048/002/"> Exfiltration Over Asymmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.003"> <a href="/versions/v9/techniques/T1048/003/"> Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1041"> <a href="/versions/v9/techniques/T1041/"> Exfiltration Over C2 Channel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1011"> <a href="/versions/v9/techniques/T1011/"> Exfiltration Over Other Network Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1011-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1011-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1011-body" aria-labelledby="enterprise-TA0010-T1011-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1011-T1011.001"> <a href="/versions/v9/techniques/T1011/001/"> Exfiltration Over Bluetooth </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1052"> <a href="/versions/v9/techniques/T1052/"> Exfiltration Over Physical Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1052-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1052-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1052-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1052-body" aria-labelledby="enterprise-TA0010-T1052-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1052-T1052.001"> <a href="/versions/v9/techniques/T1052/001/"> Exfiltration over USB </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1567"> <a href="/versions/v9/techniques/T1567/"> Exfiltration Over Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1567-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1567-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1567-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1567-body" aria-labelledby="enterprise-TA0010-T1567-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1567-T1567.001"> <a href="/versions/v9/techniques/T1567/001/"> Exfiltration to Code Repository </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1567-T1567.002"> <a href="/versions/v9/techniques/T1567/002/"> Exfiltration to Cloud Storage </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1029"> <a href="/versions/v9/techniques/T1029/"> Scheduled Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1537"> <a href="/versions/v9/techniques/T1537/"> Transfer Data to Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040"> <a href="/versions/v9/tactics/TA0040"> Impact </a> <div class="expand-button collapsed" id="enterprise-TA0040-header" data-toggle="collapse" data-target="#enterprise-TA0040-body" aria-expanded="false" aria-controls="#enterprise-TA0040-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-body" aria-labelledby="enterprise-TA0040-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1531"> <a href="/versions/v9/techniques/T1531/"> Account Access Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1485"> <a href="/versions/v9/techniques/T1485/"> Data Destruction </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1486"> <a href="/versions/v9/techniques/T1486/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1565"> <a href="/versions/v9/techniques/T1565/"> Data Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1565-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1565-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1565-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1565-body" aria-labelledby="enterprise-TA0040-T1565-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.001"> <a href="/versions/v9/techniques/T1565/001/"> Stored Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.002"> <a href="/versions/v9/techniques/T1565/002/"> Transmitted Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.003"> <a href="/versions/v9/techniques/T1565/003/"> Runtime Data Manipulation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1491"> <a href="/versions/v9/techniques/T1491/"> Defacement </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1491-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1491-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1491-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1491-body" aria-labelledby="enterprise-TA0040-T1491-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1491-T1491.001"> <a href="/versions/v9/techniques/T1491/001/"> Internal Defacement </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1491-T1491.002"> <a href="/versions/v9/techniques/T1491/002/"> External Defacement </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1561"> <a href="/versions/v9/techniques/T1561/"> Disk Wipe </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1561-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1561-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1561-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1561-body" aria-labelledby="enterprise-TA0040-T1561-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1561-T1561.001"> <a href="/versions/v9/techniques/T1561/001/"> Disk Content Wipe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1561-T1561.002"> <a href="/versions/v9/techniques/T1561/002/"> Disk Structure Wipe </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1499"> <a href="/versions/v9/techniques/T1499/"> Endpoint Denial of Service </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1499-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1499-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1499-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1499-body" aria-labelledby="enterprise-TA0040-T1499-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.001"> <a href="/versions/v9/techniques/T1499/001/"> OS Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.002"> <a href="/versions/v9/techniques/T1499/002/"> Service Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.003"> <a href="/versions/v9/techniques/T1499/003/"> Application Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.004"> <a href="/versions/v9/techniques/T1499/004/"> Application or System Exploitation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1495"> <a href="/versions/v9/techniques/T1495/"> Firmware Corruption </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1490"> <a href="/versions/v9/techniques/T1490/"> Inhibit System Recovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1498"> <a href="/versions/v9/techniques/T1498/"> Network Denial of Service </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1498-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1498-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1498-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1498-body" aria-labelledby="enterprise-TA0040-T1498-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1498-T1498.001"> <a href="/versions/v9/techniques/T1498/001/"> Direct Network Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1498-T1498.002"> <a href="/versions/v9/techniques/T1498/002/"> Reflection Amplification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1496"> <a href="/versions/v9/techniques/T1496/"> Resource Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1489"> <a href="/versions/v9/techniques/T1489/"> Service Stop </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1529"> <a href="/versions/v9/techniques/T1529/"> System Shutdown/Reboot </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile"> <a href="/versions/v9/techniques/mobile/"> Mobile </a> <div class="expand-button collapsed" id="mobile-header" data-toggle="collapse" data-target="#mobile-body" aria-expanded="false" aria-controls="#mobile-body"></div> </div> <div class="sidenav-body collapse" id="mobile-body" aria-labelledby="mobile-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027"> <a href="/versions/v9/tactics/TA0027"> Initial Access </a> <div class="expand-button collapsed" id="mobile-TA0027-header" data-toggle="collapse" data-target="#mobile-TA0027-body" aria-expanded="false" aria-controls="#mobile-TA0027-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0027-body" aria-labelledby="mobile-TA0027-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1475"> <a href="/versions/v9/techniques/T1475/"> Deliver Malicious App via Authorized App Store </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1476"> <a href="/versions/v9/techniques/T1476/"> Deliver Malicious App via Other Means </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1456"> <a href="/versions/v9/techniques/T1456/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1458"> <a href="/versions/v9/techniques/T1458/"> Exploit via Charging Station or PC </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1477"> <a href="/versions/v9/techniques/T1477/"> Exploit via Radio Interfaces </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1478"> <a href="/versions/v9/techniques/T1478/"> Install Insecure or Malicious Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1461"> <a href="/versions/v9/techniques/T1461/"> Lockscreen Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1444"> <a href="/versions/v9/techniques/T1444/"> Masquerade as Legitimate Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1474"> <a href="/versions/v9/techniques/T1474/"> Supply Chain Compromise </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0041"> <a href="/versions/v9/tactics/TA0041"> Execution </a> <div class="expand-button collapsed" id="mobile-TA0041-header" data-toggle="collapse" data-target="#mobile-TA0041-body" aria-expanded="false" aria-controls="#mobile-TA0041-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0041-body" aria-labelledby="mobile-TA0041-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1402"> <a href="/versions/v9/techniques/T1402/"> Broadcast Receivers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1605"> <a href="/versions/v9/techniques/T1605/"> Command-Line Interface </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1575"> <a href="/versions/v9/techniques/T1575/"> Native Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1603"> <a href="/versions/v9/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028"> <a href="/versions/v9/tactics/TA0028"> Persistence </a> <div class="expand-button collapsed" id="mobile-TA0028-header" data-toggle="collapse" data-target="#mobile-TA0028-body" aria-expanded="false" aria-controls="#mobile-TA0028-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0028-body" aria-labelledby="mobile-TA0028-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1402"> <a href="/versions/v9/techniques/T1402/"> Broadcast Receivers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1577"> <a href="/versions/v9/techniques/T1577/"> Compromise Application Executable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1541"> <a href="/versions/v9/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1403"> <a href="/versions/v9/techniques/T1403/"> Modify Cached Executable Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1398"> <a href="/versions/v9/techniques/T1398/"> Modify OS Kernel or Boot Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1399"> <a href="/versions/v9/techniques/T1399/"> Modify Trusted Execution Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1603"> <a href="/versions/v9/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0029"> <a href="/versions/v9/tactics/TA0029"> Privilege Escalation </a> <div class="expand-button collapsed" id="mobile-TA0029-header" data-toggle="collapse" data-target="#mobile-TA0029-body" aria-expanded="false" aria-controls="#mobile-TA0029-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0029-body" aria-labelledby="mobile-TA0029-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1401"> <a href="/versions/v9/techniques/T1401/"> Device Administrator Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1404"> <a href="/versions/v9/techniques/T1404/"> Exploit OS Vulnerability </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1405"> <a href="/versions/v9/techniques/T1405/"> Exploit TEE Vulnerability </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030"> <a href="/versions/v9/tactics/TA0030"> Defense Evasion </a> <div class="expand-button collapsed" id="mobile-TA0030-header" data-toggle="collapse" data-target="#mobile-TA0030-body" aria-expanded="false" aria-controls="#mobile-TA0030-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-body" aria-labelledby="mobile-TA0030-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1418"> <a href="/versions/v9/techniques/T1418/"> Application Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1447"> <a href="/versions/v9/techniques/T1447/"> Delete Device Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1446"> <a href="/versions/v9/techniques/T1446/"> Device Lockout </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1408"> <a href="/versions/v9/techniques/T1408/"> Disguise Root/Jailbreak Indicators </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1407"> <a href="/versions/v9/techniques/T1407/"> Download New Code at Runtime </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1523"> <a href="/versions/v9/techniques/T1523/"> Evade Analysis Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1581"> <a href="/versions/v9/techniques/T1581/"> Geofencing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1516"> <a href="/versions/v9/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1478"> <a href="/versions/v9/techniques/T1478/"> Install Insecure or Malicious Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1444"> <a href="/versions/v9/techniques/T1444/"> Masquerade as Legitimate Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1398"> <a href="/versions/v9/techniques/T1398/"> Modify OS Kernel or Boot Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1399"> <a href="/versions/v9/techniques/T1399/"> Modify Trusted Execution Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1575"> <a href="/versions/v9/techniques/T1575/"> Native Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1406"> <a href="/versions/v9/techniques/T1406/"> Obfuscated Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1604"> <a href="/versions/v9/techniques/T1604/"> Proxy Through Victim </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1508"> <a href="/versions/v9/techniques/T1508/"> Suppress Application Icon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1576"> <a href="/versions/v9/techniques/T1576/"> Uninstall Malicious Application </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031"> <a href="/versions/v9/tactics/TA0031"> Credential Access </a> <div class="expand-button collapsed" id="mobile-TA0031-header" data-toggle="collapse" data-target="#mobile-TA0031-body" aria-expanded="false" aria-controls="#mobile-TA0031-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-body" aria-labelledby="mobile-TA0031-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1517"> <a href="/versions/v9/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1413"> <a href="/versions/v9/techniques/T1413/"> Access Sensitive Data in Device Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1409"> <a href="/versions/v9/techniques/T1409/"> Access Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1414"> <a href="/versions/v9/techniques/T1414/"> Capture Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1412"> <a href="/versions/v9/techniques/T1412/"> Capture SMS Messages </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1405"> <a href="/versions/v9/techniques/T1405/"> Exploit TEE Vulnerability </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1417"> <a href="/versions/v9/techniques/T1417/"> Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1411"> <a href="/versions/v9/techniques/T1411/"> Input Prompt </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1579"> <a href="/versions/v9/techniques/T1579/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1410"> <a href="/versions/v9/techniques/T1410/"> Network Traffic Capture or Redirection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1416"> <a href="/versions/v9/techniques/T1416/"> URI Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032"> <a href="/versions/v9/tactics/TA0032"> Discovery </a> <div class="expand-button collapsed" id="mobile-TA0032-header" data-toggle="collapse" data-target="#mobile-TA0032-body" aria-expanded="false" aria-controls="#mobile-TA0032-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-body" aria-labelledby="mobile-TA0032-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1418"> <a href="/versions/v9/techniques/T1418/"> Application Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1523"> <a href="/versions/v9/techniques/T1523/"> Evade Analysis Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1420"> <a href="/versions/v9/techniques/T1420/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1430"> <a href="/versions/v9/techniques/T1430/"> Location Tracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1423"> <a href="/versions/v9/techniques/T1423/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1424"> <a href="/versions/v9/techniques/T1424/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1426"> <a href="/versions/v9/techniques/T1426/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1422"> <a href="/versions/v9/techniques/T1422/"> System Network Configuration Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1421"> <a href="/versions/v9/techniques/T1421/"> System Network Connections Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033"> <a href="/versions/v9/tactics/TA0033"> Lateral Movement </a> <div class="expand-button collapsed" id="mobile-TA0033-header" data-toggle="collapse" data-target="#mobile-TA0033-body" aria-expanded="false" aria-controls="#mobile-TA0033-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0033-body" aria-labelledby="mobile-TA0033-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0033-T1427"> <a href="/versions/v9/techniques/T1427/"> Attack PC via USB Connection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0033-T1428"> <a href="/versions/v9/techniques/T1428/"> Exploit Enterprise Resources </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035"> <a href="/versions/v9/tactics/TA0035"> Collection </a> <div class="expand-button collapsed" id="mobile-TA0035-header" data-toggle="collapse" data-target="#mobile-TA0035-body" aria-expanded="false" aria-controls="#mobile-TA0035-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-body" aria-labelledby="mobile-TA0035-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1435"> <a href="/versions/v9/techniques/T1435/"> Access Calendar Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1433"> <a href="/versions/v9/techniques/T1433/"> Access Call Log </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1432"> <a href="/versions/v9/techniques/T1432/"> Access Contact List </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1517"> <a href="/versions/v9/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1413"> <a href="/versions/v9/techniques/T1413/"> Access Sensitive Data in Device Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1409"> <a href="/versions/v9/techniques/T1409/"> Access Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1429"> <a href="/versions/v9/techniques/T1429/"> Capture Audio </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1512"> <a href="/versions/v9/techniques/T1512/"> Capture Camera </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1414"> <a href="/versions/v9/techniques/T1414/"> Capture Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1412"> <a href="/versions/v9/techniques/T1412/"> Capture SMS Messages </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1533"> <a href="/versions/v9/techniques/T1533/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1541"> <a href="/versions/v9/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1417"> <a href="/versions/v9/techniques/T1417/"> Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1430"> <a href="/versions/v9/techniques/T1430/"> Location Tracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1507"> <a href="/versions/v9/techniques/T1507/"> Network Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1410"> <a href="/versions/v9/techniques/T1410/"> Network Traffic Capture or Redirection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1513"> <a href="/versions/v9/techniques/T1513/"> Screen Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037"> <a href="/versions/v9/tactics/TA0037"> Command and Control </a> <div class="expand-button collapsed" id="mobile-TA0037-header" data-toggle="collapse" data-target="#mobile-TA0037-body" aria-expanded="false" aria-controls="#mobile-TA0037-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-body" aria-labelledby="mobile-TA0037-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1438"> <a href="/versions/v9/techniques/T1438/"> Alternate Network Mediums </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1436"> <a href="/versions/v9/techniques/T1436/"> Commonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1520"> <a href="/versions/v9/techniques/T1520/"> Domain Generation Algorithms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1544"> <a href="/versions/v9/techniques/T1544/"> Remote File Copy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1437"> <a href="/versions/v9/techniques/T1437/"> Standard Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1521"> <a href="/versions/v9/techniques/T1521/"> Standard Cryptographic Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1509"> <a href="/versions/v9/techniques/T1509/"> Uncommonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1481"> <a href="/versions/v9/techniques/T1481/"> Web Service </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036"> <a href="/versions/v9/tactics/TA0036"> Exfiltration </a> <div class="expand-button collapsed" id="mobile-TA0036-header" data-toggle="collapse" data-target="#mobile-TA0036-body" aria-expanded="false" aria-controls="#mobile-TA0036-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0036-body" aria-labelledby="mobile-TA0036-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1438"> <a href="/versions/v9/techniques/T1438/"> Alternate Network Mediums </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1436"> <a href="/versions/v9/techniques/T1436/"> Commonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1532"> <a href="/versions/v9/techniques/T1532/"> Data Encrypted </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1437"> <a href="/versions/v9/techniques/T1437/"> Standard Application Layer Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034"> <a href="/versions/v9/tactics/TA0034"> Impact </a> <div class="expand-button collapsed" id="mobile-TA0034-header" data-toggle="collapse" data-target="#mobile-TA0034-body" aria-expanded="false" aria-controls="#mobile-TA0034-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0034-body" aria-labelledby="mobile-TA0034-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1448"> <a href="/versions/v9/techniques/T1448/"> Carrier Billing Fraud </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1510"> <a href="/versions/v9/techniques/T1510/"> Clipboard Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1471"> <a href="/versions/v9/techniques/T1471/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1447"> <a href="/versions/v9/techniques/T1447/"> Delete Device Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1446"> <a href="/versions/v9/techniques/T1446/"> Device Lockout </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1472"> <a href="/versions/v9/techniques/T1472/"> Generate Fraudulent Advertising Revenue </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1516"> <a href="/versions/v9/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1452"> <a href="/versions/v9/techniques/T1452/"> Manipulate App Store Rankings or Ratings </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1582"> <a href="/versions/v9/techniques/T1582/"> SMS Control </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0038"> <a href="/versions/v9/tactics/TA0038"> Network Effects </a> <div class="expand-button collapsed" id="mobile-TA0038-header" data-toggle="collapse" data-target="#mobile-TA0038-body" aria-expanded="false" aria-controls="#mobile-TA0038-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0038-body" aria-labelledby="mobile-TA0038-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1466"> <a href="/versions/v9/techniques/T1466/"> Downgrade to Insecure Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1439"> <a href="/versions/v9/techniques/T1439/"> Eavesdrop on Insecure Network Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1449"> <a href="/versions/v9/techniques/T1449/"> Exploit SS7 to Redirect Phone Calls/SMS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1450"> <a