CINXE.COM

Deobfuscate/Decode Files or Information, Technique T1140 - Enterprise | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Deobfuscate/Decode Files or Information, Technique T1140 - Enterprise | MITRE ATT&CK&reg;</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div id="v-tab" role="tablist" aria-orientation="vertical"> <span class="heading" id="v-home-tab" aria-selected="false">TECHNIQUES</span> <div class="sidenav"> <div class="sidenav-head " id="enterprise"> <a href="/versions/v9/techniques/enterprise/"> Enterprise </a> <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043"> <a href="/versions/v9/tactics/TA0043"> Reconnaissance </a> <div class="expand-button collapsed" id="enterprise-TA0043-header" data-toggle="collapse" data-target="#enterprise-TA0043-body" aria-expanded="false" aria-controls="#enterprise-TA0043-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-body" aria-labelledby="enterprise-TA0043-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595"> <a href="/versions/v9/techniques/T1595/"> Active Scanning </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1595-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1595-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1595-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1595-body" aria-labelledby="enterprise-TA0043-T1595-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.001"> <a href="/versions/v9/techniques/T1595/001/"> Scanning IP Blocks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.002"> <a href="/versions/v9/techniques/T1595/002/"> Vulnerability Scanning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592"> <a href="/versions/v9/techniques/T1592/"> Gather Victim Host Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1592-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1592-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1592-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1592-body" aria-labelledby="enterprise-TA0043-T1592-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.001"> <a href="/versions/v9/techniques/T1592/001/"> Hardware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.002"> <a href="/versions/v9/techniques/T1592/002/"> Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.003"> <a href="/versions/v9/techniques/T1592/003/"> Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.004"> <a href="/versions/v9/techniques/T1592/004/"> Client Configurations </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589"> <a href="/versions/v9/techniques/T1589/"> Gather Victim Identity Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1589-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1589-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1589-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1589-body" aria-labelledby="enterprise-TA0043-T1589-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.001"> <a href="/versions/v9/techniques/T1589/001/"> Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.002"> <a href="/versions/v9/techniques/T1589/002/"> Email Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.003"> <a href="/versions/v9/techniques/T1589/003/"> Employee Names </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590"> <a href="/versions/v9/techniques/T1590/"> Gather Victim Network Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1590-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1590-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1590-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1590-body" aria-labelledby="enterprise-TA0043-T1590-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.001"> <a href="/versions/v9/techniques/T1590/001/"> Domain Properties </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.002"> <a href="/versions/v9/techniques/T1590/002/"> DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.003"> <a href="/versions/v9/techniques/T1590/003/"> Network Trust Dependencies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.004"> <a href="/versions/v9/techniques/T1590/004/"> Network Topology </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.005"> <a href="/versions/v9/techniques/T1590/005/"> IP Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.006"> <a href="/versions/v9/techniques/T1590/006/"> Network Security Appliances </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591"> <a href="/versions/v9/techniques/T1591/"> Gather Victim Org Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1591-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1591-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1591-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1591-body" aria-labelledby="enterprise-TA0043-T1591-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.001"> <a href="/versions/v9/techniques/T1591/001/"> Determine Physical Locations </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.002"> <a href="/versions/v9/techniques/T1591/002/"> Business Relationships </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.003"> <a href="/versions/v9/techniques/T1591/003/"> Identify Business Tempo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.004"> <a href="/versions/v9/techniques/T1591/004/"> Identify Roles </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598"> <a href="/versions/v9/techniques/T1598/"> Phishing for Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1598-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1598-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1598-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1598-body" aria-labelledby="enterprise-TA0043-T1598-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.001"> <a href="/versions/v9/techniques/T1598/001/"> Spearphishing Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.002"> <a href="/versions/v9/techniques/T1598/002/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.003"> <a href="/versions/v9/techniques/T1598/003/"> Spearphishing Link </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597"> <a href="/versions/v9/techniques/T1597/"> Search Closed Sources </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1597-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1597-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1597-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1597-body" aria-labelledby="enterprise-TA0043-T1597-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.001"> <a href="/versions/v9/techniques/T1597/001/"> Threat Intel Vendors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.002"> <a href="/versions/v9/techniques/T1597/002/"> Purchase Technical Data </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596"> <a href="/versions/v9/techniques/T1596/"> Search Open Technical Databases </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1596-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1596-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1596-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1596-body" aria-labelledby="enterprise-TA0043-T1596-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.001"> <a href="/versions/v9/techniques/T1596/001/"> DNS/Passive DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.002"> <a href="/versions/v9/techniques/T1596/002/"> WHOIS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.003"> <a href="/versions/v9/techniques/T1596/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.004"> <a href="/versions/v9/techniques/T1596/004/"> CDNs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.005"> <a