href="/versions/v9/techniques/T1450/"> Exploit SS7 to Track Device Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1464"> <a href="/versions/v9/techniques/T1464/"> Jamming or Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1463"> <a href="/versions/v9/techniques/T1463/"> Manipulate Device Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1467"> <a href="/versions/v9/techniques/T1467/"> Rogue Cellular Base Station </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1465"> <a href="/versions/v9/techniques/T1465/"> Rogue Wi-Fi Access Points </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1451"> <a href="/versions/v9/techniques/T1451/"> SIM Card Swap </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0039"> <a href="/versions/v9/tactics/TA0039"> Remote Service Effects </a> <div class="expand-button collapsed" id="mobile-TA0039-header" data-toggle="collapse" data-target="#mobile-TA0039-body" aria-expanded="false" aria-controls="#mobile-TA0039-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0039-body" aria-labelledby="mobile-TA0039-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1470"> <a href="/versions/v9/techniques/T1470/"> Obtain Device Cloud Backups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1468"> <a href="/versions/v9/techniques/T1468/"> Remotely Track Device Without Authorization </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1469"> <a href="/versions/v9/techniques/T1469/"> Remotely Wipe Data Without Authorization </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a></li> <li class="breadcrumb-item">Windows Command Shell</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Command and Scripting Interpreter:</span> Windows Command Shell </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Command and Scripting Interpreter (8)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/techniques/T1059/001/" class="subtechnique-table-item" data-subtechnique_id="T1059.001"> T1059.001 </a> </td> <td> <a href="/versions/v9/techniques/T1059/001/" class="subtechnique-table-item" data-subtechnique_id="T1059.001"> PowerShell </a> </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1059/002/" class="subtechnique-table-item" data-subtechnique_id="T1059.002"> T1059.002 </a> </td> <td> <a href="/versions/v9/techniques/T1059/002/" class="subtechnique-table-item" data-subtechnique_id="T1059.002"> AppleScript </a> </td> </tr> <tr> <td class="active"> T1059.003 </td> <td class="active"> Windows Command Shell </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1059/004/" class="subtechnique-table-item" data-subtechnique_id="T1059.004"> T1059.004 </a> </td> <td> <a href="/versions/v9/techniques/T1059/004/" class="subtechnique-table-item" data-subtechnique_id="T1059.004"> Unix Shell </a> </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1059/005/" class="subtechnique-table-item" data-subtechnique_id="T1059.005"> T1059.005 </a> </td> <td> <a href="/versions/v9/techniques/T1059/005/" class="subtechnique-table-item" data-subtechnique_id="T1059.005"> Visual Basic </a> </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1059/006/" class="subtechnique-table-item" data-subtechnique_id="T1059.006"> T1059.006 </a> </td> <td> <a href="/versions/v9/techniques/T1059/006/" class="subtechnique-table-item" data-subtechnique_id="T1059.006"> Python </a> </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1059/007/" class="subtechnique-table-item" data-subtechnique_id="T1059.007"> T1059.007 </a> </td> <td> <a href="/versions/v9/techniques/T1059/007/" class="subtechnique-table-item" data-subtechnique_id="T1059.007"> JavaScript </a> </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1059/008/" class="subtechnique-table-item" data-subtechnique_id="T1059.008"> T1059.008 </a> </td> <td> <a href="/versions/v9/techniques/T1059/008/" class="subtechnique-table-item" data-subtechnique_id="T1059.008"> Network Device CLI </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may abuse the Windows command shell for execution. The Windows command shell (<a href="/versions/v9/software/S0106">cmd</a>) is the primary command prompt on Windows systems. The Windows command prompt can be used to control almost any aspect of a system, with various permission levels required for different subsets of commands. </p><p>Batch files (ex: .bat or .cmd) also provide the shell with a list of sequential commands to run, as well as normal scripting operations such as conditionals and loops. Common uses of batch files include long or repetitive tasks, or the need to run the same set of commands on multiple systems.</p><p>Adversaries may leverage <a href="/versions/v9/software/S0106">cmd</a> to execute various commands and payloads. Common uses include <a href="/versions/v9/software/S0106">cmd</a> to execute a single command, or abusing <a href="/versions/v9/software/S0106">cmd</a> interactively with input and output forwarded over a command and control channel.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1059.003 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of:&nbsp;</span> <a href="/versions/v9/techniques/T1059">T1059</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/versions/v9/tactics/TA0002">Execution</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Windows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The lowest level of permissions the adversary is required to be operating within to perform the (sub-)technique on a system">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Permissions Required:&nbsp;</span>User </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Source of information collected by a sensor or logging system that may be used to collect information relevant to identifying the action being performed, sequence of actions, or the results of those actions by an adversary">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Data Sources:&nbsp;</span><a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/command.yml'>Command</a>: Command Execution, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/process.yml'>Process</a>: Process Creation </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.1 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>09 March 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>14 April 2021 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1059.003" href="/versions/v9/techniques/T1059/003/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1059.003" href="/techniques/T1059/003/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/software/S0065"> S0065 </a> </td> <td> <a href="/versions/v9/software/S0065"> 4H RAT </a> </td> <td> <p><a href="/versions/v9/software/S0065">4H RAT</a> has the capability to create a remote shell.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="CrowdStrike Putter Panda">^{<a href="http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0469"> S0469 </a> </td> <td> <a href="/versions/v9/software/S0469"> ABK </a> </td> <td> <p><a href="/versions/v9/software/S0469">ABK</a> has the ability to use <a href="/versions/v9/software/S0106">cmd</a> to run a Portable Executable (PE) on the compromised host.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="Trend Micro Tick November 2019">^{<a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0202"> S0202 </a> </td> <td> <a href="/versions/v9/software/S0202"> adbupd </a> </td> <td> <p><a href="/versions/v9/software/S0202">adbupd</a> can run a copy of cmd.exe.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft PLATINUM April 2016">^{<a href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0018"> G0018 </a> </td> <td> <a href="/versions/v9/groups/G0018"> admin@338 </a> </td> <td> <p>Following exploitation with <a href="/versions/v9/software/S0042">LOWBALL</a> malware, <a href="/versions/v9/groups/G0018">admin@338</a> actors created a file containing a list of commands to be executed on the compromised computer.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="FireEye admin@338">^{<a href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0045"> S0045 </a> </td> <td> <a href="/versions/v9/software/S0045"> ADVSTORESHELL </a> </td> <td> <p><a href="/versions/v9/software/S0045">ADVSTORESHELL</a> can create a remote shell and run a given command.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="ESET Sednit Part 2">^{<a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="Bitdefender APT28 Dec 2015">^{<a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0504"> S0504 </a> </td> <td> <a href="/versions/v9/software/S0504"> Anchor </a> </td> <td> <p><a href="/versions/v9/software/S0504">Anchor</a> has used cmd.exe to run its self deletion routine.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Cyberreason Anchor December 2019">^{<a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0006"> G0006 </a> </td> <td> <a href="/versions/v9/groups/G0006"> APT1 </a> </td> <td> <p><a href="/versions/v9/groups/G0006">APT1</a> has used the Windows command shell to execute commands, and batch scripting to automate execution.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="Mandiant APT1">^{<a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0026"> G0026 </a> </td> <td> <a href="/versions/v9/groups/G0026"> APT18 </a> </td> <td> <p><a href="/versions/v9/groups/G0026">APT18</a> uses cmd.exe to execute commands on the victim’s machine.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="PaloAlto DNS Requests May 2016">^{<a href="https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a>}</span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Anomali Evasive Maneuvers July 2015">^{<a href="https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0007"> G0007 </a> </td> <td> <a href="/versions/v9/groups/G0007"> APT28 </a> </td> <td> <p>An <a href="/versions/v9/groups/G0007">APT28</a> loader Trojan uses a cmd.exe and batch script to run its payload.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="Unit 42 Playbook Dec 2017">^{<a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a>}</span> The group has also used macros to execute payloads.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="Talos Seduploader Oct 2017">^{<a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a>}</span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="Unit42 Cannon Nov 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a>}</span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Accenture SNAKEMACKEREL Nov 2018">^{<a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a>}</span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="TrendMicro Pawn Storm Dec 2020">^{<a href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0016"> G0016 </a> </td> <td> <a href="/versions/v9/groups/G0016"> APT29 </a> </td> <td> <p><a href="/versions/v9/groups/G0016">APT29</a> used <code>cmd.exe</code> to execute commands on remote machines.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="Volexity SolarWinds">^{<a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a>}</span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="Microsoft Analyzing Solorigate Dec 2020">^{<a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0022"> G0022 </a> </td> <td> <a href="/versions/v9/groups/G0022"> APT3 </a> </td> <td> <p>An <a href="/versions/v9/groups/G0022">APT3</a> downloader uses the Windows command <code>"cmd.exe" /C whoami</code>. The group also uses a tool to execute commands on remote computers.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="FireEye Operation Double Tap">^{<a href="https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a>}</span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Symantec Buckeye">^{<a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0050"> G0050 </a> </td> <td> <a href="/versions/v9/groups/G0050"> APT32 </a> </td> <td> <p><a href="/versions/v9/groups/G0050">APT32</a> has used cmd.exe for execution.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" data-reference="Cybereason Cobalt Kitty 2017">^{<a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0067"> G0067 </a> </td> <td> <a href="/versions/v9/groups/G0067"> APT37 </a> </td> <td> <p><a href="/versions/v9/groups/G0067">APT37</a> has used the command-line interface.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="FireEye APT37 Feb 2018">^{<a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a>}</span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" data-reference="Talos Group123">^{<a href="https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0082"> G0082 </a> </td> <td> <a href="/versions/v9/groups/G0082"> APT38 </a> </td> <td> <p><a href="/versions/v9/groups/G0082">APT38</a> has used a command-line tunneler, NACHOCHEESE, to give them shell access to a victim’s machine.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="FireEye APT38 Oct 2018">^{<a href="https://content.fireeye.com/apt/rpt-apt38" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0096"> G0096 </a> </td> <td> <a href="/versions/v9/groups/G0096"> APT41 </a> </td> <td> <p><a href="/versions/v9/groups/G0096">APT41</a> used <code>cmd.exe /c</code> to execute commands on remote machines.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="FireEye APT41 Aug 2019">^{<a href="https://content.fireeye.com/apt-41/rpt-apt41" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a>}</span><a href="/versions/v9/groups/G0096">APT41</a> used a batch file to install persistence for the <a href="/versions/v9/software/S0154">Cobalt Strike</a> BEACON loader.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" data-reference="FireEye APT41 March 2020">^{<a href="https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0373"> S0373 </a> </td> <td> <a href="/versions/v9/software/S0373"> Astaroth </a> </td> <td> <p><a href="/versions/v9/software/S0373">Astaroth</a> spawns a CMD process to execute commands. <span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="Cybereason Astaroth Feb 2019">^{<a href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0347"> S0347 </a> </td> <td> <a href="/versions/v9/software/S0347"> AuditCred </a> </td> <td> <p><a href="/versions/v9/software/S0347">AuditCred</a> can open a reverse shell on the system to execute commands.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="TrendMicro Lazarus Nov 2018">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0414"> S0414 </a> </td> <td> <a href="/versions/v9/software/S0414"> BabyShark </a> </td> <td> <p><a href="/versions/v9/software/S0414">BabyShark</a> has used cmd.exe to execute commands.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" data-reference="Unit42 BabyShark Feb 2019">^{<a href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0475"> S0475 </a> </td> <td> <a href="/versions/v9/software/S0475"> BackConfig </a> </td> <td> <p><a href="/versions/v9/software/S0475">BackConfig</a> can download and run batch files to execute commands on a compromised host.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" data-reference="Unit 42 BackConfig May 2020">^{<a href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0031"> S0031 </a> </td> <td> <a href="/versions/v9/software/S0031"> BACKSPACE </a> </td> <td> <p>Adversaries can direct <a href="/versions/v9/software/S0031">BACKSPACE</a> to execute from the command line on infected hosts, or have <a href="/versions/v9/software/S0031">BACKSPACE</a> create a reverse shell.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" data-reference="FireEye APT30">^{<a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0128"> S0128 </a> </td> <td> <a href="/versions/v9/software/S0128"> BADNEWS </a> </td> <td> <p><a href="/versions/v9/software/S0128">BADNEWS</a> is capable of executing commands via cmd.exe.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" data-reference="Forcepoint Monsoon">^{<a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a>}</span><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="TrendMicro Patchwork Dec 2017">^{<a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0234"> S0234 </a> </td> <td> <a href="/versions/v9/software/S0234"> Bandook </a> </td> <td> <p><a href="/versions/v9/software/S0234">Bandook</a> is capable of spawning a Windows command shell.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" data-reference="EFF Manul Aug 2016">^{<a href="https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0239"> S0239 </a> </td> <td> <a href="/versions/v9/software/S0239"> Bankshot </a> </td> <td> <p><a href="/versions/v9/software/S0239">Bankshot</a> uses the command-line interface to execute arbitrary commands.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" data-reference="McAfee Bankshot">^{<a href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a>}</span><span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" data-reference="US-CERT Bankshot Dec 2017">^{<a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0534"> S0534 </a> </td> <td> <a href="/versions/v9/software/S0534"> Bazar </a> </td> <td> <p><a href="/versions/v9/software/S0534">Bazar</a> can launch cmd.exe to perform reconnaissance commands.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" data-reference="Cybereason Bazar July 2020">^{<a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a>}</span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" data-reference="Zscaler Bazar September 2020">^{<a href="https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0470"> S0470 </a> </td> <td> <a href="/versions/v9/software/S0470"> BBK </a> </td> <td> <p><a href="/versions/v9/software/S0470">BBK</a> has the ability to use <a href="/versions/v9/software/S0106">cmd</a> to run a Portable Executable (PE) on the compromised host.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="Trend Micro Tick November 2019">^{<a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0017"> S0017 </a> </td> <td> <a href="/versions/v9/software/S0017"> BISCUIT </a> </td> <td> <p><a href="/versions/v9/software/S0017">BISCUIT</a> has a command to launch a command shell on the system.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="Mandiant APT1 Appendix">^{<a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0268"> S0268 </a> </td> <td> <a href="/versions/v9/software/S0268"> Bisonal </a> </td> <td> <p><a href="/versions/v9/software/S0268">Bisonal</a> can launch cmd.exe to execute commands on the system.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="Unit 42 Bisonal July 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0069"> S0069 </a> </td> <td> <a href="/versions/v9/software/S0069"> BLACKCOFFEE </a> </td> <td> <p><a href="/versions/v9/software/S0069">BLACKCOFFEE</a> has the capability to create a reverse shell.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" data-reference="FireEye APT17">^{<a href="https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0564"> S0564 </a> </td> <td> <a href="/versions/v9/software/S0564"> BlackMould </a> </td> <td> <p><a href="/versions/v9/software/S0564">BlackMould</a> can run cmd.exe with parameters.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" data-reference="Microsoft GALLIUM December 2019">^{<a href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0520"> S0520 </a> </td> <td> <a href="/versions/v9/software/S0520"> BLINDINGCAN </a> </td> <td> <p><a href="/versions/v9/software/S0520">BLINDINGCAN</a> has executed commands via cmd.exe.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" data-reference="US-CERT BLINDINGCAN Aug 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0108"> G0108 </a> </td> <td> <a href="/versions/v9/groups/G0108"> Blue Mockingbird </a> </td> <td> <p><a href="/versions/v9/groups/G0108">Blue Mockingbird</a> has used batch script files to automate execution and deployment of payloads.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" data-reference="RedCanary Mockingbird May 2020">^{<a href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0360"> S0360 </a> </td> <td> <a href="/versions/v9/software/S0360"> BONDUPDATER </a> </td> <td> <p><a href="/versions/v9/software/S0360">BONDUPDATER</a> can read batch commands in a file sent from its C2 server and execute them with cmd.exe.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" data-reference="Palo Alto OilRig Sep 2018">^{<a href="https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0060"> G0060 </a> </td> <td> <a href="/versions/v9/groups/G0060"> BRONZE BUTLER </a> </td> <td> <p><a href="/versions/v9/groups/G0060">BRONZE BUTLER</a> has used batch scripts and the command-line interface for execution.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" data-reference="Secureworks BRONZE BUTLER Oct 2017">^{<a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0025"> S0025 </a> </td> <td> <a href="/versions/v9/software/S0025"> CALENDAR </a> </td> <td> <p><a href="/versions/v9/software/S0025">CALENDAR</a> has a command to run cmd.exe to execute commands.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="Mandiant APT1 Appendix">^{<a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0030"> S0030 </a> </td> <td> <a href="/versions/v9/software/S0030"> Carbanak </a> </td> <td> <p><a href="/versions/v9/software/S0030">Carbanak</a> has a command to create a reverse shell.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" data-reference="FireEye CARBANAK June 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0348"> S0348 </a> </td> <td> <a href="/versions/v9/software/S0348"> Cardinal RAT </a> </td> <td> <p><a href="/versions/v9/software/S0348">Cardinal RAT</a> can execute commands.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" data-reference="PaloAlto CardinalRat Apr 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0462"> S0462 </a> </td> <td> <a href="/versions/v9/software/S0462"> CARROTBAT </a> </td> <td> <p><a href="/versions/v9/software/S0462">CARROTBAT</a> has the ability to execute command line arguments on a compromised host.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" data-reference="Unit 42 CARROTBAT January 2020">^{<a href="https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0572"> S0572 </a> </td> <td> <a href="/versions/v9/software/S0572"> Caterpillar WebShell </a> </td> <td> <p><a href="/versions/v9/software/S0572">Caterpillar WebShell</a> can run commands on the compromised asset with CMD functions.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" data-reference="ClearSky Lebanese Cedar Jan 2021">^{<a href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0114"> G0114 </a> </td> <td> <a href="/versions/v9/groups/G0114"> Chimera </a> </td> <td> <p><a href="/versions/v9/groups/G0114">Chimera</a> has used the Windows Command Shell and batch scripts for execution on compromised hosts.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" data-reference="NCC Group Chimera January 2021">^{<a href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0020"> S0020 </a> </td> <td> <a href="/versions/v9/software/S0020"> China Chopper </a> </td> <td> <p><a href="/versions/v9/software/S0020">China Chopper</a>'s server component is capable of opening a command terminal.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" data-reference="SecureWorks BRONZE UNION June 2017">^{<a href="https://www.secureworks.com/research/bronze-union" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span><span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" data-reference="Lee 2013">^{<a href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a>}</span><span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" data-reference="NCSC Joint Report Public Tools">^{<a href="https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0106"> S0106 </a> </td> <td> <a href="/versions/v9/software/S0106"> cmd </a> </td> <td> <p><a href="/versions/v9/software/S0106">cmd</a> is used to execute programs and other actions at the command-line interface.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" data-reference="TechNet Cmd">^{<a href="https://technet.microsoft.com/en-us/library/bb490880.aspx" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0080"> G0080 </a> </td> <td> <a href="/versions/v9/groups/G0080"> Cobalt Group </a> </td> <td> <p><a href="/versions/v9/groups/G0080">Cobalt Group</a> has used a JavaScript backdoor that is capable of launching cmd.exe to execute shell commands.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" data-reference="Morphisec Cobalt Gang Oct 2018">^{<a href="https://blog.morphisec.com/cobalt-gang-2.0" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a>}</span> The group has used an exploit toolkit known as Threadkit that launches .bat files.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" data-reference="Talos Cobalt Group July 2018">^{<a href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a>}</span><span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" data-reference="PTSecurity Cobalt Group Aug 2017">^{<a href="https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a>}</span><span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" data-reference="Group IB Cobalt Aug 2017">^{<a href="https://www.group-ib.com/blog/cobalt" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a>}</span><span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" data-reference="Morphisec Cobalt Gang Oct 2018">^{<a href="https://blog.morphisec.com/cobalt-gang-2.0" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a>}</span><span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" data-reference="Unit 42 Cobalt Gang Oct 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a>}</span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" data-reference="TrendMicro Cobalt Group Nov 2017">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0154"> S0154 </a> </td> <td> <a href="/versions/v9/software/S0154"> Cobalt Strike </a> </td> <td> <p><a href="/versions/v9/software/S0154">Cobalt Strike</a> uses a command-line interface to interact with systems.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" data-reference="Cobalt Strike TTPs Dec 2017">^{<a href="https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span><span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" data-reference="Talos Cobalt Strike September 2020">^{<a href=" https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0338"> S0338 </a> </td> <td> <a href="/versions/v9/software/S0338"> Cobian RAT </a> </td> <td> <p><a href="/versions/v9/software/S0338">Cobian RAT</a> can launch a remote command shell interface for executing commands.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" data-reference="Zscaler Cobian Aug 2017">^{<a href="https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0369"> S0369 </a> </td> <td> <a href="/versions/v9/software/S0369"> CoinTicker </a> </td> <td> <p><a href="/versions/v9/software/S0369">CoinTicker</a> executes a bash script to establish a reverse shell.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" data-reference="CoinTicker 2019">^{<a href="https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0244"> S0244 </a> </td> <td> <a href="/versions/v9/software/S0244"> Comnie </a> </td> <td> <p><a href="/versions/v9/software/S0244">Comnie</a> executes BAT scripts.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" data-reference="Palo Alto Comnie">^{<a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0126"> S0126 </a> </td> <td> <a href="/versions/v9/software/S0126"> ComRAT </a> </td> <td> <p><a href="/versions/v9/software/S0126">ComRAT</a> has used <code>cmd.exe</code> to execute commands.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0575"> S0575 </a> </td> <td> <a href="/versions/v9/software/S0575"> Conti </a> </td> <td> <p><a href="/versions/v9/software/S0575">Conti</a> can utilize command line options to allow an attacker control over how it scans and encrypts files.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" data-reference="CarbonBlack Conti July 2020">^{<a href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0046"> S0046 </a> </td> <td> <a href="/versions/v9/software/S0046"> CozyCar </a> </td> <td> <p>A module in <a href="/versions/v9/software/S0046">CozyCar</a> allows arbitrary commands to be executed by invoking <code>C:\Windows\System32\cmd.exe</code>.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" data-reference="F-Secure CozyDuke">^{<a href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163418/CozyDuke.pdf" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0070"> G0070 </a> </td> <td> <a href="/versions/v9/groups/G0070"> Dark Caracal </a> </td> <td> <p><a href="/versions/v9/groups/G0070">Dark Caracal</a> has used macros in Word documents that would download a second stage if executed.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" data-reference="Lookout Dark Caracal Jan 2018">^{<a href="https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0334"> S0334 </a> </td> <td> <a href="/versions/v9/software/S0334"> DarkComet </a> </td> <td> <p><a href="/versions/v9/software/S0334">DarkComet</a> can launch a remote shell to execute commands on the victim’s machine.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" data-reference="Malwarebytes DarkComet March 2018">^{<a href="https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0012"> G0012 </a> </td> <td> <a href="/versions/v9/groups/G0012"> Darkhotel </a> </td> <td> <p><a href="/versions/v9/groups/G0012">Darkhotel</a> has dropped an mspaint.lnk shortcut to disk which launches a shell script that downloads and executes a file.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" data-reference="Securelist Darkhotel Aug 2015">^{<a href="https://securelist.com/darkhotels-attacks-in-2015/71713/" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0187"> S0187 </a> </td> <td> <a href="/versions/v9/software/S0187"> Daserf </a> </td> <td> <p><a href="/versions/v9/software/S0187">Daserf</a> can execute shell commands.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" data-reference="Trend Micro Daserf Nov 2017">^{<a href="http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a>}</span><span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" data-reference="Secureworks BRONZE BUTLER Oct 2017">^{<a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0243"> S0243 </a> </td> <td> <a href="/versions/v9/software/S0243"> DealersChoice </a> </td> <td> <p><a href="/versions/v9/software/S0243">DealersChoice</a> makes modifications to open-source scripts from GitHub and executes them on the victim’s machine.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" data-reference="Sofacy DealersChoice">^{<a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0354"> S0354 </a> </td> <td> <a href="/versions/v9/software/S0354"> Denis </a> </td> <td> <p><a href="/versions/v9/software/S0354">Denis</a> can launch a remote shell to execute arbitrary commands on the victim’s machine.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" data-reference="Cybereason Oceanlotus May 2017">^{<a href="https://www.cybereason.com/blog/operation-cobalt-kitty-apt" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a>}</span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" data-reference="Cybereason Cobalt Kitty 2017">^{<a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0200"> S0200 </a> </td> <td> <a href="/versions/v9/software/S0200"> Dipsind </a> </td> <td> <p><a href="/versions/v9/software/S0200">Dipsind</a> can spawn remote shells.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft PLATINUM April 2016">^{<a href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0186"> S0186 </a> </td> <td> <a href="/versions/v9/software/S0186"> DownPaper </a> </td> <td> <p><a href="/versions/v9/software/S0186">DownPaper</a> uses the command line.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" data-reference="ClearSky Charming Kitten Dec 2017">^{<a href="http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0074"> G0074 </a> </td> <td> <a href="/versions/v9/groups/G0074"> Dragonfly 2.0 </a> </td> <td> <p><a href="/versions/v9/groups/G0074">Dragonfly 2.0</a> used various types of scripting to perform operations, including batch scripts.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" data-reference="US-CERT TA18-074A">^{<a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a>}</span><span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" data-reference="US-CERT APT Energy Oct 2017">^{<a href="https://www.us-cert.gov/ncas/alerts/TA17-293A" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0547"> S0547 </a> </td> <td> <a href="/versions/v9/software/S0547"> DropBook </a> </td> <td> <p><a href="/versions/v9/software/S0547">DropBook</a> can execute arbitrary shell commands on the victims' machines.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" data-reference="Cybereason Molerats Dec 2020">^{<a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a>}</span><span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" data-reference="BleepingComputer Molerats Dec 2020">^{<a href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0567"> S0567 </a> </td> <td> <a href="/versions/v9/software/S0567"> Dtrack </a> </td> <td> <p><a href="/versions/v9/software/S0567">Dtrack</a> has used <code>cmd.exe</code> to add a persistent service.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" data-reference="CyberBit Dtrack">^{<a href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0593"> S0593 </a> </td> <td> <a href="/versions/v9/software/S0593"> ECCENTRICBANDWAGON </a> </td> <td> <p><a href="/versions/v9/software/S0593">ECCENTRICBANDWAGON</a> can use <a href="/versions/v9/software/S0106">cmd</a> to execute commands on a victim’s machine.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" data-reference="CISA EB Aug 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0554"> S0554 </a> </td> <td> <a href="/versions/v9/software/S0554"> Egregor </a> </td> <td> <p><a href="/versions/v9/software/S0554">Egregor</a> has used batch files for execution and can launch Internet Explorer from cmd.exe.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" data-reference="JoeSecurity Egregor 2020">^{<a href="https://www.joesandbox.com/analysis/318027/0/html" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a>}</span><span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" data-reference="Cybereason Egregor Nov 2020">^{<a href="https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0082"> S0082 </a> </td> <td> <a href="/versions/v9/software/S0082"> Emissary </a> </td> <td> <p><a href="/versions/v9/software/S0082">Emissary</a> has the capability to create a remote shell and execute specified commands.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" data-reference="Lotus Blossom Dec 2015">^{<a href="http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0367"> S0367 </a> </td> <td> <a href="/versions/v9/software/S0367"> Emotet </a> </td> <td> <p><a href="/versions/v9/software/S0367">Emotet</a> has used cmd.exe to run a PowerShell script. <span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" data-reference="Picus Emotet Dec 2018">^{<a href="https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0363"> S0363 </a> </td> <td> <a href="/versions/v9/software/S0363"> Empire </a> </td> <td> <p><a href="/versions/v9/software/S0363">Empire</a> has modules for executing scripts.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" data-reference="Github PowerShell Empire">^{<a href="https://github.com/EmpireProject/Empire" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0396"> S0396 </a> </td> <td> <a href="/versions/v9/software/S0396"> EvilBunny </a> </td> <td> <p><a href="/versions/v9/software/S0396">EvilBunny</a> has an integrated scripting engine to download and execute Lua scripts.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" data-reference="Cyphort EvilBunny Dec 2014">^{<a href="https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0343"> S0343 </a> </td> <td> <a href="/versions/v9/software/S0343"> Exaramel for Windows </a> </td> <td> <p><a href="/versions/v9/software/S0343">Exaramel for Windows</a> has a command to launch a remote shell and executes commands on the victim’s machine.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" data-reference="ESET TeleBots Oct 2018">^{<a href="https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0171"> S0171 </a> </td> <td> <a href="/versions/v9/software/S0171"> Felismus </a> </td> <td> <p><a href="/versions/v9/software/S0171">Felismus</a> uses command line for execution.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" data-reference="Forcepoint Felismus Mar 2017">^{<a href="https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0267"> S0267 </a> </td> <td> <a href="/versions/v9/software/S0267"> FELIXROOT </a> </td> <td> <p><a href="/versions/v9/software/S0267">FELIXROOT</a> executes batch scripts on the victim’s machine, and can launch a reverse shell for command execution.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" data-reference="FireEye FELIXROOT July 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a>}</span><span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" data-reference="ESET GreyEnergy Oct 2018">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0051"> G0051 </a> </td> <td> <a href="/versions/v9/groups/G0051"> FIN10 </a> </td> <td> <p><a href="/versions/v9/groups/G0051">FIN10</a> has executed malicious .bat files containing PowerShell commands.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" data-reference="FireEye FIN10 June 2017">^{<a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0037"> G0037 </a> </td> <td> <a href="/versions/v9/groups/G0037"> FIN6 </a> </td> <td> <p><a href="/versions/v9/groups/G0037">FIN6</a> has used <code>kill.bat</code> script to disable security tools.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" data-reference="FireEye FIN6 Apr 2019">^{<a href="https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0046"> G0046 </a> </td> <td> <a href="/versions/v9/groups/G0046"> FIN7 </a> </td> <td> <p><a href="/versions/v9/groups/G0046">FIN7</a> used the command prompt to launch commands on the victim’s machine.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" data-reference="FireEye FIN7 Aug 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a>}</span><span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" data-reference="Flashpoint FIN 7 March 2019">^{<a href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0061"> G0061 </a> </td> <td> <a href="/versions/v9/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/versions/v9/groups/G0061">FIN8</a> has used a Batch file to automate frequently executed post compromise cleanup activities.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" data-reference="FireEye Know Your Enemy FIN8 Aug 2016">^{<a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a>}</span> <a href="/versions/v9/groups/G0061">FIN8</a> executes commands remotely via cmd.exe.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" data-reference="FireEye Obfuscation June 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0117"> G0117 </a> </td> <td> <a href="/versions/v9/groups/G0117"> Fox Kitten </a> </td> <td> <p><a href="/versions/v9/groups/G0117">Fox Kitten</a> has used cmd.exe likely as a password changing mechanism.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" data-reference="CISA AA20-259A Iran-Based Actor September 2020">^{<a href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0101"> G0101 </a> </td> <td> <a href="/versions/v9/groups/G0101"> Frankenstein </a> </td> <td> <p><a href="/versions/v9/groups/G0101">Frankenstein</a> has run a command script to set up persistence as a scheduled task named "WinUpdate", as well as other encoded commands from the command-line.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" data-reference="Talos Frankenstein June 2019">^{<a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0093"> G0093 </a> </td> <td> <a href="/versions/v9/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/versions/v9/groups/G0093">GALLIUM</a> used the Windows command shell to execute commands.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" data-reference="Cybereason Soft Cell June 2019">^{<a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0047"> G0047 </a> </td> <td> <a href="/versions/v9/groups/G0047"> Gamaredon Group </a> </td> <td> <p><a href="/versions/v9/groups/G0047">Gamaredon Group</a> has used various batch scripts to establish C2 and download additional files. <a href="/versions/v9/groups/G0047">Gamaredon Group</a>'s backdoor malware has also been written to a batch file.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" data-reference="Palo Alto Gamaredon Feb 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a>}</span><span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" data-reference="ESET Gamaredon June 2020">^{<a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0249"> S0249 </a> </td> <td> <a href="/versions/v9/software/S0249"> Gold Dragon </a> </td> <td> <p><a href="/versions/v9/software/S0249">Gold Dragon</a> uses cmd.exe to execute commands for discovery.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" data-reference="McAfee Gold Dragon">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0493"> S0493 </a> </td> <td> <a href="/versions/v9/software/S0493"> GoldenSpy </a> </td> <td> <p><a href="/versions/v9/software/S0493">GoldenSpy</a> can execute remote commands via the command-line interface.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" data-reference="Trustwave GoldenSpy June 2020">^{<a href="https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0588"> S0588 </a> </td> <td> <a href="/versions/v9/software/S0588"> GoldMax </a> </td> <td> <p><a href="/versions/v9/software/S0588">GoldMax</a> can spawn a command shell, and execute native commands.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" data-reference="MSTIC NOBELIUM Mar 2021">^{<a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a>}</span><span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" data-reference="FireEye SUNSHUTTLE Mar 2021">^{<a href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0477"> S0477 </a> </td> <td> <a href="/versions/v9/software/S0477"> Goopy </a> </td> <td> <p><a href="/versions/v9/software/S0477">Goopy</a> has the ability to use cmd.exe to execute commands passed from an Outlook C2 channel.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" data-reference="Cybereason Cobalt Kitty 2017">^{<a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0078"> G0078 </a> </td> <td> <a href="/versions/v9/groups/G0078"> Gorgon Group </a> </td> <td> <p><a href="/versions/v9/groups/G0078">Gorgon Group</a> malware can use cmd.exe to download and execute payloads and to execute commands on the system.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" data-reference="Unit 42 Gorgon Group Aug 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0237"> S0237 </a> </td> <td> <a href="/versions/v9/software/S0237"> GravityRAT </a> </td> <td> <p><a href="/versions/v9/software/S0237">GravityRAT</a> executes commands remotely on the infected host.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" data-reference="Talos GravityRAT">^{<a href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0342"> S0342 </a> </td> <td> <a href="/versions/v9/software/S0342"> GreyEnergy </a> </td> <td> <p><a href="/versions/v9/software/S0342">GreyEnergy</a> uses cmd.exe to execute itself in-memory.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" data-reference="ESET GreyEnergy Oct 2018">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0132"> S0132 </a> </td> <td> <a href="/versions/v9/software/S0132"> H1N1 </a> </td> <td> <p><a href="/versions/v9/software/S0132">H1N1</a> kills and disables services by using cmd.exe.<span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" data-reference="Cisco H1N1 Part 2">^{<a href="http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities-part-2" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0246"> S0246 </a> </td> <td> <a href="/versions/v9/software/S0246"> HARDRAIN </a> </td> <td> <p><a href="/versions/v9/software/S0246">HARDRAIN</a> uses cmd.exe to execute <code>netsh</code>commands.<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" data-reference="US-CERT HARDRAIN March 2018">^{<a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0391"> S0391 </a> </td> <td> <a href="/versions/v9/software/S0391"> HAWKBALL </a> </td> <td> <p><a href="/versions/v9/software/S0391">HAWKBALL</a> has created a cmd.exe reverse shell, executed commands, and uploaded output via the command line.<span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" data-reference="FireEye HAWKBALL Jun 2019">^{<a href="https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0071"> S0071 </a> </td> <td> <a href="/versions/v9/software/S0071"> hcdLoader </a> </td> <td> <p><a href="/versions/v9/software/S0071">hcdLoader</a> provides command-line access to the compromised system.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" data-reference="Dell Lateral Movement">^{<a href="http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0170"> S0170 </a> </td> <td> <a href="/versions/v9/software/S0170"> Helminth </a> </td> <td> <p><a href="/versions/v9/software/S0170">Helminth</a> can provide a remote shell. One version of <a href="/versions/v9/software/S0170">Helminth</a> uses batch scripting.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" data-reference="Palo Alto OilRig May 2016">^{<a href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0087"> S0087 </a> </td> <td> <a href="/versions/v9/software/S0087"> Hi-Zor </a> </td> <td> <p><a href="/versions/v9/software/S0087">Hi-Zor</a> has the ability to create a reverse shell.<span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" data-reference="Fidelis INOCNATION">^{<a href="https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL_0.pdf" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0394"> S0394 </a> </td> <td> <a href="/versions/v9/software/S0394"> HiddenWasp </a> </td> <td> <p><a href="/versions/v9/software/S0394">HiddenWasp</a> uses a script to automate tasks on the victim's machine and to assist in execution.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" data-reference="Intezer HiddenWasp Map 2019">^{<a href="https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0126"> G0126 </a> </td> <td> <a href="/versions/v9/groups/G0126"> Higaisa </a> </td> <td> <p><a href="/versions/v9/groups/G0126">Higaisa</a> used <code>cmd.exe</code> for execution.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" data-reference="Malwarebytes Higaisa 2020">^{<a href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a>}</span><span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" data-reference="Zscaler Higaisa 2020">^{<a href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a>}</span><span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" data-reference="PTSecurity Higaisa 2020">^{<a href="https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0009"> S0009 </a> </td> <td> <a href="/versions/v9/software/S0009"> Hikit </a> </td> <td> <p><a href="/versions/v9/software/S0009">Hikit</a> has the ability to create a remote shell and run given commands.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" data-reference="FireEye HIKIT Rootkit Part 2">^{<a href="https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0232"> S0232 </a> </td> <td> <a href="/versions/v9/software/S0232"> HOMEFRY </a> </td> <td> <p><a href="/versions/v9/software/S0232">HOMEFRY</a> uses a command-line interface.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" data-reference="FireEye Periscope March 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0072"> G0072 </a> </td> <td> <a href="/versions/v9/groups/G0072"> Honeybee </a> </td> <td> <p>Several commands are supported by the <a href="/versions/v9/groups/G0072">Honeybee</a>'s implant via the command-line interface and there’s also a utility to execute any custom command on an infected endpoint.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" data-reference="McAfee Honeybee">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a>}</span> <a href="/versions/v9/groups/G0072">Honeybee</a> used batch scripting.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" data-reference="McAfee Honeybee">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0376"> S0376 </a> </td> <td> <a href="/versions/v9/software/S0376"> HOPLIGHT </a> </td> <td> <p><a href="/versions/v9/software/S0376">HOPLIGHT</a> can launch cmd.exe to execute commands on the system.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" data-reference="US-CERT HOPLIGHT Apr 2019">^{<a href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0431"> S0431 </a> </td> <td> <a href="/versions/v9/software/S0431"> HotCroissant </a> </td> <td> <p><a href="/versions/v9/software/S0431">HotCroissant</a> can remotely open applications on the infected host with the <code>ShellExecuteA</code> command.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" data-reference="Carbon Black HotCroissant April 2020">^{<a href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0070"> S0070 </a> </td> <td> <a href="/versions/v9/software/S0070"> HTTPBrowser </a> </td> <td> <p><a href="/versions/v9/software/S0070">HTTPBrowser</a> is capable of spawning a reverse shell on a victim.