href="/versions/v9/techniques/T1596/005/"> Scan Databases </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593"> <a href="/versions/v9/techniques/T1593/"> Search Open Websites/Domains </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1593-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1593-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1593-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1593-body" aria-labelledby="enterprise-TA0043-T1593-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.001"> <a href="/versions/v9/techniques/T1593/001/"> Social Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.002"> <a href="/versions/v9/techniques/T1593/002/"> Search Engines </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1594"> <a href="/versions/v9/techniques/T1594/"> Search Victim-Owned Websites </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042"> <a href="/versions/v9/tactics/TA0042"> Resource Development </a> <div class="expand-button collapsed" id="enterprise-TA0042-header" data-toggle="collapse" data-target="#enterprise-TA0042-body" aria-expanded="false" aria-controls="#enterprise-TA0042-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-body" aria-labelledby="enterprise-TA0042-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583"> <a href="/versions/v9/techniques/T1583/"> Acquire Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1583-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1583-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1583-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1583-body" aria-labelledby="enterprise-TA0042-T1583-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.001"> <a href="/versions/v9/techniques/T1583/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.002"> <a href="/versions/v9/techniques/T1583/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.003"> <a href="/versions/v9/techniques/T1583/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.004"> <a href="/versions/v9/techniques/T1583/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.005"> <a href="/versions/v9/techniques/T1583/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.006"> <a href="/versions/v9/techniques/T1583/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586"> <a href="/versions/v9/techniques/T1586/"> Compromise Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1586-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1586-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1586-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1586-body" aria-labelledby="enterprise-TA0042-T1586-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1586-T1586.001"> <a href="/versions/v9/techniques/T1586/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1586-T1586.002"> <a href="/versions/v9/techniques/T1586/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584"> <a href="/versions/v9/techniques/T1584/"> Compromise Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1584-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1584-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1584-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1584-body" aria-labelledby="enterprise-TA0042-T1584-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.001"> <a href="/versions/v9/techniques/T1584/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.002"> <a href="/versions/v9/techniques/T1584/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.003"> <a href="/versions/v9/techniques/T1584/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.004"> <a href="/versions/v9/techniques/T1584/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.005"> <a href="/versions/v9/techniques/T1584/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.006"> <a href="/versions/v9/techniques/T1584/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587"> <a href="/versions/v9/techniques/T1587/"> Develop Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1587-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1587-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1587-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1587-body" aria-labelledby="enterprise-TA0042-T1587-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.001"> <a href="/versions/v9/techniques/T1587/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.002"> <a href="/versions/v9/techniques/T1587/002/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.003"> <a href="/versions/v9/techniques/T1587/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.004"> <a href="/versions/v9/techniques/T1587/004/"> Exploits </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585"> <a href="/versions/v9/techniques/T1585/"> Establish Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1585-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1585-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1585-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1585-body" aria-labelledby="enterprise-TA0042-T1585-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.001"> <a href="/versions/v9/techniques/T1585/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.002"> <a href="/versions/v9/techniques/T1585/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588"> <a href="/versions/v9/techniques/T1588/"> Obtain Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1588-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1588-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1588-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1588-body" aria-labelledby="enterprise-TA0042-T1588-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.001"> <a href="/versions/v9/techniques/T1588/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.002"> <a href="/versions/v9/techniques/T1588/002/"> Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.003"> <a href="/versions/v9/techniques/T1588/003/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.004"> <a href="/versions/v9/techniques/T1588/004/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.005"> <a href="/versions/v9/techniques/T1588/005/"> Exploits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.006"> <a href="/versions/v9/techniques/T1588/006/"> Vulnerabilities </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608"> <a href="/versions/v9/techniques/T1608/"> Stage Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1608-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1608-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1608-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1608-body" aria-labelledby="enterprise-TA0042-T1608-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.001"> <a href="/versions/v9/techniques/T1608/001/"> Upload Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.002"> <a href="/versions/v9/techniques/T1608/002/"> Upload Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.003"> <a href="/versions/v9/techniques/T1608/003/"> Install Digital Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.004"> <a href="/versions/v9/techniques/T1608/004/"> Drive-by Target </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.005"> <a href="/versions/v9/techniques/T1608/005/"> Link Target </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001"> <a href="/versions/v9/tactics/TA0001"> Initial Access </a> <div class="expand-button collapsed" id="enterprise-TA0001-header" data-toggle="collapse" data-target="#enterprise-TA0001-body" aria-expanded="false" aria-controls="#enterprise-TA0001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-body" aria-labelledby="enterprise-TA0001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1189"> <a href="/versions/v9/techniques/T1189/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1190"> <a href="/versions/v9/techniques/T1190/"> Exploit Public-Facing Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1200"> <a href="/versions/v9/techniques/T1200/"> Hardware Additions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1566"> <a href="/versions/v9/techniques/T1566/"> Phishing </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1566-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1566-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1566-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1566-body" aria-labelledby="enterprise-TA0001-T1566-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.001"> <a href="/versions/v9/techniques/T1566/001/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.002"> <a href="/versions/v9/techniques/T1566/002/"> Spearphishing Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.003"> <a href="/versions/v9/techniques/T1566/003/"> Spearphishing via Service </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1195"> <a href="/versions/v9/techniques/T1195/"> Supply Chain Compromise </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1195-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1195-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1195-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1195-body" aria-labelledby="enterprise-TA0001-T1195-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.001"> <a href="/versions/v9/techniques/T1195/001/"> Compromise Software Dependencies and Development Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.002"> <a href="/versions/v9/techniques/T1195/002/"> Compromise Software Supply Chain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.003"> <a href="/versions/v9/techniques/T1195/003/"> Compromise Hardware Supply Chain </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1199"> <a href="/versions/v9/techniques/T1199/"> Trusted Relationship </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1078-body" aria-labelledby="enterprise-TA0001-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002"> <a href="/versions/v9/tactics/TA0002"> Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-header" data-toggle="collapse" data-target="#enterprise-TA0002-body" aria-expanded="false" aria-controls="#enterprise-TA0002-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-body" aria-labelledby="enterprise-TA0002-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1059"> <a href="/versions/v9/techniques/T1059/"> Command and Scripting Interpreter </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1059-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1059-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1059-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1059-body" aria-labelledby="enterprise-TA0002-T1059-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.001"> <a href="/versions/v9/techniques/T1059/001/"> PowerShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.002"> <a href="/versions/v9/techniques/T1059/002/"> AppleScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.003"> <a href="/versions/v9/techniques/T1059/003/"> Windows Command Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.004"> <a href="/versions/v9/techniques/T1059/004/"> Unix Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.005"> <a href="/versions/v9/techniques/T1059/005/"> Visual Basic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.006"> <a href="/versions/v9/techniques/T1059/006/"> Python </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.007"> <a href="/versions/v9/techniques/T1059/007/"> JavaScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.008"> <a href="/versions/v9/techniques/T1059/008/"> Network Device CLI </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1609"> <a href="/versions/v9/techniques/T1609/"> Container Administration Command </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1203"> <a href="/versions/v9/techniques/T1203/"> Exploitation for Client Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1559"> <a href="/versions/v9/techniques/T1559/"> Inter-Process Communication </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1559-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1559-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1559-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1559-body" aria-labelledby="enterprise-TA0002-T1559-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.001"> <a href="/versions/v9/techniques/T1559/001/"> Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.002"> <a href="/versions/v9/techniques/T1559/002/"> Dynamic Data Exchange </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1106"> <a href="/versions/v9/techniques/T1106/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1053-body" aria-labelledby="enterprise-TA0002-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1129"> <a href="/versions/v9/techniques/T1129/"> Shared Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1569"> <a href="/versions/v9/techniques/T1569/"> System Services </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1569-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1569-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1569-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1569-body" aria-labelledby="enterprise-TA0002-T1569-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1569-T1569.001"> <a href="/versions/v9/techniques/T1569/001/"> Launchctl </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1569-T1569.002"> <a href="/versions/v9/techniques/T1569/002/"> Service Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1204"> <a href="/versions/v9/techniques/T1204/"> User Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1204-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1204-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1204-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1204-body" aria-labelledby="enterprise-TA0002-T1204-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.001"> <a href="/versions/v9/techniques/T1204/001/"> Malicious Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.002"> <a href="/versions/v9/techniques/T1204/002/"> Malicious File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.003"> <a href="/versions/v9/techniques/T1204/003/"> Malicious Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1047"> <a href="/versions/v9/techniques/T1047/"> Windows Management Instrumentation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003"> <a href="/versions/v9/tactics/TA0003"> Persistence </a> <div class="expand-button collapsed" id="enterprise-TA0003-header" data-toggle="collapse" data-target="#enterprise-TA0003-body" aria-expanded="false" aria-controls="#enterprise-TA0003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-body" aria-labelledby="enterprise-TA0003-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098"> <a href="/versions/v9/techniques/T1098/"> Account Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1098-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1098-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1098-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1098-body" aria-labelledby="enterprise-TA0003-T1098-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.001"> <a href="/versions/v9/techniques/T1098/001/"> Additional