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" data-reference="Dell TG-3390">^{<a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0068"> S0068 </a> </td> <td> <a href="/versions/v9/software/S0068"> httpclient </a> </td> <td> <p><a href="/versions/v9/software/S0068">httpclient</a> opens cmd.exe on the victim.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="CrowdStrike Putter Panda">^{<a href="http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0119"> G0119 </a> </td> <td> <a href="/versions/v9/groups/G0119"> Indrik Spider </a> </td> <td> <p><a href="/versions/v9/groups/G0119">Indrik Spider</a> has used batch scripts on victim's machines.<span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" data-reference="Crowdstrike Indrik November 2018">^{<a href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0259"> S0259 </a> </td> <td> <a href="/versions/v9/software/S0259"> InnaputRAT </a> </td> <td> <p><a href="/versions/v9/software/S0259">InnaputRAT</a> launches a shell to execute commands on the victim’s machine.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" data-reference="ASERT InnaputRAT April 2018">^{<a href="https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0260"> S0260 </a> </td> <td> <a href="/versions/v9/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/versions/v9/software/S0260">InvisiMole</a> can launch a remote shell to execute commands.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" data-reference="ESET InvisiMole June 2018">^{<a href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a>}</span><span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" data-reference="ESET InvisiMole June 2020">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0015"> S0015 </a> </td> <td> <a href="/versions/v9/software/S0015"> Ixeshe </a> </td> <td> <p><a href="/versions/v9/software/S0015">Ixeshe</a> is capable of executing commands via <a href="/versions/v9/software/S0106">cmd</a>.<span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" data-reference="Trend Micro IXESHE 2012">^{<a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0389"> S0389 </a> </td> <td> <a href="/versions/v9/software/S0389"> JCry </a> </td> <td> <p><a href="/versions/v9/software/S0389">JCry</a> has used <code>cmd.exe</code> to launch PowerShell.<span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" data-reference="Carbon Black JCry May 2019">^{<a href="https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0044"> S0044 </a> </td> <td> <a href="/versions/v9/software/S0044"> JHUHUGIT </a> </td> <td> <p><a href="/versions/v9/software/S0044">JHUHUGIT</a> uses a .bat file to execute a .dll.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="Talos Seduploader Oct 2017">^{<a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0201"> S0201 </a> </td> <td> <a href="/versions/v9/software/S0201"> JPIN </a> </td> <td> <p><a href="/versions/v9/software/S0201">JPIN</a> can use the command-line utility cacls.exe to change file permissions.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Microsoft PLATINUM April 2016">^{<a href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0283"> S0283 </a> </td> <td> <a href="/versions/v9/software/S0283"> jRAT </a> </td> <td> <p><a href="/versions/v9/software/S0283">jRAT</a> has command line access.<span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" data-reference="Kaspersky Adwind Feb 2016">^{<a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0088"> S0088 </a> </td> <td> <a href="/versions/v9/software/S0088"> Kasidet </a> </td> <td> <p><a href="/versions/v9/software/S0088">Kasidet</a> can execute commands using cmd.exe.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" data-reference="Zscaler Kasidet">^{<a href="http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0265"> S0265 </a> </td> <td> <a href="/versions/v9/software/S0265"> Kazuar </a> </td> <td> <p><a href="/versions/v9/software/S0265">Kazuar</a> uses cmd.exe to execute commands on the victim’s machine.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" data-reference="Unit 42 Kazuar May 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0004"> G0004 </a> </td> <td> <a href="/versions/v9/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/versions/v9/groups/G0004">Ke3chang</a> has used batch scripts in its malware to install persistence mechanisms.<span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" data-reference="NCC Group APT15 Alive and Strong">^{<a href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0387"> S0387 </a> </td> <td> <a href="/versions/v9/software/S0387"> KeyBoy </a> </td> <td> <p><a href="/versions/v9/software/S0387">KeyBoy</a> can launch interactive shells for communicating with the victim machine.<span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" data-reference="PWC KeyBoys Feb 2017">^{<a href="https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a>}</span><span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" data-reference="Rapid7 KeyBoy Jun 2013">^{<a href="https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0271"> S0271 </a> </td> <td> <a href="/versions/v9/software/S0271"> KEYMARBLE </a> </td> <td> <p><a href="/versions/v9/software/S0271">KEYMARBLE</a> can execute shell commands using cmd.exe.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" data-reference="US-CERT KEYMARBLE Aug 2018">^{<a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0526"> S0526 </a> </td> <td> <a href="/versions/v9/software/S0526"> KGH_SPY </a> </td> <td> <p><a href="/versions/v9/software/S0526">KGH_SPY</a> has the ability to set a Registry key to run a cmd.exe command.<span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" data-reference="Cybereason Kimsuky November 2020">^{<a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0250"> S0250 </a> </td> <td> <a href="/versions/v9/software/S0250"> Koadic </a> </td> <td> <p><a href="/versions/v9/software/S0250">Koadic</a> can open an interactive command-shell to perform command line functions on victim machines.<span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" data-reference="Github Koadic">^{<a href="https://github.com/zerosum0x0/koadic" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a>}</span> <a href="/versions/v9/software/S0250">Koadic</a> performs most of its operations using Windows Script Host (Jscript) and runs arbitrary shellcode .<span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" data-reference="Github Koadic">^{<a href="https://github.com/zerosum0x0/koadic" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0156"> S0156 </a> </td> <td> <a href="/versions/v9/software/S0156"> KOMPROGO </a> </td> <td> <p><a href="/versions/v9/software/S0156">KOMPROGO</a> is capable of creating a reverse shell.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" data-reference="FireEye APT32 May 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0356"> S0356 </a> </td> <td> <a href="/versions/v9/software/S0356"> KONNI </a> </td> <td> <p><a href="/versions/v9/software/S0356">KONNI</a> has used cmd.exe execute arbitrary commands on the infected host across different stages of the infection change.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" data-reference="Talos Konni May 2017">^{<a href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a>}</span><span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" data-reference="Medium KONNI Jan 2020">^{<a href="https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0032"> G0032 </a> </td> <td> <a href="/versions/v9/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/versions/v9/groups/G0032">Lazarus Group</a> malware uses cmd.exe to execute commands on victims.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" data-reference="Novetta Blockbuster">^{<a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a>}</span><span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" data-reference="Novetta Blockbuster Destructive Malware">^{<a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a>}</span><span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" data-reference="McAfee Lazarus Resurfaces Feb 2018">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a>}</span><span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" data-reference="US-CERT SHARPKNOT June 2018">^{<a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a>}</span><span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" data-reference="F-Secure Lazarus Cryptocurrency Aug 2020">^{<a href="https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a>}</span> A Destover-like variant used by <a href="/versions/v9/groups/G0032">Lazarus Group</a> uses a batch file mechanism to delete its binaries from the system.<span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" data-reference="McAfee GhostSecret">^{<a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0065"> G0065 </a> </td> <td> <a href="/versions/v9/groups/G0065"> Leviathan </a> </td> <td> <p><a href="/versions/v9/groups/G0065">Leviathan</a> uses a backdoor known as BADFLICK that is is capable of generating a reverse shell, and has used multiple types of scripting for execution, including JavaScript and JavaScript Scriptlets in XML.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" data-reference="Proofpoint Leviathan Oct 2017">^{<a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a>}</span>.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" data-reference="FireEye Periscope March 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0395"> S0395 </a> </td> <td> <a href="/versions/v9/software/S0395"> LightNeuron </a> </td> <td> <p><a href="/versions/v9/software/S0395">LightNeuron</a> is capable of executing commands via cmd.exe.<span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" data-reference="ESET LightNeuron May 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0211"> S0211 </a> </td> <td> <a href="/versions/v9/software/S0211"> Linfo </a> </td> <td> <p><a href="/versions/v9/software/S0211">Linfo</a> creates a backdoor through which remote attackers can start a remote shell.<span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" data-reference="Symantec Linfo May 2012">^{<a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0582"> S0582 </a> </td> <td> <a href="/versions/v9/software/S0582"> LookBack </a> </td> <td> <p><a href="/versions/v9/software/S0582">LookBack</a> executes the <code>cmd.exe</code> command.<span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" data-reference="Proofpoint LookBack Malware Aug 2019">^{<a href="https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0451"> S0451 </a> </td> <td> <a href="/versions/v9/software/S0451"> LoudMiner </a> </td> <td> <p><a href="/versions/v9/software/S0451">LoudMiner</a> used a batch script to run the Linux virtual machine as a service.<span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" data-reference="ESET LoudMiner June 2019">^{<a href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0532"> S0532 </a> </td> <td> <a href="/versions/v9/software/S0532"> Lucifer </a> </td> <td> <p><a href="/versions/v9/software/S0532">Lucifer</a> can issue shell commands to download and execute additional payloads.<span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" data-reference="Unit 42 Lucifer June 2020">^{<a href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0095"> G0095 </a> </td> <td> <a href="/versions/v9/groups/G0095"> Machete </a> </td> <td> <p><a href="/versions/v9/groups/G0095">Machete</a> has used batch files to initiate additional downloads of malicious files.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" data-reference="360 Machete Sep 2020">^{<a href="https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0059"> G0059 </a> </td> <td> <a href="/versions/v9/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/versions/v9/groups/G0059">Magic Hound</a> has used the command-line interface.<span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" data-reference="Unit 42 Magic Hound Feb 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0449"> S0449 </a> </td> <td> <a href="/versions/v9/software/S0449"> Maze </a> </td> <td> <p>The <a href="/versions/v9/software/S0449">Maze</a> encryption process has used batch scripts with various commands.<span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" data-reference="FireEye Maze May 2020">^{<a href="https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a>}</span><span onclick=scrollToRef('scite-158') id="scite-ref-158-a" class="scite-citeref-number" data-reference="Sophos Maze VM September 2020">^{<a href="https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0500"> S0500 </a> </td> <td> <a href="/versions/v9/software/S0500"> MCMD </a> </td> <td> <p><a href="/versions/v9/software/S0500">MCMD</a> can launch a console process (cmd.exe) with redirected standard input and output.<span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" data-reference="Secureworks MCMD July 2019">^{<a href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0459"> S0459 </a> </td> <td> <a href="/versions/v9/software/S0459"> MechaFlounder </a> </td> <td> <p><a href="/versions/v9/software/S0459">MechaFlounder</a> has the ability to run commands on a compromised host.<span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" data-reference="Unit 42 MechaFlounder March 2019">^{<a href="https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0576"> S0576 </a> </td> <td> <a href="/versions/v9/software/S0576"> MegaCortex </a> </td> <td> <p><a href="/versions/v9/software/S0576">MegaCortex</a> has used <code>.cmd</code> scripts on the victim's system.<span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" data-reference="IBM MegaCortex">^{<a href="https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0045"> G0045 </a> </td> <td> <a href="/versions/v9/groups/G0045"> menuPass </a> </td> <td> <p><a href="/versions/v9/groups/G0045">menuPass</a> executes commands using a command-line interface and reverse shell. The group has used a modified version of pentesting script wmiexec.vbs to execute commands.<span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" data-reference="PWC Cloud Hopper April 2017">^{<a href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a>}</span><span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" data-reference="PWC Cloud Hopper Technical Annex April 2017">^{<a href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a>}</span><span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" data-reference="Github AD-Pentest-Script">^{<a href="https://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a>}</span><span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" data-reference="FireEye APT10 Sept 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a>}</span> <a href="/versions/v9/groups/G0045">menuPass</a> has used malicious macros embedded inside Office documents to execute files.<span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" data-reference="Accenture Hogfish April 2018">^{<a href="https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a>}</span><span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" data-reference="FireEye APT10 Sept 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0455"> S0455 </a> </td> <td> <a href="/versions/v9/software/S0455"> Metamorfo </a> </td> <td> <p><a href="/versions/v9/software/S0455">Metamorfo</a> has used <code>cmd.exe /c</code> to execute files.<span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" data-reference="Medium Metamorfo Apr 2020">^{<a href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0339"> S0339 </a> </td> <td> <a href="/versions/v9/software/S0339"> Micropsia </a> </td> <td> <p><a href="/versions/v9/software/S0339">Micropsia</a> creates a command-line shell using cmd.exe.<span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" data-reference="Radware Micropsia July 2018">^{<a href="https://blog.radware.com/security/2018/07/micropsia-malware/" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0280"> S0280 </a> </td> <td> <a href="/versions/v9/software/S0280"> MirageFox </a> </td> <td> <p><a href="/versions/v9/software/S0280">MirageFox</a> has the capability to execute commands using cmd.exe.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" data-reference="APT15 Intezer June 2018">^{<a href="https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0084"> S0084 </a> </td> <td> <a href="/versions/v9/software/S0084"> Mis-Type </a> </td> <td> <p><a href="/versions/v9/software/S0084">Mis-Type</a> uses cmd.exe to run commands for enumerating the host.<span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" data-reference="Cylance Dust Storm">^{<a href="https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0083"> S0083 </a> </td> <td> <a href="/versions/v9/software/S0083"> Misdat </a> </td> <td> <p><a href="/versions/v9/software/S0083">Misdat</a> is capable of providing shell functionality to the attacker to execute commands.<span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" data-reference="Cylance Dust Storm">^{<a href="https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0080"> S0080 </a> </td> <td> <a href="/versions/v9/software/S0080"> Mivast </a> </td> <td> <p><a href="/versions/v9/software/S0080">Mivast</a> has the capability to open a remote shell and run basic commands.<span onclick=scrollToRef('scite-171') id="scite-ref-171-a" class="scite-citeref-number" data-reference="Symantec Backdoor.Mivast">^{<a href="http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2" target="_blank" data-hasqtip="170" aria-describedby="qtip-170">[171]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0553"> S0553 </a> </td> <td> <a href="/versions/v9/software/S0553"> MoleNet </a> </td> <td> <p><a href="/versions/v9/software/S0553">MoleNet</a> can execute commands via the command line utility.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" data-reference="Cybereason Molerats Dec 2020">^{<a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0149"> S0149 </a> </td> <td> <a href="/versions/v9/software/S0149"> MoonWind </a> </td> <td> <p><a href="/versions/v9/software/S0149">MoonWind</a> can execute commands via an interactive command shell.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" data-reference="Palo Alto MoonWind March 2017">^{<a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a>}</span> <a href="/versions/v9/software/S0149">MoonWind</a> uses batch scripts for various purposes, including to restart and uninstall itself.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" data-reference="Palo Alto MoonWind March 2017">^{<a href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0284"> S0284 </a> </td> <td> <a href="/versions/v9/software/S0284"> More_eggs </a> </td> <td> <p><a href="/versions/v9/software/S0284">More_eggs</a> has used cmd.exe for execution.<span onclick=scrollToRef('scite-173') id="scite-ref-173-a" class="scite-citeref-number" data-reference="Security Intelligence More Eggs Aug 2019">^{<a href="https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" target="_blank" data-hasqtip="172" aria-describedby="qtip-172">[173]</a>}</span><span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" data-reference="ESET EvilNum July 2020">^{<a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0256"> S0256 </a> </td> <td> <a href="/versions/v9/software/S0256"> Mosquito </a> </td> <td> <p><a href="/versions/v9/software/S0256">Mosquito</a> executes cmd.exe and uses a pipe to read the results and send back the output to the C2 server.<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito Jan 2018">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0069"> G0069 </a> </td> <td> <a href="/versions/v9/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/versions/v9/groups/G0069">MuddyWater</a> has used a custom tool for creating reverse shells.<span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" data-reference="Symantec MuddyWater Dec 2018">^{<a href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0233"> S0233 </a> </td> <td> <a href="/versions/v9/software/S0233"> MURKYTOP </a> </td> <td> <p><a href="/versions/v9/software/S0233">MURKYTOP</a> uses the command-line interface.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" data-reference="FireEye Periscope March 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0129"> G0129 </a> </td> <td> <a href="/versions/v9/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/versions/v9/groups/G0129">Mustang Panda</a> has executed HTA files via cmd.exe, and used batch scripts for collection.<span onclick=scrollToRef('scite-177') id="scite-ref-177-a" class="scite-citeref-number" data-reference="Anomali MUSTANG PANDA October 2019">^{<a href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations" target="_blank" data-hasqtip="176" aria-describedby="qtip-176">[177]</a>}</span><span onclick=scrollToRef('scite-178') id="scite-ref-178-a" class="scite-citeref-number" data-reference="Avira Mustang Panda January 2020">^{<a href="https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" target="_blank" data-hasqtip="177" aria-describedby="qtip-177">[178]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0336"> S0336 </a> </td> <td> <a href="/versions/v9/software/S0336"> NanoCore </a> </td> <td> <p><a href="/versions/v9/software/S0336">NanoCore</a> can open a remote command-line interface and execute commands.<span onclick=scrollToRef('scite-179') id="scite-ref-179-a" class="scite-citeref-number" data-reference="PaloAlto NanoCore Feb 2016">^{<a href="https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/" target="_blank" data-hasqtip="178" aria-describedby="qtip-178">[179]</a>}</span> <a href="/versions/v9/software/S0336">NanoCore</a> uses JavaScript files.<span onclick=scrollToRef('scite-180') id="scite-ref-180-a" class="scite-citeref-number" data-reference="Cofense NanoCore Mar 2018">^{<a href="https://cofense.com/nanocore-rat-resurfaced-sewers/" target="_blank" data-hasqtip="179" aria-describedby="qtip-179">[180]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0247"> S0247 </a> </td> <td> <a href="/versions/v9/software/S0247"> NavRAT </a> </td> <td> <p><a href="/versions/v9/software/S0247">NavRAT</a> leverages cmd.exe to perform discovery techniques.<span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" data-reference="Talos NavRAT May 2018">^{<a href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a>}</span> <a href="/versions/v9/software/S0247">NavRAT</a> loads malicious shellcode and executes it in memory.<span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" data-reference="Talos NavRAT May 2018">^{<a href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0034"> S0034 </a> </td> <td> <a href="/versions/v9/software/S0034"> NETEAGLE </a> </td> <td> <p><a href="/versions/v9/software/S0034">NETEAGLE</a> allows adversaries to execute shell commands on the infected host.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" data-reference="FireEye APT30">^{<a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0457"> S0457 </a> </td> <td> <a href="/versions/v9/software/S0457"> Netwalker </a> </td> <td> <p>Operators deploying <a href="/versions/v9/software/S0457">Netwalker</a> have used batch scripts to retrieve the <a href="/versions/v9/software/S0457">Netwalker</a> payload.<span onclick=scrollToRef('scite-182') id="scite-ref-182-a" class="scite-citeref-number" data-reference="Sophos Netwalker May 2020">^{<a href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank" data-hasqtip="181" aria-describedby="qtip-181">[182]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0198"> S0198 </a> </td> <td> <a href="/versions/v9/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/versions/v9/software/S0198">NETWIRE</a> can issue commands using cmd.exe.<span onclick=scrollToRef('scite-183') id="scite-ref-183-a" class="scite-citeref-number" data-reference="Red Canary NETWIRE January 2020">^{<a href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank" data-hasqtip="182" aria-describedby="qtip-182">[183]</a>}</span><span onclick=scrollToRef('scite-184') id="scite-ref-184-a" class="scite-citeref-number" data-reference="Proofpoint NETWIRE December 2020">^{<a href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank" data-hasqtip="183" aria-describedby="qtip-183">[184]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0385"> S0385 </a> </td> <td> <a href="/versions/v9/software/S0385"> njRAT </a> </td> <td> <p><a href="/versions/v9/software/S0385">njRAT</a> can launch a command shell interface for executing commands.