Cloud Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.002"> <a href="/versions/v9/techniques/T1098/002/"> Exchange Email Delegate Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.003"> <a href="/versions/v9/techniques/T1098/003/"> Add Office 365 Global Administrator Role </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.004"> <a href="/versions/v9/techniques/T1098/004/"> SSH Authorized Keys </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1547-body" aria-labelledby="enterprise-TA0003-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1037-body" aria-labelledby="enterprise-TA0003-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1176"> <a href="/versions/v9/techniques/T1176/"> Browser Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1554"> <a href="/versions/v9/techniques/T1554/"> Compromise Client Software Binary </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1136"> <a href="/versions/v9/techniques/T1136/"> Create Account </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1136-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1136-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1136-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1136-body" aria-labelledby="enterprise-TA0003-T1136-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.001"> <a href="/versions/v9/techniques/T1136/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.002"> <a href="/versions/v9/techniques/T1136/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.003"> <a href="/versions/v9/techniques/T1136/003/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1543-body" aria-labelledby="enterprise-TA0003-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1546-body" aria-labelledby="enterprise-TA0003-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1574-body" aria-labelledby="enterprise-TA0003-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1525"> <a href="/versions/v9/techniques/T1525/"> Implant Internal Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1556-body" aria-labelledby="enterprise-TA0003-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137"> <a href="/versions/v9/techniques/T1137/"> Office Application Startup </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1137-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1137-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1137-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1137-body" aria-labelledby="enterprise-TA0003-T1137-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.001"> <a href="/versions/v9/techniques/T1137/001/"> Office Template Macros </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.002"> <a href="/versions/v9/techniques/T1137/002/"> Office Test </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.003"> <a href="/versions/v9/techniques/T1137/003/"> Outlook Forms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.004"> <a href="/versions/v9/techniques/T1137/004/"> Outlook Home Page </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.005"> <a href="/versions/v9/techniques/T1137/005/"> Outlook Rules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.006"> <a href="/versions/v9/techniques/T1137/006/"> Add-ins </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1542-body" aria-labelledby="enterprise-TA0003-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1053-body" aria-labelledby="enterprise-TA0003-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505"> <a href="/versions/v9/techniques/T1505/"> Server Software Component </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1505-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1505-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1505-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1505-body" aria-labelledby="enterprise-TA0003-T1505-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.001"> <a href="/versions/v9/techniques/T1505/001/"> SQL Stored Procedures </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.002"> <a href="/versions/v9/techniques/T1505/002/"> Transport Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.003"> <a href="/versions/v9/techniques/T1505/003/"> Web Shell </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1205-body" aria-labelledby="enterprise-TA0003-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1078-body" aria-labelledby="enterprise-TA0003-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004"> <a href="/versions/v9/tactics/TA0004"> Privilege Escalation </a> <div class="expand-button collapsed" id="enterprise-TA0004-header" data-toggle="collapse" data-target="#enterprise-TA0004-body" aria-expanded="false" aria-controls="#enterprise-TA0004-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-body" aria-labelledby="enterprise-TA0004-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1548-body" aria-labelledby="enterprise-TA0004-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.002"> <a href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1134-body" aria-labelledby="enterprise-TA0004-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1547-body" aria-labelledby="enterprise-TA0004-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1037-body" aria-labelledby="enterprise-TA0004-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1543-body" aria-labelledby="enterprise-TA0004-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1484-body" aria-labelledby="enterprise-TA0004-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1611"> <a href="/versions/v9/techniques/T1611/"> Escape to Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1546-body" aria-labelledby="enterprise-TA0004-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1068"> <a href="/versions/v9/techniques/T1068/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1574-body" aria-labelledby="enterprise-TA0004-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1055-body" aria-labelledby="enterprise-TA0004-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.009"> <a href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1053-body" aria-labelledby="enterprise-TA0004-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1078-body" aria-labelledby="enterprise-TA0004-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005"> <a href="/versions/v9/tactics/TA0005"> Defense Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-header" data-toggle="collapse" data-target="#enterprise-TA0005-body" aria-expanded="false" aria-controls="#enterprise-TA0005-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-body" aria-labelledby="enterprise-TA0005-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1548-body" aria-labelledby="enterprise-TA0005-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.002"> <a href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1134-body" aria-labelledby="enterprise-TA0005-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1612"> <a href="/versions/v9/techniques/T1612/"> Build Image on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="enterprise-TA0005-T1140"> <a href="/versions/v9/techniques/T1140/"> Deobfuscate/Decode Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1006"> <a href="/versions/v9/techniques/T1006/"> Direct Volume Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1484-body" aria-labelledby="enterprise-TA0005-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480"> <a href="/versions/v9/techniques/T1480/"> Execution Guardrails </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1480-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1480-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1480-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1480-body" aria-labelledby="enterprise-TA0005-T1480-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1480-T1480.001"> <a href="/versions/v9/techniques/T1480/001/"> Environmental Keying </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1211"> <a href="/versions/v9/techniques/T1211/"> Exploitation for Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222"> <a href="/versions/v9/techniques/T1222/"> File and Directory Permissions Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1222-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1222-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1222-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1222-body" aria-labelledby="enterprise-TA0005-T1222-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.001"> <a href="/versions/v9/techniques/T1222/001/"> Windows File and Directory Permissions Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.002"> <a href="/versions/v9/techniques/T1222/002/"> Linux and Mac File and Directory Permissions Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564"> <a href="/versions/v9/techniques/T1564/"> Hide Artifacts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1564-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1564-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1564-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1564-body" aria-labelledby="enterprise-TA0005-T1564-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.001"> <a href="/versions/v9/techniques/T1564/001/"> Hidden Files and Directories </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.002"> <a href="/versions/v9/techniques/T1564/002/"> Hidden Users </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.003"> <a href="/versions/v9/techniques/T1564/003/"> Hidden Window </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.004"> <a href="/versions/v9/techniques/T1564/004/"> NTFS File Attributes </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.005"> <a href="/versions/v9/techniques/T1564/005/"> Hidden File System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.006"> <a href="/versions/v9/techniques/T1564/006/"> Run Virtual Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.007"> <a href="/versions/v9/techniques/T1564/007/"> VBA Stomping </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1574-body" aria-labelledby="enterprise-TA0005-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562"> <a href="/versions/v9/techniques/T1562/"> Impair Defenses </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1562-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1562-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1562-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1562-body" aria-labelledby="enterprise-TA0005-T1562-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.001"> <a href="/versions/v9/techniques/T1562/001/"> Disable or Modify Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.002"> <a href="/versions/v9/techniques/T1562/002/"> Disable Windows Event Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.003"> <a href="/versions/v9/techniques/T1562/003/"> Impair Command History Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.004"> <a href="/versions/v9/techniques/T1562/004/"> Disable or Modify System Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.006"> <a href="/versions/v9/techniques/T1562/006/"> Indicator Blocking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.007"> <a href="/versions/v9/techniques/T1562/007/"> Disable or Modify Cloud Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.008"> <a href="/versions/v9/techniques/T1562/008/"> Disable Cloud Logs </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070"> <a href="/versions/v9/techniques/T1070/"> Indicator Removal on Host </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1070-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1070-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1070-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1070-body" aria-labelledby="enterprise-TA0005-T1070-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.001"> <a href="/versions/v9/techniques/T1070/001/"> Clear Windows Event Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.002"> <a href="/versions/v9/techniques/T1070/002/"> Clear Linux or Mac System Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.003"> <a href="/versions/v9/techniques/T1070/003/"> Clear Command History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.004"> <a href="/versions/v9/techniques/T1070/004/"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.005"> <a href="/versions/v9/techniques/T1070/005/"> Network Share Connection Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.006"> <a href="/versions/v9/techniques/T1070/006/"> Timestomp </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1202"> <a href="/versions/v9/techniques/T1202/"> Indirect Command Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036"> <a href="/versions/v9/techniques/T1036/"> Masquerading </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1036-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1036-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1036-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1036-body" aria-labelledby="enterprise-TA0005-T1036-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.001"> <a href="/versions/v9/techniques/T1036/001/"> Invalid Code Signature </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.002"> <a href="/versions/v9/techniques/T1036/002/"> Right-to-Left Override </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.003"> <a href="/versions/v9/techniques/T1036/003/"> Rename System Utilities </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.004"> <a href="/versions/v9/techniques/T1036/004/"> Masquerade Task or Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.005"> <a href="/versions/v9/techniques/T1036/005/"> Match Legitimate Name or Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.006"> <a href="/versions/v9/techniques/T1036/006/"> Space after Filename </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1556-body" aria-labelledby="enterprise-TA0005-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1578"> <a href="/versions/v9/techniques/T1578/"> Modify Cloud Compute Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1578-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1578-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1578-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1578-body" aria-labelledby="enterprise-TA0005-T1578-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.001"> <a href="/versions/v9/techniques/T1578/001/"> Create Snapshot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.002"> <a href="/versions/v9/techniques/T1578/002/"> Create Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.003"> <a href="/versions/v9/techniques/T1578/003/"> Delete Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.004"> <a href="/versions/v9/techniques/T1578/004/"> Revert Cloud Instance </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1112"> <a href="/versions/v9/techniques/T1112/"> Modify Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1601"> <a href="/versions/v9/techniques/T1601/"> Modify System Image </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1601-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1601-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1601-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1601-body" aria-labelledby="enterprise-TA0005-T1601-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.001"> <a href="/versions/v9/techniques/T1601/001/"> Patch System Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.002"> <a href="/versions/v9/techniques/T1601/002/"> Downgrade System Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1599"> <a href="/versions/v9/techniques/T1599/"> Network Boundary Bridging </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1599-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1599-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1599-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1599-body" aria-labelledby="enterprise-TA0005-T1599-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1599-T1599.001"> <a href="/versions/v9/techniques/T1599/001/"> Network Address Translation Traversal </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027"> <a href="/versions/v9/techniques/T1027/"> Obfuscated Files or Information </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1027-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1027-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1027-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1027-body" aria-labelledby="enterprise-TA0005-T1027-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.001"> <a href="/versions/v9/techniques/T1027/001/"> Binary Padding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.002"> <a href="/versions/v9/techniques/T1027/002/"> Software Packing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.003"> <a href="/versions/v9/techniques/T1027/003/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.004"> <a href="/versions/v9/techniques/T1027/004/"> Compile After Delivery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.005"> <a href="/versions/v9/techniques/T1027/005/"> Indicator Removal from Tools </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1542-body" aria-labelledby="enterprise-TA0005-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1055-body" aria-labelledby="enterprise-TA0005-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.009"> <a href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1207"> <a href="/versions/v9/techniques/T1207/"> Rogue Domain Controller </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1014"> <a href="/versions/v9/techniques/T1014/"> Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218"> <a href="/versions/v9/techniques/T1218/"> Signed Binary Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1218-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1218-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1218-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1218-body" aria-labelledby="enterprise-TA0005-T1218-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.001"> <a href="/versions/v9/techniques/T1218/001/"> Compiled HTML File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.002"> <a href="/versions/v9/techniques/T1218/002/"> Control Panel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.003"> <a href="/versions/v9/techniques/T1218/003/"> CMSTP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.004"> <a href="/versions/v9/techniques/T1218/004/"> InstallUtil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.005"> <a href="/versions/v9/techniques/T1218/005/"> Mshta </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.007"> <a href="/versions/v9/techniques/T1218/007/"> Msiexec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.008"> <a href="/versions/v9/techniques/T1218/008/"> Odbcconf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.009"> <a href="/versions/v9/techniques/T1218/009/"> Regsvcs/Regasm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.010"> <a href="/versions/v9/techniques/T1218/010/"> Regsvr32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.011"> <a href="/versions/v9/techniques/T1218/011/"> Rundll32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.012"> <a href="/versions/v9/techniques/T1218/012/"> Verclsid </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1216"> <a href="/versions/v9/techniques/T1216/"> Signed Script Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1216-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1216-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1216-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1216-body" aria-labelledby="enterprise-TA0005-T1216-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1216-T1216.001"> <a href="/versions/v9/techniques/T1216/001/"> PubPrn </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553"> <a href="/versions/v9/techniques/T1553/"> Subvert Trust Controls </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1553-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1553-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1553-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1553-body" aria-labelledby="enterprise-TA0005-T1553-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.001"> <a href="/versions/v9/techniques/T1553/001/"> Gatekeeper Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.002"> <a href="/versions/v9/techniques/T1553/002/"> Code Signing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.003"> <a href="/versions/v9/techniques/T1553/003/"> SIP and Trust Provider Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.004"> <a href="/versions/v9/techniques/T1553/004/"> Install Root Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.005"> <a href="/versions/v9/techniques/T1553/005/"> Mark-of-the-Web Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.006"> <a href="/versions/v9/techniques/T1553/006/"> Code Signing Policy Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1221"> <a href="/versions/v9/techniques/T1221/"> Template Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1205-body" aria-labelledby="enterprise-TA0005-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1127"> <a href="/versions/v9/techniques/T1127/"> Trusted Developer Utilities Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1127-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1127-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1127-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1127-body" aria-labelledby="enterprise-TA0005-T1127-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1127-T1127.001"> <a href="/versions/v9/techniques/T1127/001/"> MSBuild </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1535"> <a href="/versions/v9/techniques/T1535/"> Unused/Unsupported Cloud Regions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1550-body" aria-labelledby="enterprise-TA0005-T1550-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1078-body" aria-labelledby="enterprise-TA0005-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1497"> <a href="/versions/v9/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1497-body" aria-labelledby="enterprise-TA0005-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1600"> <a href="/versions/v9/techniques/T1600/"> Weaken Encryption </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1600-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1600-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1600-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1600-body" aria-labelledby="enterprise-TA0005-T1600-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.001"> <a href="/versions/v9/techniques/T1600/001/"> Reduce