<span onclick=scrollToRef('scite-185') id="scite-ref-185-a" class="scite-citeref-number" data-reference="Fidelis njRAT June 2013">^{<a href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank" data-hasqtip="184" aria-describedby="qtip-184">[185]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0346"> S0346 </a> </td> <td> <a href="/versions/v9/software/S0346"> OceanSalt </a> </td> <td> <p><a href="/versions/v9/software/S0346">OceanSalt</a> can create a reverse shell on the infected endpoint using cmd.exe.<span onclick=scrollToRef('scite-186') id="scite-ref-186-a" class="scite-citeref-number" data-reference="McAfee Oceansalt Oct 2018">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" target="_blank" data-hasqtip="185" aria-describedby="qtip-185">[186]</a>}</span> <a href="/versions/v9/software/S0346">OceanSalt</a> has been executed via malicious macros.<span onclick=scrollToRef('scite-186') id="scite-ref-186-a" class="scite-citeref-number" data-reference="McAfee Oceansalt Oct 2018">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" target="_blank" data-hasqtip="185" aria-describedby="qtip-185">[186]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0049"> G0049 </a> </td> <td> <a href="/versions/v9/groups/G0049"> OilRig </a> </td> <td> <p><a href="/versions/v9/groups/G0049">OilRig</a> has used macros to deliver malware such as <a href="/versions/v9/software/S0269">QUADAGENT</a> and <a href="/versions/v9/software/S0264">OopsIE</a>.<span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" data-reference="FireEye APT34 Dec 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a>}</span><span onclick=scrollToRef('scite-188') id="scite-ref-188-a" class="scite-citeref-number" data-reference="OilRig ISMAgent July 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/" target="_blank" data-hasqtip="187" aria-describedby="qtip-187">[188]</a>}</span><span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" data-reference="Unit 42 OopsIE! Feb 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a>}</span><span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" data-reference="Unit 42 QUADAGENT July 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a>}</span><span onclick=scrollToRef('scite-191') id="scite-ref-191-a" class="scite-citeref-number" data-reference="Unit42 OilRig Nov 2018">^{<a href="https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/" target="_blank" data-hasqtip="190" aria-describedby="qtip-190">[191]</a>}</span> <a href="/versions/v9/groups/G0049">OilRig</a> has used batch scripts.<span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" data-reference="FireEye APT34 Dec 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a>}</span><span onclick=scrollToRef('scite-188') id="scite-ref-188-a" class="scite-citeref-number" data-reference="OilRig ISMAgent July 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/" target="_blank" data-hasqtip="187" aria-describedby="qtip-187">[188]</a>}</span><span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" data-reference="Unit 42 OopsIE! Feb 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a>}</span><span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" data-reference="Unit 42 QUADAGENT July 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a>}</span><span onclick=scrollToRef('scite-191') id="scite-ref-191-a" class="scite-citeref-number" data-reference="Unit42 OilRig Nov 2018">^{<a href="https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/" target="_blank" data-hasqtip="190" aria-describedby="qtip-190">[191]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0439"> S0439 </a> </td> <td> <a href="/versions/v9/software/S0439"> Okrum </a> </td> <td> <p><a href="/versions/v9/software/S0439">Okrum</a>'s backdoor has used cmd.exe to execute arbitrary commands as well as batch scripts to update itself to a newer version.<span onclick=scrollToRef('scite-192') id="scite-ref-192-a" class="scite-citeref-number" data-reference="ESET Okrum July 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="191" aria-describedby="qtip-191">[192]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0264"> S0264 </a> </td> <td> <a href="/versions/v9/software/S0264"> OopsIE </a> </td> <td> <p><a href="/versions/v9/software/S0264">OopsIE</a> uses the command prompt to execute commands on the victim's machine.<span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" data-reference="Unit 42 OopsIE! Feb 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a>}</span><span onclick=scrollToRef('scite-193') id="scite-ref-193-a" class="scite-citeref-number" data-reference="Unit 42 OilRig Sept 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank" data-hasqtip="192" aria-describedby="qtip-192">[193]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0116"> G0116 </a> </td> <td> <a href="/versions/v9/groups/G0116"> Operation Wocao </a> </td> <td> <p><a href="/versions/v9/groups/G0116">Operation Wocao</a> has spawned a new <code>cmd.exe</code> process to execute commands.<span onclick=scrollToRef('scite-194') id="scite-ref-194-a" class="scite-citeref-number" data-reference="FoxIT Wocao December 2019">^{<a href="https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf" target="_blank" data-hasqtip="193" aria-describedby="qtip-193">[194]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0229"> S0229 </a> </td> <td> <a href="/versions/v9/software/S0229"> Orz </a> </td> <td> <p><a href="/versions/v9/software/S0229">Orz</a> can execute shell commands.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" data-reference="Proofpoint Leviathan Oct 2017">^{<a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a>}</span> <a href="/versions/v9/software/S0229">Orz</a> can execute commands with JavaScript.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" data-reference="Proofpoint Leviathan Oct 2017">^{<a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0594"> S0594 </a> </td> <td> <a href="/versions/v9/software/S0594"> Out1 </a> </td> <td> <p><a href="/versions/v9/software/S0594">Out1</a> can use native command line for execution.<span onclick=scrollToRef('scite-195') id="scite-ref-195-a" class="scite-citeref-number" data-reference="Trend Micro Muddy Water March 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" data-hasqtip="194" aria-describedby="qtip-194">[195]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0040"> G0040 </a> </td> <td> <a href="/versions/v9/groups/G0040"> Patchwork </a> </td> <td> <p><a href="/versions/v9/groups/G0040">Patchwork</a> ran a reverse shell with Meterpreter.<span onclick=scrollToRef('scite-196') id="scite-ref-196-a" class="scite-citeref-number" data-reference="Cymmetria Patchwork">^{<a href="https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank" data-hasqtip="195" aria-describedby="qtip-195">[196]</a>}</span> <a href="/versions/v9/groups/G0040">Patchwork</a> used JavaScript code and .SCT files on victim machines.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="TrendMicro Patchwork Dec 2017">^{<a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a>}</span><span onclick=scrollToRef('scite-197') id="scite-ref-197-a" class="scite-citeref-number" data-reference="Volexity Patchwork June 2018">^{<a href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank" data-hasqtip="196" aria-describedby="qtip-196">[197]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0158"> S0158 </a> </td> <td> <a href="/versions/v9/software/S0158"> PHOREAL </a> </td> <td> <p><a href="/versions/v9/software/S0158">PHOREAL</a> is capable of creating reverse shell.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" data-reference="FireEye APT32 May 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0124"> S0124 </a> </td> <td> <a href="/versions/v9/software/S0124"> Pisloader </a> </td> <td> <p><a href="/versions/v9/software/S0124">Pisloader</a> uses cmd.exe to set the Registry Run key value. It also has a command to spawn a command shell.<span onclick=scrollToRef('scite-198') id="scite-ref-198-a" class="scite-citeref-number" data-reference="Palo Alto DNS Requests">^{<a href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank" data-hasqtip="197" aria-describedby="qtip-197">[198]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0254"> S0254 </a> </td> <td> <a href="/versions/v9/software/S0254"> PLAINTEE </a> </td> <td> <p><a href="/versions/v9/software/S0254">PLAINTEE</a> uses cmd.exe to execute commands on the victim’s machine.<span onclick=scrollToRef('scite-199') id="scite-ref-199-a" class="scite-citeref-number" data-reference="Rancor Unit42 June 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank" data-hasqtip="198" aria-describedby="qtip-198">[199]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0435"> S0435 </a> </td> <td> <a href="/versions/v9/software/S0435"> PLEAD </a> </td> <td> <p><a href="/versions/v9/software/S0435">PLEAD</a> has the ability to execute shell commands on the compromised host.<span onclick=scrollToRef('scite-200') id="scite-ref-200-a" class="scite-citeref-number" data-reference="JPCert PLEAD Downloader June 2018">^{<a href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank" data-hasqtip="199" aria-describedby="qtip-199">[200]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0013"> S0013 </a> </td> <td> <a href="/versions/v9/software/S0013"> PlugX </a> </td> <td> <p><a href="/versions/v9/software/S0013">PlugX</a> allows actors to spawn a reverse shell on a victim.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" data-reference="Dell TG-3390">^{<a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a>}</span><span onclick=scrollToRef('scite-201') id="scite-ref-201-a" class="scite-citeref-number" data-reference="CIRCL PlugX March 2013">^{<a href="http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf" target="_blank" data-hasqtip="200" aria-describedby="qtip-200">[201]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0428"> S0428 </a> </td> <td> <a href="/versions/v9/software/S0428"> PoetRAT </a> </td> <td> <p><a href="/versions/v9/software/S0428">PoetRAT</a> has called cmd through a Word document macro.<span onclick=scrollToRef('scite-202') id="scite-ref-202-a" class="scite-citeref-number" data-reference="Talos PoetRAT October 2020">^{<a href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank" data-hasqtip="201" aria-describedby="qtip-201">[202]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0012"> S0012 </a> </td> <td> <a href="/versions/v9/software/S0012"> PoisonIvy </a> </td> <td> <p><a href="/versions/v9/software/S0012">PoisonIvy</a> creates a backdoor through which remote attackers can open a command-line interface.<span onclick=scrollToRef('scite-203') id="scite-ref-203-a" class="scite-citeref-number" data-reference="Symantec Darkmoon Aug 2005">^{<a href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank" data-hasqtip="202" aria-describedby="qtip-202">[203]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0453"> S0453 </a> </td> <td> <a href="/versions/v9/software/S0453"> Pony </a> </td> <td> <p><a href="/versions/v9/software/S0453">Pony</a> has used batch scripts to delete itself after execution.<span onclick=scrollToRef('scite-204') id="scite-ref-204-a" class="scite-citeref-number" data-reference="Malwarebytes Pony April 2016">^{<a href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank" data-hasqtip="203" aria-describedby="qtip-203">[204]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0139"> S0139 </a> </td> <td> <a href="/versions/v9/software/S0139"> PowerDuke </a> </td> <td> <p><a href="/versions/v9/software/S0139">PowerDuke</a> runs <code>cmd.exe /c</code> and sends the output to its C2.<span onclick=scrollToRef('scite-205') id="scite-ref-205-a" class="scite-citeref-number" data-reference="Volexity PowerDuke November 2016">^{<a href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank" data-hasqtip="204" aria-describedby="qtip-204">[205]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0184"> S0184 </a> </td> <td> <a href="/versions/v9/software/S0184"> POWRUNER </a> </td> <td> <p><a href="/versions/v9/software/S0184">POWRUNER</a> can execute commands from its C2 server.<span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" data-reference="FireEye APT34 Dec 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0238"> S0238 </a> </td> <td> <a href="/versions/v9/software/S0238"> Proxysvc </a> </td> <td> <p><a href="/versions/v9/software/S0238">Proxysvc</a> executes a binary on the system and logs the results into a temp file by using: <code>cmd.exe /c "<file_path> &gt; %temp%\PM* .tmp 2&gt;&amp;1"</code>.<span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" data-reference="McAfee GhostSecret">^{<a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0147"> S0147 </a> </td> <td> <a href="/versions/v9/software/S0147"> Pteranodon </a> </td> <td> <p><a href="/versions/v9/software/S0147">Pteranodon</a> can execute commands on the victim.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" data-reference="Palo Alto Gamaredon Feb 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0269"> S0269 </a> </td> <td> <a href="/versions/v9/software/S0269"> QUADAGENT </a> </td> <td> <p><a href="/versions/v9/software/S0269">QUADAGENT</a> uses cmd.exe to execute scripts and commands on the victim’s machine.<span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" data-reference="Unit 42 QUADAGENT July 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0262"> S0262 </a> </td> <td> <a href="/versions/v9/software/S0262"> QuasarRAT </a> </td> <td> <p><a href="/versions/v9/software/S0262">QuasarRAT</a> can launch a remote shell to execute commands on the victim’s machine.<span onclick=scrollToRef('scite-206') id="scite-ref-206-a" class="scite-citeref-number" data-reference="GitHub QuasarRAT">^{<a href="https://github.com/quasar/QuasarRAT" target="_blank" data-hasqtip="205" aria-describedby="qtip-205">[206]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0481"> S0481 </a> </td> <td> <a href="/versions/v9/software/S0481"> Ragnar Locker </a> </td> <td> <p><a href="/versions/v9/software/S0481">Ragnar Locker</a> has used cmd.exe and batch scripts to execute commands.<span onclick=scrollToRef('scite-207') id="scite-ref-207-a" class="scite-citeref-number" data-reference="Sophos Ragnar May 2020">^{<a href="https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/" target="_blank" data-hasqtip="206" aria-describedby="qtip-206">[207]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0075"> G0075 </a> </td> <td> <a href="/versions/v9/groups/G0075"> Rancor </a> </td> <td> <p><a href="/versions/v9/groups/G0075">Rancor</a> has used cmd.exe to execute commmands.<span onclick=scrollToRef('scite-199') id="scite-ref-199-a" class="scite-citeref-number" data-reference="Rancor Unit42 June 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank" data-hasqtip="198" aria-describedby="qtip-198">[199]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0241"> S0241 </a> </td> <td> <a href="/versions/v9/software/S0241"> RATANKBA </a> </td> <td> <p><a href="/versions/v9/software/S0241">RATANKBA</a> uses cmd.exe to execute commands.<span onclick=scrollToRef('scite-208') id="scite-ref-208-a" class="scite-citeref-number" data-reference="Lazarus RATANKBA">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" target="_blank" data-hasqtip="207" aria-describedby="qtip-207">[208]</a>}</span><span onclick=scrollToRef('scite-209') id="scite-ref-209-a" class="scite-citeref-number" data-reference="RATANKBA">^{<a href="https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" target="_blank" data-hasqtip="208" aria-describedby="qtip-208">[209]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0495"> S0495 </a> </td> <td> <a href="/versions/v9/software/S0495"> RDAT </a> </td> <td> <p><a href="/versions/v9/software/S0495">RDAT</a> has executed commands using <code>cmd.exe /c</code>.<span onclick=scrollToRef('scite-210') id="scite-ref-210-a" class="scite-citeref-number" data-reference="Unit42 RDAT July 2020">^{<a href="https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" target="_blank" data-hasqtip="209" aria-describedby="qtip-209">[210]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0153"> S0153 </a> </td> <td> <a href="/versions/v9/software/S0153"> RedLeaves </a> </td> <td> <p><a href="/versions/v9/software/S0153">RedLeaves</a> can receive and execute commands with cmd.exe. It can also provide a reverse shell.<span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" data-reference="PWC Cloud Hopper Technical Annex April 2017">^{<a href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a>}</span><span onclick=scrollToRef('scite-211') id="scite-ref-211-a" class="scite-citeref-number" data-reference="FireEye APT10 April 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" target="_blank" data-hasqtip="210" aria-describedby="qtip-210">[211]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0332"> S0332 </a> </td> <td> <a href="/versions/v9/software/S0332"> Remcos </a> </td> <td> <p><a href="/versions/v9/software/S0332">Remcos</a> can launch a remote command line to execute commands on the victim’s machine.<span onclick=scrollToRef('scite-212') id="scite-ref-212-a" class="scite-citeref-number" data-reference="Fortinet Remcos Feb 2017">^{<a href="https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html" target="_blank" data-hasqtip="211" aria-describedby="qtip-211">[212]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0375"> S0375 </a> </td> <td> <a href="/versions/v9/software/S0375"> Remexi </a> </td> <td> <p><a href="/versions/v9/software/S0375">Remexi</a> silently executes received commands with cmd.exe.<span onclick=scrollToRef('scite-213') id="scite-ref-213-a" class="scite-citeref-number" data-reference="Securelist Remexi Jan 2019">^{<a href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank" data-hasqtip="212" aria-describedby="qtip-212">[213]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0379"> S0379 </a> </td> <td> <a href="/versions/v9/software/S0379"> Revenge RAT </a> </td> <td> <p><a href="/versions/v9/software/S0379">Revenge RAT</a> uses cmd.exe to execute commands and run scripts on the victim's machine.<span onclick=scrollToRef('scite-214') id="scite-ref-214-a" class="scite-citeref-number" data-reference="Cofense RevengeRAT Feb 2019">^{<a href="https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/" target="_blank" data-hasqtip="213" aria-describedby="qtip-213">[214]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0496"> S0496 </a> </td> <td> <a href="/versions/v9/software/S0496"> REvil </a> </td> <td> <p><a href="/versions/v9/software/S0496">REvil</a> can use the Windows command line to delete volume shadow copies and disable recovery.<span onclick=scrollToRef('scite-215') id="scite-ref-215-a" class="scite-citeref-number" data-reference="Cylance Sodinokibi July 2019">^{<a href="https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html" target="_blank" data-hasqtip="214" aria-describedby="qtip-214">[215]</a>}</span><span onclick=scrollToRef('scite-216') id="scite-ref-216-a" class="scite-citeref-number" data-reference="Talos Sodinokibi April 2019">^{<a href="https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" target="_blank" data-hasqtip="215" aria-describedby="qtip-215">[216]</a>}</span><span onclick=scrollToRef('scite-217') id="scite-ref-217-a" class="scite-citeref-number" data-reference="Picus Sodinokibi January 2020">^{<a href="https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" target="_blank" data-hasqtip="216" aria-describedby="qtip-216">[217]</a>}</span><span onclick=scrollToRef('scite-218') id="scite-ref-218-a" class="scite-citeref-number" data-reference="Secureworks REvil September 2019">^{<a href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank" data-hasqtip="217" aria-describedby="qtip-217">[218]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0258"> S0258 </a> </td> <td> <a href="/versions/v9/software/S0258"> RGDoor </a> </td> <td> <p><a href="/versions/v9/software/S0258">RGDoor</a> uses cmd.exe to execute commands on the victim’s machine.<span onclick=scrollToRef('scite-219') id="scite-ref-219-a" class="scite-citeref-number" data-reference="Unit 42 RGDoor Jan 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" target="_blank" data-hasqtip="218" aria-describedby="qtip-218">[219]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0448"> S0448 </a> </td> <td> <a href="/versions/v9/software/S0448"> Rising Sun </a> </td> <td> <p><a href="/versions/v9/software/S0448">Rising Sun</a> executed commands using cmd.exe.<span onclick=scrollToRef('scite-220') id="scite-ref-220-a" class="scite-citeref-number" data-reference="McAfee Sharpshooter December 2018">^{<a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank" data-hasqtip="219" aria-describedby="qtip-219">[220]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0400"> S0400 </a> </td> <td> <a href="/versions/v9/software/S0400"> RobbinHood </a> </td> <td> <p><a href="/versions/v9/software/S0400">RobbinHood</a> uses cmd.exe on the victim's computer.<span onclick=scrollToRef('scite-221') id="scite-ref-221-a" class="scite-citeref-number" data-reference="CarbonBlack RobbinHood May 2019">^{<a href="https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/" target="_blank" data-hasqtip="220" aria-describedby="qtip-220">[221]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0270"> S0270 </a> </td> <td> <a href="/versions/v9/software/S0270"> RogueRobin </a> </td> <td> <p><a href="/versions/v9/software/S0270">RogueRobin</a> uses Windows Script Components.<span onclick=scrollToRef('scite-222') id="scite-ref-222-a" class="scite-citeref-number" data-reference="Unit42 DarkHydrus Jan 2019">^{<a href="https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" target="_blank" data-hasqtip="221" aria-describedby="qtip-221">[222]</a>}</span><span onclick=scrollToRef('scite-223') id="scite-ref-223-a" class="scite-citeref-number" data-reference="Unit 42 DarkHydrus July 2018">^{<a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank" data-hasqtip="222" aria-describedby="qtip-222">[223]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0148"> S0148 </a> </td> <td> <a href="/versions/v9/software/S0148"> RTM </a> </td> <td> <p><a href="/versions/v9/software/S0148">RTM</a> uses the command line and rundll32.exe to execute.<span onclick=scrollToRef('scite-224') id="scite-ref-224-a" class="scite-citeref-number" data-reference="ESET RTM Feb 2017">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank" data-hasqtip="223" aria-describedby="qtip-223">[224]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0253"> S0253 </a> </td> <td> <a href="/versions/v9/software/S0253"> RunningRAT </a> </td> <td> <p><a href="/versions/v9/software/S0253">RunningRAT</a> uses a batch file to kill a security program task and then attempts to remove itself.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" data-reference="McAfee Gold Dragon">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0446"> S0446 </a> </td> <td> <a href="/versions/v9/software/S0446"> Ryuk </a> </td> <td> <p><a href="/versions/v9/software/S0446">Ryuk</a> has used <code>cmd.exe</code> to create a Registry entry to establish persistence.<span onclick=scrollToRef('scite-225') id="scite-ref-225-a" class="scite-citeref-number" data-reference="CrowdStrike Ryuk January 2019">^{<a href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank" data-hasqtip="224" aria-describedby="qtip-224">[225]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0074"> S0074 </a> </td> <td> <a href="/versions/v9/software/S0074"> Sakula </a> </td> <td> <p><a href="/versions/v9/software/S0074">Sakula</a> calls cmd.exe to run various DLL files via rundll32 and also to perform file cleanup. <a href="/versions/v9/software/S0074">Sakula</a> also has the capability to invoke a reverse shell.<span onclick=scrollToRef('scite-226') id="scite-ref-226-a" class="scite-citeref-number" data-reference="Dell Sakula">^{<a href="http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/" target="_blank" data-hasqtip="225" aria-describedby="qtip-225">[226]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0370"> S0370 </a> </td> <td> <a href="/versions/v9/software/S0370"> SamSam </a> </td> <td> <p><a href="/versions/v9/software/S0370">SamSam</a> uses custom batch scripts to execute some of its components.<span onclick=scrollToRef('scite-227') id="scite-ref-227-a" class="scite-citeref-number" data-reference="Sophos SamSam Apr 2018">^{<a href="https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf" target="_blank" data-hasqtip="226" aria-describedby="qtip-226">[227]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0461"> S0461 </a> </td> <td> <a href="/versions/v9/software/S0461"> SDBbot </a> </td> <td> <p><a href="/versions/v9/software/S0461">SDBbot</a> has the ability to use the command shell to execute commands on a compromised host.<span onclick=scrollToRef('scite-228') id="scite-ref-228-a" class="scite-citeref-number" data-reference="Proofpoint TA505 October 2019">^{<a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" data-hasqtip="227" aria-describedby="qtip-227">[228]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0053"> S0053 </a> </td> <td> <a href="/versions/v9/software/S0053"> SeaDuke </a> </td> <td> <p><a href="/versions/v9/software/S0053">SeaDuke</a> is capable of executing commands.<span onclick=scrollToRef('scite-229') id="scite-ref-229-a" class="scite-citeref-number" data-reference="Unit 42 SeaDuke 2015">^{<a href="http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/" target="_blank" data-hasqtip="228" aria-describedby="qtip-228">[229]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0345"> S0345 </a> </td> <td> <a href="/versions/v9/software/S0345"> Seasalt </a> </td> <td> <p><a href="/versions/v9/software/S0345">Seasalt</a> uses cmd.exe to create a reverse shell on the infected endpoint.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="Mandiant APT1 Appendix">^{<a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0185"> S0185 </a> </td> <td> <a href="/versions/v9/software/S0185"> SEASHARPEE </a> </td> <td> <p><a href="/versions/v9/software/S0185">SEASHARPEE</a> can execute commands on victims.<span onclick=scrollToRef('scite-230') id="scite-ref-230-a" class="scite-citeref-number" data-reference="FireEye APT34 Webinar Dec 2017">^{<a href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank" data-hasqtip="229" aria-describedby="qtip-229">[230]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0382"> S0382 </a> </td> <td> <a href="/versions/v9/software/S0382"> ServHelper </a> </td> <td> <p><a href="/versions/v9/software/S0382">ServHelper</a> can execute shell commands against <a href="/versions/v9/software/S0106">cmd</a>.<span onclick=scrollToRef('scite-231') id="scite-ref-231-a" class="scite-citeref-number" data-reference="Proofpoint TA505 Jan 2019">^{<a href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank" data-hasqtip="230" aria-describedby="qtip-230">[231]</a>}</span><span onclick=scrollToRef('scite-232') id="scite-ref-232-a" class="scite-citeref-number" data-reference="Deep Instinct TA505 Apr 2019">^{<a href="https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/" target="_blank" data-hasqtip="231" aria-describedby="qtip-231">[232]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0546"> S0546 </a> </td> <td> <a href="/versions/v9/software/S0546"> SharpStage </a> </td> <td> <p><a href="/versions/v9/software/S0546">SharpStage</a> can execute arbitrary commands with the command line.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" data-reference="Cybereason Molerats Dec 2020">^{<a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a>}</span><span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" data-reference="BleepingComputer Molerats Dec 2020">^{<a href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0444"> S0444 </a> </td> <td> <a href="/versions/v9/software/S0444"> ShimRat </a> </td> <td> <p><a href="/versions/v9/software/S0444">ShimRat</a> can be issued a command shell function from the C2.<span onclick=scrollToRef('scite-233') id="scite-ref-233-a" class="scite-citeref-number" data-reference="FOX-IT May 2016 Mofang">^{<a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="232" aria-describedby="qtip-232">[233]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0091"> G0091 </a> </td> <td> <a href="/versions/v9/groups/G0091"> Silence </a> </td> <td> <p><a href="/versions/v9/groups/G0091">Silence</a> has used Windows command-line to run commands.<span onclick=scrollToRef('scite-234') id="scite-ref-234-a" class="scite-citeref-number" data-reference="Cyber Forensicator Silence Jan 2019">^{<a href="https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/" target="_blank" data-hasqtip="233" aria-describedby="qtip-233">[234]</a>}</span><span onclick=scrollToRef('scite-235') id="scite-ref-235-a" class="scite-citeref-number" data-reference="SecureList Silence Nov 2017">^{<a href="https://securelist.com/the-silence/83009/" target="_blank" data-hasqtip="234" aria-describedby="qtip-234">[235]</a>}</span><span onclick=scrollToRef('scite-236') id="scite-ref-236-a" class="scite-citeref-number" data-reference="Group IB Silence Sept 2018">^{<a href="https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf" target="_blank" data-hasqtip="235" aria-describedby="qtip-235">[236]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0533"> S0533 </a> </td> <td> <a href="/versions/v9/software/S0533"> SLOTHFULMEDIA </a> </td> <td> <p><a href="/versions/v9/software/S0533">SLOTHFULMEDIA</a> can open a command line to execute commands.<span onclick=scrollToRef('scite-237') id="scite-ref-237-a" class="scite-citeref-number" data-reference="CISA MAR SLOTHFULMEDIA October 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank" data-hasqtip="236" aria-describedby="qtip-236">[237]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0159"> S0159 </a> </td> <td> <a href="/versions/v9/software/S0159"> SNUGRIDE </a> </td> <td> <p><a href="/versions/v9/software/S0159">SNUGRIDE</a> is capable of executing commands and spawning a reverse shell.<span onclick=scrollToRef('scite-211') id="scite-ref-211-a" class="scite-citeref-number" data-reference="FireEye APT10 April 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" target="_blank" data-hasqtip="210" aria-describedby="qtip-210">[211]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0054"> G0054 </a> </td> <td> <a href="/versions/v9/groups/G0054"> Sowbug </a> </td> <td> <p><a href="/versions/v9/groups/G0054">Sowbug</a> has used command line during its intrusions.<span onclick=scrollToRef('scite-238') id="scite-ref-238-a" class="scite-citeref-number" data-reference="Symantec Sowbug Nov 2017">^{<a href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank" data-hasqtip="237" aria-describedby="qtip-237">[238]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0543"> S0543 </a> </td> <td> <a href="/versions/v9/software/S0543"> Spark </a> </td> <td> <p><a href="/versions/v9/software/S0543">Spark</a> can use cmd.exe to run commands.<span onclick=scrollToRef('scite-239') id="scite-ref-239-a" class="scite-citeref-number" data-reference="Unit42 Molerat Mar 2020">^{<a href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank" data-hasqtip="238" aria-describedby="qtip-238">[239]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0390"> S0390 </a> </td> <td> <a href="/versions/v9/software/S0390"> SQLRat </a> </td> <td> <p><a href="/versions/v9/software/S0390">SQLRat</a> has used SQL to execute JavaScript and VB scripts on the host system.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" data-reference="Flashpoint FIN 7 March 2019">^{<a href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0142"> S0142 </a> </td> <td> <a href="/versions/v9/software/S0142"> StreamEx </a> </td> <td> <p><a href="/versions/v9/software/S0142">StreamEx</a> has the ability to remotely execute commands.<span onclick=scrollToRef('scite-240') id="scite-ref-240-a" class="scite-citeref-number" data-reference="Cylance Shell Crew Feb 2017">^{<a href="https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" target="_blank" data-hasqtip="239" aria-describedby="qtip-239">[240]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0039"> G0039 </a> </td> <td> <a href="/versions/v9/groups/G0039"> Suckfly </a> </td> <td> <p>Several tools used by <a href="/versions/v9/groups/G0039">Suckfly</a> have been command-line driven.<span onclick=scrollToRef('scite-241') id="scite-ref-241-a" class="scite-citeref-number" data-reference="Symantec Suckfly May 2016">^{<a href="http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" target="_blank" data-hasqtip="240" aria-describedby="qtip-240">[241]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0464"> S0464 </a> </td> <td> <a href="/versions/v9/software/S0464"> SYSCON </a> </td> <td> <p><a href="/versions/v9/software/S0464">SYSCON</a> has the ability to execute commands through <a href="/versions/v9/software/S0106">cmd</a> on a compromised host.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" data-reference="Unit 42 CARROTBAT January 2020">^{<a href="https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0092"> G0092 </a> </td> <td> <a href="/versions/v9/groups/G0092"> TA505 </a> </td> <td> <p><a href="/versions/v9/groups/G0092">TA505</a> has executed commands using <code>cmd.exe</code>.<span onclick=scrollToRef('scite-242') id="scite-ref-242-a" class="scite-citeref-number" data-reference="Trend Micro TA505 June 2019">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/" target="_blank" data-hasqtip="241" aria-describedby="qtip-241">[242]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0127"> G0127 </a> </td> <td> <a href="/versions/v9/groups/G0127"> TA551 </a> </td> <td> <p><a href="/versions/v9/groups/G0127">TA551</a> has used <code>cmd.exe</code> to execute commands.<span onclick=scrollToRef('scite-243') id="scite-ref-243-a" class="scite-citeref-number" data-reference="Unit 42 TA551 Jan 2021">^{<a href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/" target="_blank" data-hasqtip="242" aria-describedby="qtip-242">[243]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0586"> S0586 </a> </td> <td> <a href="/versions/v9/software/S0586"> TAINTEDSCRIBE </a> </td> <td> <p><a href="/versions/v9/software/S0586">TAINTEDSCRIBE</a> can enable Windows CLI access and execute files.<span onclick=scrollToRef('scite-244') id="scite-ref-244-a" class="scite-citeref-number" data-reference="CISA MAR-10288834-2.v1 TAINTEDSCRIBE MAY 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank" data-hasqtip="243" aria-describedby="qtip-243">[244]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0164"> S0164 </a> </td> <td> <a href="/versions/v9/software/S0164"> TDTESS </a> </td> <td> <p><a href="/versions/v9/software/S0164">TDTESS</a> provides a reverse shell on the victim.<span onclick=scrollToRef('scite-245') id="scite-ref-245-a" class="scite-citeref-number" data-reference="ClearSky Wilted Tulip July 2017">^{<a href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank" data-hasqtip="244" aria-describedby="qtip-244">[245]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0146"> S0146 </a> </td> <td> <a href="/versions/v9/software/S0146"> TEXTMATE </a> </td> <td> <p><a href="/versions/v9/software/S0146">TEXTMATE</a> executes cmd.exe to provide a reverse shell to adversaries.<span onclick=scrollToRef('scite-246') id="scite-ref-246-a" class="scite-citeref-number" data-reference="FireEye FIN7 March 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" target="_blank" data-hasqtip="245" aria-describedby="qtip-245">[246]</a>}</span><span onclick=scrollToRef('scite-247') id="scite-ref-247-a" class="scite-citeref-number" data-reference="Cisco DNSMessenger March 2017">^{<a href="http://blog.talosintelligence.com/2017/03/dnsmessenger.html" target="_blank" data-hasqtip="246" aria-describedby="qtip-246">[247]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0028"> G0028 </a> </td> <td> <a href="/versions/v9/groups/G0028"> Threat Group-1314 </a> </td> <td> <p><a href="/versions/v9/groups/G0028">Threat Group-1314</a> actors spawned shells on remote systems on a victim network to execute commands.<span onclick=scrollToRef('scite-248') id="scite-ref-248-a" class="scite-citeref-number" data-reference="Dell TG-1314">^{<a href="http://www.secureworks.com/resources/blog/living-off-the-land/" target="_blank" data-hasqtip="247" aria-describedby="qtip-247">[248]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0027"> G0027 </a> </td> <td> <a href="/versions/v9/groups/G0027"> Threat Group-3390 </a> </td> <td> <p><a href="/versions/v9/groups/G0027">Threat Group-3390</a> has used command-line interfaces for execution.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" data-reference="SecureWorks BRONZE UNION June 2017">^{<a href="https://www.secureworks.com/research/bronze-union" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span><span onclick=scrollToRef('scite-249') id="scite-ref-249-a" class="scite-citeref-number" data-reference="Unit42 Emissary Panda May 2019">^{<a href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" target="_blank" data-hasqtip="248" aria-describedby="qtip-248">[249]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0004"> S0004 </a> </td> <td> <a href="/versions/v9/software/S0004"> TinyZBot </a> </td> <td> <p><a href="/versions/v9/software/S0004">TinyZBot</a> supports execution from the command-line.<span onclick=scrollToRef('scite-250') id="scite-ref-250-a" class="scite-citeref-number" data-reference="Cylance Cleaver">^{<a href="https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" target="_blank" data-hasqtip="249" aria-describedby="qtip-249">[250]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0266"> S0266 </a> </td> <td> <a href="/versions/v9/software/S0266"> TrickBot </a> </td> <td> <p><a href="/versions/v9/software/S0266">TrickBot</a> has used macros in Excel documents to download and deploy the malware on the user’s machine.<span onclick=scrollToRef('scite-251') id="scite-ref-251-a" class="scite-citeref-number" data-reference="TrendMicro Trickbot Feb 2019">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/" target="_blank" data-hasqtip="250" aria-describedby="qtip-250">[251]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0094"> S0094 </a> </td> <td> <a href="/versions/v9/software/S0094"> Trojan.Karagany </a> </td> <td> <p><a href="/versions/v9/software/S0094">Trojan.Karagany</a> can perform reconnaissance commands on a victim machine via a cmd.exe process.<span onclick=scrollToRef('scite-252') id="scite-ref-252-a" class="scite-citeref-number" data-reference="Secureworks Karagany July 2019">^{<a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="251" aria-describedby="qtip-251">[252]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0081"> G0081 </a> </td> <td> <a href="/versions/v9/groups/G0081"> Tropic Trooper </a> </td> <td> <p><a href="/versions/v9/groups/G0081">Tropic Trooper</a> has used Windows command scripts.<span onclick=scrollToRef('scite-253') id="scite-ref-253-a" class="scite-citeref-number" data-reference="TrendMicro Tropic Trooper May 2020">^{<a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" data-hasqtip="252" aria-describedby="qtip-252">[253]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0436"> S0436 </a> </td> <td> <a href="/versions/v9/software/S0436"> TSCookie </a> </td> <td> <p><a href="/versions/v9/software/S0436">TSCookie</a> has the ability to execute shell commands on the infected host.<span onclick=scrollToRef('scite-254') id="scite-ref-254-a" class="scite-citeref-number" data-reference="JPCert TSCookie March 2018">^{<a href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank" data-hasqtip="253" aria-describedby="qtip-253">[254]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0010"> G0010 </a> </td> <td> <a href="/versions/v9/groups/G0010"> Turla </a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> RPC backdoors have used cmd.exe to execute commands.<span onclick=scrollToRef('scite-255') id="scite-ref-255-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019">^{<a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="254" aria-describedby="qtip-254">[255]</a>}</span><span onclick=scrollToRef('scite-256') id="scite-ref-256-a" class="scite-citeref-number" data-reference="Symantec Waterbug Jun 2019">^{<a href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank" data-hasqtip="255" aria-describedby="qtip-255">[256]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0199"> S0199 </a> </td> <td> <a href="/versions/v9/software/S0199"> TURNEDUP </a> </td> <td> <p><a href="/versions/v9/software/S0199">TURNEDUP</a> is capable of creating a reverse shell.<span onclick=scrollToRef('scite-257') id="scite-ref-257-a" class="scite-citeref-number" data-reference="FireEye APT33 Sept 2017">^{<a href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank" data-hasqtip="256" aria-describedby="qtip-256">[257]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0263"> S0263 </a> </td> <td> <a href="/versions/v9/software/S0263"> TYPEFRAME </a> </td> <td> <p><a href="/versions/v9/software/S0263">TYPEFRAME</a> can uninstall malware components using a batch script.<span onclick=scrollToRef('scite-258') id="scite-ref-258-a" class="scite-citeref-number" data-reference="US-CERT TYPEFRAME June 2018">^{<a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank" data-hasqtip="257" aria-describedby="qtip-257">[258]</a>}</span> <a href="/versions/v9/software/S0263">TYPEFRAME</a> can execute commands using a shell.<span onclick=scrollToRef('scite-258') id="scite-ref-258-a" class="scite-citeref-number" data-reference="US-CERT TYPEFRAME June 2018">^{<a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank" data-hasqtip="257" aria-describedby="qtip-257">[258]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0333"> S0333 </a> </td> <td> <a href="/versions/v9/software/S0333"> UBoatRAT </a> </td> <td> <p><a href="/versions/v9/software/S0333">UBoatRAT</a> can start a command shell.<span onclick=scrollToRef('scite-259') id="scite-ref-259-a" class="scite-citeref-number" data-reference="PaloAlto UBoatRAT Nov 2017">^{<a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" target="_blank" data-hasqtip="258" aria-describedby="qtip-258">[259]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0221"> S0221 </a> </td> <td> <a href="/versions/v9/software/S0221"> Umbreon </a> </td> <td> <p><a href="/versions/v9/software/S0221">Umbreon</a> provides access using both standard facilities like SSH and additional access using its backdoor Espeon, providing a reverse shell upon receipt of a special packet<span onclick=scrollToRef('scite-260') id="scite-ref-260-a" class="scite-citeref-number" data-reference="Umbreon Trend Micro">^{<a href="https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046" target="_blank" data-hasqtip="259" aria-describedby="qtip-259">[260]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0275"> S0275 </a> </td> <td> <a href="/versions/v9/software/S0275"> UPPERCUT </a> </td> <td> <p><a href="/versions/v9/software/S0275">UPPERCUT</a> uses cmd.exe to execute commands on the victim’s machine.<span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" data-reference="FireEye APT10 Sept 2018">^{<a href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0452"> S0452 </a> </td> <td> <a href="/versions/v9/software/S0452"> USBferry </a> </td> <td> <p><a href="/versions/v9/software/S0452">USBferry</a> can execute various Windows commands.<span onclick=scrollToRef('scite-253') id="scite-ref-253-a" class="scite-citeref-number" data-reference="TrendMicro Tropic Trooper May 2020">^{<a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" data-hasqtip="252" aria-describedby="qtip-252">[253]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0180"> S0180 </a> </td> <td> <a href="/versions/v9/software/S0180"> Volgmer </a> </td> <td> <p><a href="/versions/v9/software/S0180">Volgmer</a> can execute commands on the victim's machine.<span onclick=scrollToRef('scite-261') id="scite-ref-261-a" class="scite-citeref-number" data-reference="US-CERT Volgmer Nov 2017">^{<a href="https://www.us-cert.gov/ncas/alerts/TA17-318B" target="_blank" data-hasqtip="260" aria-describedby="qtip-260">[261]</a>}</span><span onclick=scrollToRef('scite-262') id="scite-ref-262-a" class="scite-citeref-number" data-reference="US-CERT Volgmer 2 Nov 2017">^{<a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" target="_blank" data-hasqtip="261" aria-describedby="qtip-261">[262]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0109"> S0109 </a> </td> <td> <a href="/versions/v9/software/S0109"> WEBC2 </a> </td> <td> <p><a href="/versions/v9/software/S0109">WEBC2</a> can open an interactive command shell.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="Mandiant APT1">^{<a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0514"> S0514 </a> </td> <td> <a href="/versions/v9/software/S0514"> WellMess </a> </td> <td> <p><a href="/versions/v9/software/S0514">WellMess</a> can execute command line scripts received from C2.<span onclick=scrollToRef('scite-263') id="scite-ref-263-a" class="scite-citeref-number" data-reference="PWC WellMess July 2020">^{<a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" data-hasqtip="262" aria-describedby="qtip-262">[263]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0206"> S0206 </a> </td> <td> <a href="/versions/v9/software/S0206"> Wiarp </a> </td> <td> <p><a href="/versions/v9/software/S0206">Wiarp</a> creates a backdoor through which remote attackers can open a command line interface.<span onclick=scrollToRef('scite-264') id="scite-ref-264-a" class="scite-citeref-number" data-reference="Symantec Wiarp May 2012">^{<a href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99" target="_blank" data-hasqtip="263" aria-describedby="qtip-263">[264]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0102"> G0102 </a> </td> <td> <a href="/versions/v9/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/versions/v9/groups/G0102">Wizard Spider</a> has used cmd.exe to execute commands on a victim's machine.<span onclick=scrollToRef('scite-265') id="scite-ref-265-a" class="scite-citeref-number" data-reference="DFIR Ryuk's Return October 2020">^{<a href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank" data-hasqtip="264" aria-describedby="qtip-264">[265]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0117"> S0117 </a> </td> <td> <a href="/versions/v9/software/S0117"> XTunnel </a> </td> <td> <p><a href="/versions/v9/software/S0117">XTunnel</a> has been used to execute remote commands.<span onclick=scrollToRef('scite-266') id="scite-ref-266-a" class="scite-citeref-number" data-reference="Crowdstrike DNC June 2016">^{<a href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank" data-hasqtip="265" aria-describedby="qtip-265">[266]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0251"> S0251 </a> </td> <td> <a href="/versions/v9/software/S0251"> Zebrocy </a> </td> <td> <p><a href="/versions/v9/software/S0251">Zebrocy</a> uses cmd.exe to execute commands on the system.<span onclick=scrollToRef('scite-267') id="scite-ref-267-a" class="scite-citeref-number" data-reference="ESET Zebrocy May 2019">^{<a href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank" data-hasqtip="266" aria-describedby="qtip-266">[267]</a>}</span><span onclick=scrollToRef('scite-268') id="scite-ref-268-a" class="scite-citeref-number" data-reference="CISA Zebrocy Oct 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b" target="_blank" data-hasqtip="267" aria-describedby="qtip-267">[268]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0330"> S0330 </a> </td> <td> <a href="/versions/v9/software/S0330"> Zeus Panda </a> </td> <td> <p><a href="/versions/v9/software/S0330">Zeus Panda</a> can launch an interface where it can execute several commands on the victim’s PC.<span onclick=scrollToRef('scite-269') id="scite-ref-269-a" class="scite-citeref-number" data-reference="GDATA Zeus Panda June 2017">^{<a href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank" data-hasqtip="268" aria-describedby="qtip-268">[269]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0128"> G0128 </a> </td> <td> <a href="/versions/v9/groups/G0128"> ZIRCONIUM </a> </td> <td> <p><a href="/versions/v9/groups/G0128">ZIRCONIUM</a> has used a tool to open a Windows Command Shell on a remote host.<span onclick=scrollToRef('scite-270') id="scite-ref-270-a" class="scite-citeref-number" data-reference="Zscaler APT31 Covid-19 October 2020">^{<a href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank" data-hasqtip="269" aria-describedby="qtip-269">[270]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0086"> S0086 </a> </td> <td> <a href="/versions/v9/software/S0086"> ZLib </a> </td> <td> <p><a href="/versions/v9/software/S0086">ZLib</a> has the ability to execute shell commands.<span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" data-reference="Cylance Dust Storm">^{<a href="https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0350"> S0350 </a> </td> <td> <a href="/versions/v9/software/S0350"> zwShell </a> </td> <td> <p><a href="/versions/v9/software/S0350">zwShell</a> can launch command-line shells.<span onclick=scrollToRef('scite-271') id="scite-ref-271-a" class="scite-citeref-number" data-reference="McAfee Night Dragon">^{<a href="https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" target="_blank" data-hasqtip="270" aria-describedby="qtip-270">[271]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0412"> S0412 </a> </td> <td> <a href="/versions/v9/software/S0412"> ZxShell </a> </td> <td> <p><a href="/versions/v9/software/S0412">ZxShell</a> can launch a reverse command shell.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="FireEye APT41 Aug 2019">^{<a href="https://content.fireeye.com/apt-41/rpt-apt41" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a>}</span><span onclick=scrollToRef('scite-272') id="scite-ref-272-a" class="scite-citeref-number" data-reference="Talos ZxShell Oct 2014 ">^{<a href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank" data-hasqtip="271" aria-describedby="qtip-271">[272]</a>}</span><span onclick=scrollToRef('scite-273') id="scite-ref-273-a" class="scite-citeref-number" data-reference="Secureworks BRONZEUNION Feb 2019">^{<a href="https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox" target="_blank" data-hasqtip="272" aria-describedby="qtip-272">[273]</a>}</span></p> </td> </tr> </tbody> </table> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/mitigations/M1038"> M1038 </a> </td> <td> <a href="/versions/v9/mitigations/M1038"> Execution Prevention </a> </td> <td> <p>Use application control where appropriate.</p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="detection">Detection</h2> <div> <p>Usage of the Windows command shell may be common on administrator, developer, or power user systems depending on job function. If scripting is restricted for normal users, then any attempt to enable scripts running on a system would be considered suspicious. If scripts are not commonly used on a system, but enabled, scripts running out of cycle from patching or other administrator functions are suspicious. Scripts should be captured from the file system when possible to determine their actions and intent.</p><p>Scripts are likely to perform actions with various effects on a system that may generate events, depending on the types of monitoring used. Monitor processes and command-line arguments for script execution and subsequent behavior. Actions may be related to network and system information Discovery, Collection, or other scriptable post-compromise behaviors and could be used as indicators of detection leading back to the source script.</p> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" target="_blank"> Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank"> Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank"> Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank"> FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank"> Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank"> Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.anomali.com/blog/evasive-maneuvers-the-wekby-group-attempts-to-evade-analysis-via-custom-rop" target="_blank"> Shelmire, A. (2015, July 06). Evasive Maneuvers by the Wekby group with custom ROP-packing and DNS covert channels. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://pan-unit42.github.io/playbook_viewer/" target="_blank"> Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank"> Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank"> Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank"> Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.trendmicro.com/en_us/research/20/l/pawn-storm-lack-of-sophistication-as-a-strategy.html" target="_blank"> Hacquebord, F., Remorin, L. (2020, December 17). Pawn Storm’s Lack of Sophistication as a Strategy. Retrieved January 13, 2021. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank"> Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank"> MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html" target="_blank"> Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank"> Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt_APT37.pdf" target="_blank"> FireEye. (2018, February 20). APT37 (Reaper): The Overlooked North Korean Actor. Retrieved March 1, 2018. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://content.fireeye.com/apt/rpt-apt38" target="_blank"> FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://content.fireeye.com/apt-41/rpt-apt41" target="_blank"> Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" target="_blank"> Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank"> Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" target="_blank"> Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://unit42.paloaltonetworks.com/new-babyshark-malware-targets-u-s-national-security-think-tanks/" target="_blank"> Unit 42. (2019, February 22). New BabyShark Malware Targets U.S. National Security Think Tanks. Retrieved October 7, 2019. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank"> Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank"> FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank"> Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank"> Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.eff.org/files/2016/08/03/i-got-a-letter-from-the-government.pdf" target="_blank"> Galperin, E., Et al.. (2016, August). I Got a Letter From the Government the Other Day.... Retrieved April 25, 2018. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank"> Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. Retrieved May 18, 2018. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF" target="_blank"> US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.zscaler.com/blogs/research/spear-phishing-campaign-delivers-buer-and-bazar-malware" target="_blank"> Sadique, M. and Singh, A. (2020, September 29). Spear Phishing Campaign Delivers Buer and Bazar Malware. Retrieved November 19, 2020. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" target="_blank"> Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank"> Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www2.fireeye.com/rs/fireye/images/APT17_Report.pdf" target="_blank"> FireEye Labs/FireEye Threat Intelligence. (2015, May 14). Hiding in Plain Sight: FireEye and Microsoft Expose Obfuscation Tactic. Retrieved January 22, 2016. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.microsoft.com/security/blog/2019/12/12/gallium-targeting-global-telecom/" target="_blank"> MSTIC. (2019, December 12). GALLIUM: Targeting global telecom. Retrieved January 13, 2021. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank"> US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank"> Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" target="_blank"> Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank"> Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" target="_blank"> Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank"> Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" target="_blank"> McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank"> ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.secureworks.com/research/bronze-union" target="_blank"> Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://www.fireeye.com/blog/threat-research/2013/08/breaking-down-the-china-chopper-web-shell-part-i.html" target="_blank"> Lee, T., Hanzlik, D., Ahl, I. (2013, August 7). Breaking Down the China Chopper Web Shell - Part I. Retrieved March 27, 2015. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.ncsc.gov.uk/report/joint-report-on-publicly-available-hacking-tools" target="_blank"> The Australian Cyber Security Centre (ACSC), the Canadian Centre for Cyber Security (CCCS), the New Zealand National Cyber Security Centre (NZ NCSC), CERT New Zealand, the UK National Cyber Security Centre (UK NCSC) and the US National Cybersecurity and Communications Integration Center (NCCIC). (2018, October 11). Joint report on publicly available hacking tools. Retrieved March 11, 2019. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://technet.microsoft.com/en-us/library/bb490880.aspx" target="_blank"> Microsoft. (n.d.). Cmd. Retrieved April 18, 2016. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://blog.morphisec.com/cobalt-gang-2.0" target="_blank"> Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank"> Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://www.ptsecurity.com/upload/corporate/ww-en/analytics/Cobalt-2017-eng.pdf" target="_blank"> Positive Technologies. (2017, August 16). Cobalt Strikes Back: An Evolving Multinational Threat to Finance. Retrieved September 5, 2018. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.group-ib.com/blog/cobalt" target="_blank"> Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-new-techniques-uncover-attribute-cobalt-gang-commodity-builders-infrastructure-revealed/" target="_blank"> Unit 42. (2018, October 25). New Techniques to Uncover and Attribute Financial actors Commodity Builders and Infrastructure Revealed. Retrieved December 11, 2018. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://blog.trendmicro.com/trendlabs-security-intelligence/cobalt-spam-runs-use-macros-cve-2017-8759-exploit/" target="_blank"> Giagone, R., Bermejo, L., and Yarochkin, F. (2017, November 20). Cobalt Strikes Again: Spam Runs Use Macros and CVE-2017-8759 Exploit Against Russian Banks. Retrieved March 7, 2019. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf" target="_blank"> Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href=" https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf" target="_blank"> Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www.zscaler.com/blogs/research/cobian-rat-backdoored-rat" target="_blank"> Yadav, A., et al. (2017, August 31). Cobian RAT – A backdoored RAT. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" target="_blank"> Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" target="_blank"> Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank"> Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank"> Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163418/CozyDuke.pdf" target="_blank"> F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" target="_blank"> Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://blog.malwarebytes.com/threat-analysis/2012/06/you-dirty-rat-part-1-darkcomet/" target="_blank"> Kujawa, A. (2018, March 27). You dirty RAT! Part 1: DarkComet. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://securelist.com/darkhotels-attacks-in-2015/71713/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" target="_blank"> Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-sofacy-uses-dealerschoice-target-european-government-agency/" target="_blank"> Falcone, R. (2018, March 15). Sofacy Uses DealersChoice to Target European Government Agency. Retrieved June 4, 2018. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.cybereason.com/blog/operation-cobalt-kitty-apt" target="_blank"> Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="http://www.clearskysec.com/wp-content/uploads/2017/12/Charming_Kitten_2017.pdf" target="_blank"> ClearSky Cyber Security. (2017, December). Charming Kitten. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank"> US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://www.us-cert.gov/ncas/alerts/TA17-293A" target="_blank"> US-CERT. (2017, October 20). Alert (TA17-293A): Advanced Persistent Threat Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved November 2, 2017. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank"> Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank"> Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://www.cyberbit.com/blog/endpoint-security/dtrack-apt-malware-found-in-nuclear-power-plant/" target="_blank"> Hod Gavriel. (2019, November 21). Dtrack: In-depth analysis of APT on a nuclear power plant. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://www.joesandbox.com/analysis/318027/0/html" target="_blank"> Joe Security. (n.d.). Analysis Report fasm.dll. Retrieved January 6, 2021. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware" target="_blank"> Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/" target="_blank"> Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html" target="_blank"> Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://github.com/EmpireProject/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" target="_blank"> Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" target="_blank"> Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://blogs.forcepoint.com/security-labs/playing-cat-mouse-introducing-felismus-malware" target="_blank"> Somerville, L. and Toro, A. (2017, March 30). Playing Cat & Mouse: Introducing the Felismus Malware. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" target="_blank"> Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank"> Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf" target="_blank"> FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" target="_blank"> McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" target="_blank"> Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank"> Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank"> Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank"> CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank"> Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank"> Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank"> Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/gold-dragon-widens-olympics-malware-attacks-gains-permanent-presence-on-victims-systems/" target="_blank"> Sherstobitoff, R., Saavedra-Morales, J. (2018, February 02). Gold Dragon Widens Olympics Malware Attacks, Gains Permanent Presence on Victims’ Systems. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/" target="_blank"> Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank"> Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" target="_blank"> Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities-part-2" target="_blank"> Reynolds, J.. (2016, September 14). H1N1: Technical analysis reveals new capabilities – part 2. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-F.pdf" target="_blank"> US-CERT. (2018, February 05). Malware Analysis Report (MAR) - 10135536-F. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" target="_blank"> Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="http://www.secureworks.com/resources/blog/where-you-at-indicators-of-lateral-movement-using-at-exe-on-windows-7-systems/" target="_blank"> Carvey, H.. (2014, September 2). Where you AT?: Indicators of lateral movement using at.exe on Windows 7 systems. Retrieved January 25, 2016. </a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank"> Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL_0.pdf" target="_blank"> Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" target="_blank"> Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank"> Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank"> Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://www.ptsecurity.com/ww-en/analytics/pt-esc-threat-intelligence/covid-19-and-new-year-greetings-the-higaisa-group/" target="_blank"> PT ESC Threat Intelligence. (2020, June 4). COVID-19 and New Year greetings: an investigation into the tools and methods used by the Higaisa group. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://www.fireeye.com/blog/threat-research/2012/08/hikit-rootkit-advanced-persistent-attack-techniques-part-2.html" target="_blank"> Glyer, C., Kazanciyan, R. (2012, August 22). The “Hikit” Rootkit: Advanced and Persistent Attack Techniques (Part 2). Retrieved May 4, 2020. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank"> FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank"> Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank"> US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank"> Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank"> Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" target="_blank"> ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank"> Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp_ixeshe.pdf" target="_blank"> Sancho, D., et al. (2012, May 22). IXESHE An APT Campaign. Retrieved June 7, 2019. </a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://www.carbonblack.com/2019/05/14/cb-tau-threat-intelligence-notification-jcry-ransomware-pretends-to-be-adobe-flash-player-update-installer/" target="_blank"> Lee, S.. (2019, May 14). JCry Ransomware. Retrieved June 18, 2019. </a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07195002/KL_AdwindPublicReport_2016.pdf" target="_blank"> Kamluk, V. & Gostev, A. (2016, February). Adwind - A Cross-Platform RAT. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="http://research.zscaler.com/2016/01/malicious-office-files-dropping-kasidet.html" target="_blank"> Yadav, A., et al. (2016, January 29). Malicious Office files dropping Kasidet and Dridex. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank"> Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank"> Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. </a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://www.pwc.co.uk/issues/cyber-security-data-privacy/research/the-keyboys-are-back-in-town.html" target="_blank"> Parys, B. (2017, February 11). The KeyBoys are back in town. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://blog.rapid7.com/2013/06/07/keyboy-targeted-attacks-against-vietnam-and-india/" target="_blank"> Guarnieri, C., Schloesser M. (2013, June 7). KeyBoy, Targeted Attacks against Vietnam and India. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="https://www.us-cert.gov/ncas/analysis-reports/AR18-221A" target="_blank"> US-CERT. (2018, August 09). MAR-10135536-17 – North Korean Trojan: KEYMARBLE. Retrieved August 16, 2018. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="138.0"> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://github.com/zerosum0x0/koadic" target="_blank"> Magius, J., et al. (2017, July 19). Koadic. Retrieved June 18, 2018. </a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank"> Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank"> Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b" target="_blank"> Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020. </a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Destructive-Malware-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Destructive Malware Report. Retrieved March 2, 2016. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank"> Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536.11.WHITE.pdf" target="_blank"> US-CERT. (2018, March 09). Malware Analysis Report (MAR) - 10135536.11.WHITE. Retrieved June 13, 2018. </a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://labs.f-secure.com/assets/BlogFiles/f-secureLABS-tlp-white-lazarus-threat-intel-report2.pdf" target="_blank"> F-Secure Labs. (2020, August 18). Lazarus Group Campaign Targeting the Cryptocurrency Vertical. Retrieved September 1, 2020. </a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank"> Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank"> Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank"> Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-151" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-151" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051605-2535-99" target="_blank"> Zhou, R. (2012, May 15). Backdoor.Linfo. Retrieved February 23, 2018. </a> </span> </span> </li> <li> <span id="scite-152" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-152" href="https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" target="_blank"> Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. </a> </span> </span> </li> <li> <span id="scite-153" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-153" href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank"> Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-154" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-154" href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank"> Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. </a> </span> </span> </li> <li> <span id="scite-155" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-155" href="https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" target="_blank"> kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. </a> </span> </span> </li> <li> <span id="scite-156" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-156" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank"> Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-157" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-157" href="https://www.fireeye.com/blog/threat-research/2020/05/tactics-techniques-procedures-associated-with-maze-ransomware-incidents.html" target="_blank"> Kennelly, J., Goody, K., Shilko, J. (2020, May 7). Navigating the MAZE: Tactics, Techniques and Procedures Associated With MAZE Ransomware Incidents. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-158" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-158" href="https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/" target="_blank"> Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-159" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-159" href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank"> Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-160" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-160" href="https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/" target="_blank"> Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-161" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-161" href="https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/" target="_blank"> Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. </a> </span> </span> </li> <li> <span id="scite-162" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-162" href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-report-final-v4.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper. Retrieved April 5, 2017. </a> </span> </span> </li> <li> <span id="scite-163" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-163" href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </span> </span> </li> <li> <span id="scite-164" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-164" href="https://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs" target="_blank"> Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017. </a> </span> </span> </li> <li> <span id="scite-165" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-165" href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank"> Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. </a> </span> </span> </li> <li> <span id="scite-166" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-166" href="https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank"> Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-167" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-167" href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank"> Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-168" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-168" href="https://blog.radware.com/security/2018/07/micropsia-malware/" target="_blank"> Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-169" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-169" href="https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" target="_blank"> Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018. </a> </span> </span> </li> <li> <span id="scite-170" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-170" href="https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" target="_blank"> Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017. </a> </span> </span> </li> <li> <span id="scite-171" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-171" href="http://www.symantec.com/security_response/writeup.jsp?docid=2015-020623-0740-99&tabid=2" target="_blank"> Stama, D.. (2015, February 6). Backdoor.Mivast. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-172" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-172" href="http://researchcenter.paloaltonetworks.com/2017/03/unit42-trochilus-rat-new-moonwind-rat-used-attack-thai-utility-organizations/" target="_blank"> Miller-Osborn, J. and Grunzweig, J.. (2017, March 30). Trochilus and New MoonWind RATs Used In Attack Against Thai Organizations. Retrieved March 30, 2017. </a> </span> </span> </li> <li> <span id="scite-173" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-173" href="https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" target="_blank"> Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. </a> </span> </span> </li> <li> <span id="scite-174" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-174" href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank"> Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-175" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-175" href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank"> ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. </a> </span> </span> </li> <li> <span id="scite-176" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-176" href="https://www.symantec.com/blogs/threat-intelligence/seedworm-espionage-group" target="_blank"> Symantec DeepSight Adversary Intelligence Team. (2018, December 10). Seedworm: Group Compromises Government Agencies, Oil & Gas, NGOs, Telecoms, and IT Firms. Retrieved December 14, 2018. </a> </span> </span> </li> <li> <span id="scite-177" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-177" href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations" target="_blank"> Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. </a> </span> </span> </li> <li> <span id="scite-178" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-178" href="https://www.avira.com/en/blog/new-wave-of-plugx-targets-hong-kong" target="_blank"> Hamzeloofard, S. (2020, January 31). New wave of PlugX targets Hong Kong | Avira Blog. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-179" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-179" href="https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/" target="_blank"> Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018. </a> </span> </span> </li> <li> <span id="scite-180" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-180" href="https://cofense.com/nanocore-rat-resurfaced-sewers/" target="_blank"> Patel, K. (2018, March 02). The NanoCore RAT Has Resurfaced From the Sewers. Retrieved November 9, 2018. </a> </span> </span> </li> <li> <span id="scite-181" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-181" href="https://blog.talosintelligence.com/2018/05/navrat.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, May 31). NavRAT Uses US-North Korea Summit As Decoy For Attacks In South Korea. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-182" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-182" href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank"> Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-183" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-183" href="https://redcanary.com/blog/netwire-remote-access-trojan-on-linux/" target="_blank"> Lambert, T. (2020, January 29). Intro to Netwire. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-184" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-184" href="https://www.proofpoint.com/us/blog/threat-insight/geofenced-netwire-campaigns" target="_blank"> Proofpoint. (2020, December 2). Geofenced NetWire Campaigns. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-185" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-185" href="https://www.threatminer.org/_reports/2013/fta-1009---njrat-uncovered-1.pdf" target="_blank"> Fidelis Cybersecurity. (2013, June 28). Fidelis Threat Advisory #1009: "njRAT" Uncovered. Retrieved June 4, 2019. </a> </span> </span> </li> <li> <span id="scite-186" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-186" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-oceansalt.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A. (2018, October 18). ‘Operation Oceansalt’ Attacks South Korea, U.S., and Canada With Source Code From Chinese Hacker Group. Retrieved November 30, 2018. </a> </span> </span> </li> <li> <span id="scite-187" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-187" href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank"> Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-188" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-188" href="https://researchcenter.paloaltonetworks.com/2017/07/unit42-oilrig-uses-ismdoor-variant-possibly-linked-greenbug-threat-group/" target="_blank"> Falcone, R. and Lee, B. (2017, July 27). OilRig Uses ISMDoor Variant; Possibly Linked to Greenbug Threat Group. Retrieved January 8, 2018. </a> </span> </span> </li> <li> <span id="scite-189" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-189" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank"> Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-190" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-190" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank"> Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. </a> </span> </span> </li> <li> <span id="scite-191" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-191" href="https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/" target="_blank"> Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-192" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-192" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-193" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-193" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank"> Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. </a> </span> </span> </li> <li> <span id="scite-194" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-194" href="https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-195" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-195" href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank"> Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. </a> </span> </span> </li> <li> <span id="scite-196" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-196" href="https://s3-us-west-2.amazonaws.com/cymmetria-blog/public/Unveiling_Patchwork.pdf" target="_blank"> Cymmetria. (2016). Unveiling Patchwork - The Copy-Paste APT. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-197" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-197" href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank"> Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-198" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-198" href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank"> Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-199" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-199" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank"> Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-200" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-200" href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank"> Tomonaga, S.. (2018, June 8). PLEAD Downloader Used by BlackTech. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-201" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-201" href="http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf" target="_blank"> Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-202" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-202" href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank"> Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021. </a> </span> </span> </li> <li> <span id="scite-203" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-203" href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank"> Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. </a> </span> </span> </li> <li> <span id="scite-204" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-204" href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank"> hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. </a> </span> </span> </li> <li> <span id="scite-205" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-205" href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank"> Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-206" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-206" href="https://github.com/quasar/QuasarRAT" target="_blank"> MaxXor. (n.d.). QuasarRAT. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-207" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-207" href="https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/" target="_blank"> SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. </a> </span> </span> </li> <li> <span id="scite-208" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-208" href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" target="_blank"> Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-209" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-209" href="https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" target="_blank"> Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-210" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-210" href="https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" target="_blank"> Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. </a> </span> </span> </li> <li> <span id="scite-211" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-211" href="https://www.fireeye.com/blog/threat-research/2017/04/apt10_menupass_grou.html" target="_blank"> FireEye iSIGHT Intelligence. (2017, April 6). APT10 (MenuPass Group): New Tools, Global Campaign Latest Manifestation of Longstanding Threat. Retrieved June 29, 2017. </a> </span> </span> </li> <li> <span id="scite-212" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-212" href="https://www.fortinet.com/blog/threat-research/remcos-a-new-rat-in-the-wild-2.html" target="_blank"> Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-213" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-213" href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank"> Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-214" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-214" href="https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/" target="_blank"> Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019. </a> </span> </span> </li> <li> <span id="scite-215" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-215" href="https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html" target="_blank"> Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-216" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-216" href="https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html" target="_blank"> Cadieux, P, et al (2019, April 30). Sodinokibi ransomware exploits WebLogic Server vulnerability. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-217" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-217" href="https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" target="_blank"> Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. </a> </span> </span> </li> <li> <span id="scite-218" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-218" href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank"> Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-219" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-219" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" target="_blank"> Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018. </a> </span> </span> </li> <li> <span id="scite-220" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-220" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-221" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-221" href="https://www.carbonblack.com/2019/05/17/cb-tau-threat-intelligence-notification-robbinhood-ransomware-stops-181-windows-services-before-encryption/" target="_blank"> Lee, S. (2019, May 17). CB TAU Threat Intelligence Notification: RobbinHood Ransomware Stops 181 Windows Services Before Encryption. Retrieved July 29, 2019. </a> </span> </span> </li> <li> <span id="scite-222" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-222" href="https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" target="_blank"> Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-223" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-223" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank"> Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-224" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-224" href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank"> Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. </a> </span> </span> </li> <li> <span id="scite-225" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-225" href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank"> Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-226" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-226" href="http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. </a> </span> </span> </li> <li> <span id="scite-227" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-227" href="https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf" target="_blank"> Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-228" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-228" href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank"> Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-229" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-229" href="http://researchcenter.paloaltonetworks.com/2015/07/unit-42-technical-analysis-seaduke/" target="_blank"> Grunzweig, J.. (2015, July 14). Unit 42 Technical Analysis: Seaduke. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-230" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-230" href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank"> Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-231" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-231" href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank"> Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-232" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-232" href="https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/" target="_blank"> Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-233" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-233" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-234" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-234" href="https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/" target="_blank"> Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. </a> </span> </span> </li> <li> <span id="scite-235" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-235" href="https://securelist.com/the-silence/83009/" target="_blank"> GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019. </a> </span> </span> </li> <li> <span id="scite-236" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-236" href="https://www.group-ib.com/resources/threat-research/silence_moving-into-the-darkside.pdf" target="_blank"> Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-237" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-237" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank"> DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. </a> </span> </span> </li> <li> <span id="scite-238" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-238" href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank"> Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-239" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-239" href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank"> Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. </a> </span> </span> </li> <li> <span id="scite-240" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-240" href="https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" target="_blank"> Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017. </a> </span> </span> </li> <li> <span id="scite-241" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-241" href="http://www.symantec.com/connect/blogs/indian-organizations-targeted-suckfly-attacks" target="_blank"> DiMaggio, J.. (2016, May 17). Indian organizations targeted in Suckfly attacks. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-242" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-242" href="https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/" target="_blank"> Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-243" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-243" href="https://unit42.paloaltonetworks.com/ta551-shathak-icedid/" target="_blank"> Duncan, B. (2021, January 7). TA551: Email Attack Campaign Switches from Valak to IcedID. Retrieved March 17, 2021. </a> </span> </span> </li> <li> <span id="scite-244" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-244" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-133b" target="_blank"> USG. (2020, May 12). MAR-10288834-2.v1 – North Korean Trojan: TAINTEDSCRIBE. Retrieved March 5, 2021. </a> </span> </span> </li> <li> <span id="scite-245" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-245" href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank"> ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. </a> </span> </span> </li> <li> <span id="scite-246" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-246" href="https://www.fireeye.com/blog/threat-research/2017/03/fin7_spear_phishing.html" target="_blank"> Miller, S., et al. (2017, March 7). FIN7 Spear Phishing Campaign Targets Personnel Involved in SEC Filings. Retrieved March 8, 2017. </a> </span> </span> </li> <li> <span id="scite-247" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-247" href="http://blog.talosintelligence.com/2017/03/dnsmessenger.html" target="_blank"> Brumaghin, E. and Grady, C.. (2017, March 2). Covert Channels and Poor Decisions: The Tale of DNSMessenger. Retrieved March 8, 2017. </a> </span> </span> </li> <li> <span id="scite-248" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-248" href="http://www.secureworks.com/resources/blog/living-off-the-land/" target="_blank"> Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016. </a> </span> </span> </li> <li> <span id="scite-249" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-249" href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" target="_blank"> Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. </a> </span> </span> </li> <li> <span id="scite-250" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-250" href="https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" target="_blank"> Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. </a> </span> </span> </li> <li> <span id="scite-251" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-251" href="https://blog.trendmicro.com/trendlabs-security-intelligence/trickbot-adds-remote-application-credential-grabbing-capabilities-to-its-repertoire/" target="_blank"> Llimos, N., Pascual, C.. (2019, February 12). Trickbot Adds Remote Application Credential-Grabbing Capabilities to Its Repertoire. Retrieved March 12, 2019. </a> </span> </span> </li> <li> <span id="scite-252" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-252" href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank"> Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. </a> </span> </span> </li> <li> <span id="scite-253" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-253" href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank"> Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. </a> </span> </span> </li> <li> <span id="scite-254" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-254" href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank"> Tomonaga, S.. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-255" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-255" href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank"> Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-256" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-256" href="https://www.symantec.com/blogs/threat-intelligence/waterbug-espionage-governments" target="_blank"> Symantec DeepSight Adversary Intelligence Team. (2019, June 20). Waterbug: Espionage Group Rolls Out Brand-New Toolset in Attacks Against Governments. Retrieved July 8, 2019. </a> </span> </span> </li> <li> <span id="scite-257" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-257" href="https://www.fireeye.com/blog/threat-research/2017/09/apt33-insights-into-iranian-cyber-espionage.html" target="_blank"> O'Leary, J., et al. (2017, September 20). Insights into Iranian Cyber Espionage: APT33 Targets Aerospace and Energy Sectors and has Ties to Destructive Malware. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-258" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-258" href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank"> US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. </a> </span> </span> </li> <li> <span id="scite-259" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-259" href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" target="_blank"> Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018. </a> </span> </span> </li> <li> <span id="scite-260" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-260" href="https://blog.trendmicro.com/trendlabs-security-intelligence/pokemon-themed-umbreon-linux-rootkit-hits-x86-arm-systems/?_ga=2.180041126.367598458.1505420282-1759340220.1502477046" target="_blank"> Fernando Mercês. (2016, September 5). Pokémon-themed Umbreon Linux Rootkit Hits x86, ARM Systems. Retrieved March 5, 2018. </a> </span> </span> </li> <li> <span id="scite-261" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-261" href="https://www.us-cert.gov/ncas/alerts/TA17-318B" target="_blank"> US-CERT. (2017, November 22). Alert (TA17-318B): HIDDEN COBRA – North Korean Trojan: Volgmer. Retrieved December 7, 2017. </a> </span> </span> </li> <li> <span id="scite-262" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-262" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" target="_blank"> US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-263" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-263" href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank"> PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-264" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-264" href="https://www.symantec.com/security_response/writeup.jsp?docid=2012-051606-1005-99" target="_blank"> Zhou, R. (2012, May 15). Backdoor.Wiarp. Retrieved February 22, 2018. </a> </span> </span> </li> <li> <span id="scite-265" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-265" href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank"> The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-266" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-266" href="https://www.crowdstrike.com/blog/bears-midst-intrusion-democratic-national-committee/" target="_blank"> Alperovitch, D.. (2016, June 15). Bears in the Midst: Intrusion into the Democratic National Committee. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-267" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-267" href="https://www.welivesecurity.com/2019/05/22/journey-zebrocy-land/" target="_blank"> ESET Research. (2019, May 22). A journey to Zebrocy land. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-268" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-268" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b" target="_blank"> CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. </a> </span> </span> </li> <li> <span id="scite-269" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-269" href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank"> Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-270" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-270" href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank"> Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-271" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-271" href="https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-272" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-272" href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank"> Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. </a> </span> </span> </li> <li> <span id="scite-273" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-273" href="https://www.secureworks.com/research/a-peek-into-bronze-unions-toolbox" target="_blank"> Counter Threat Unit Research Team. (2019, February 27). A Peek into BRONZE UNION’s Toolbox. Retrieved September 24, 2019. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&amp;CK content version 9.0&#013;Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?4266"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> <script src="/versions/v9/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v9/theme/scripts/settings.js"></script> <script src="/versions/v9/theme/scripts/tour/tour-subtechniques.js"></script> </body> </html>