Key Space </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.002"> <a href="/versions/v9/techniques/T1600/002/"> Disable Crypto Hardware </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1220"> <a href="/versions/v9/techniques/T1220/"> XSL Script Processing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006"> <a href="/versions/v9/tactics/TA0006"> Credential Access </a> <div class="expand-button collapsed" id="enterprise-TA0006-header" data-toggle="collapse" data-target="#enterprise-TA0006-body" aria-expanded="false" aria-controls="#enterprise-TA0006-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-body" aria-labelledby="enterprise-TA0006-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1110"> <a href="/versions/v9/techniques/T1110/"> Brute Force </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1110-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1110-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1110-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1110-body" aria-labelledby="enterprise-TA0006-T1110-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.001"> <a href="/versions/v9/techniques/T1110/001/"> Password Guessing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.002"> <a href="/versions/v9/techniques/T1110/002/"> Password Cracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.003"> <a href="/versions/v9/techniques/T1110/003/"> Password Spraying </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.004"> <a href="/versions/v9/techniques/T1110/004/"> Credential Stuffing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555"> <a href="/versions/v9/techniques/T1555/"> Credentials from Password Stores </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1555-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1555-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1555-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1555-body" aria-labelledby="enterprise-TA0006-T1555-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.001"> <a href="/versions/v9/techniques/T1555/001/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.002"> <a href="/versions/v9/techniques/T1555/002/"> Securityd Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.003"> <a href="/versions/v9/techniques/T1555/003/"> Credentials from Web Browsers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.004"> <a href="/versions/v9/techniques/T1555/004/"> Windows Credential Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.005"> <a href="/versions/v9/techniques/T1555/005/"> Password Managers </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1212"> <a href="/versions/v9/techniques/T1212/"> Exploitation for Credential Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1187"> <a href="/versions/v9/techniques/T1187/"> Forced Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1606"> <a href="/versions/v9/techniques/T1606/"> Forge Web Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1606-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1606-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1606-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1606-body" aria-labelledby="enterprise-TA0006-T1606-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1606-T1606.001"> <a href="/versions/v9/techniques/T1606/001/"> Web Cookies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1606-T1606.002"> <a href="/versions/v9/techniques/T1606/002/"> SAML Tokens </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1056-body" aria-labelledby="enterprise-TA0006-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.004"> <a href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1557-body" aria-labelledby="enterprise-TA0006-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1556-body" aria-labelledby="enterprise-TA0006-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003"> <a href="/versions/v9/techniques/T1003/"> OS Credential Dumping </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1003-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1003-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1003-body" aria-labelledby="enterprise-TA0006-T1003-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.001"> <a href="/versions/v9/techniques/T1003/001/"> LSASS Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.002"> <a href="/versions/v9/techniques/T1003/002/"> Security Account Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.003"> <a href="/versions/v9/techniques/T1003/003/"> NTDS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.004"> <a href="/versions/v9/techniques/T1003/004/"> LSA Secrets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.005"> <a href="/versions/v9/techniques/T1003/005/"> Cached Domain Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.006"> <a href="/versions/v9/techniques/T1003/006/"> DCSync </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.007"> <a href="/versions/v9/techniques/T1003/007/"> Proc Filesystem </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.008"> <a href="/versions/v9/techniques/T1003/008/"> /etc/passwd and /etc/shadow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1528"> <a href="/versions/v9/techniques/T1528/"> Steal Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558"> <a href="/versions/v9/techniques/T1558/"> Steal or Forge Kerberos Tickets </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1558-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1558-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1558-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1558-body" aria-labelledby="enterprise-TA0006-T1558-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.001"> <a href="/versions/v9/techniques/T1558/001/"> Golden Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.002"> <a href="/versions/v9/techniques/T1558/002/"> Silver Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.003"> <a href="/versions/v9/techniques/T1558/003/"> Kerberoasting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.004"> <a href="/versions/v9/techniques/T1558/004/"> AS-REP Roasting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1539"> <a href="/versions/v9/techniques/T1539/"> Steal Web Session Cookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1111"> <a href="/versions/v9/techniques/T1111/"> Two-Factor Authentication Interception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552"> <a href="/versions/v9/techniques/T1552/"> Unsecured Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1552-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1552-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1552-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1552-body" aria-labelledby="enterprise-TA0006-T1552-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.001"> <a href="/versions/v9/techniques/T1552/001/"> Credentials In Files </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.002"> <a href="/versions/v9/techniques/T1552/002/"> Credentials in Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.003"> <a href="/versions/v9/techniques/T1552/003/"> Bash History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.004"> <a href="/versions/v9/techniques/T1552/004/"> Private Keys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.005"> <a href="/versions/v9/techniques/T1552/005/"> Cloud Instance Metadata API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.006"> <a href="/versions/v9/techniques/T1552/006/"> Group Policy Preferences </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.007"> <a href="/versions/v9/techniques/T1552/007/"> Container API </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007"> <a href="/versions/v9/tactics/TA0007"> Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-header" data-toggle="collapse" data-target="#enterprise-TA0007-body" aria-expanded="false" aria-controls="#enterprise-TA0007-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-body" aria-labelledby="enterprise-TA0007-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087"> <a href="/versions/v9/techniques/T1087/"> Account Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1087-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1087-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1087-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1087-body" aria-labelledby="enterprise-TA0007-T1087-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.001"> <a href="/versions/v9/techniques/T1087/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.002"> <a href="/versions/v9/techniques/T1087/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.003"> <a href="/versions/v9/techniques/T1087/003/"> Email Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.004"> <a href="/versions/v9/techniques/T1087/004/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1010"> <a href="/versions/v9/techniques/T1010/"> Application Window Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1217"> <a href="/versions/v9/techniques/T1217/"> Browser Bookmark Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1580"> <a href="/versions/v9/techniques/T1580/"> Cloud Infrastructure Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1538"> <a href="/versions/v9/techniques/T1538/"> Cloud Service Dashboard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1526"> <a href="/versions/v9/techniques/T1526/"> Cloud Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1613"> <a href="/versions/v9/techniques/T1613/"> Container and Resource Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1482"> <a href="/versions/v9/techniques/T1482/"> Domain Trust Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1083"> <a href="/versions/v9/techniques/T1083/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1046"> <a href="/versions/v9/techniques/T1046/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1135"> <a href="/versions/v9/techniques/T1135/"> Network Share Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1201"> <a href="/versions/v9/techniques/T1201/"> Password Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1120"> <a href="/versions/v9/techniques/T1120/"> Peripheral Device Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069"> <a href="/versions/v9/techniques/T1069/"> Permission Groups Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1069-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1069-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1069-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1069-body" aria-labelledby="enterprise-TA0007-T1069-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.001"> <a href="/versions/v9/techniques/T1069/001/"> Local Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.002"> <a href="/versions/v9/techniques/T1069/002/"> Domain Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.003"> <a href="/versions/v9/techniques/T1069/003/"> Cloud Groups </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1057"> <a href="/versions/v9/techniques/T1057/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1012"> <a href="/versions/v9/techniques/T1012/"> Query Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1018"> <a href="/versions/v9/techniques/T1018/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518"> <a href="/versions/v9/techniques/T1518/"> Software Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1518-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1518-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1518-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1518-body" aria-labelledby="enterprise-TA0007-T1518-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1518-T1518.001"> <a href="/versions/v9/techniques/T1518/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1082"> <a href="/versions/v9/techniques/T1082/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1614"> <a href="/versions/v9/techniques/T1614/"> System Location Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016"> <a href="/versions/v9/techniques/T1016/"> System Network Configuration Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1016-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1016-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1016-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1016-body" aria-labelledby="enterprise-TA0007-T1016-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1016-T1016.001"> <a href="/versions/v9/techniques/T1016/001/"> Internet Connection Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1049"> <a href="/versions/v9/techniques/T1049/"> System Network Connections Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1033"> <a href="/versions/v9/techniques/T1033/"> System Owner/User Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1007"> <a href="/versions/v9/techniques/T1007/"> System Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1124"> <a href="/versions/v9/techniques/T1124/"> System Time Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497"> <a href="/versions/v9/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1497-body" aria-labelledby="enterprise-TA0007-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008"> <a href="/versions/v9/tactics/TA0008"> Lateral Movement </a> <div class="expand-button collapsed" id="enterprise-TA0008-header" data-toggle="collapse" data-target="#enterprise-TA0008-body" aria-expanded="false" aria-controls="#enterprise-TA0008-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-body" aria-labelledby="enterprise-TA0008-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1210"> <a href="/versions/v9/techniques/T1210/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1534"> <a href="/versions/v9/techniques/T1534/"> Internal Spearphishing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1570"> <a href="/versions/v9/techniques/T1570/"> Lateral Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563"> <a href="/versions/v9/techniques/T1563/"> Remote Service Session Hijacking </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1563-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1563-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1563-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1563-body" aria-labelledby="enterprise-TA0008-T1563-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.001"> <a href="/versions/v9/techniques/T1563/001/"> SSH Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.002"> <a href="/versions/v9/techniques/T1563/002/"> RDP Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021"> <a href="/versions/v9/techniques/T1021/"> Remote Services </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1021-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1021-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1021-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1021-body" aria-labelledby="enterprise-TA0008-T1021-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.001"> <a href="/versions/v9/techniques/T1021/001/"> Remote Desktop Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.002"> <a href="/versions/v9/techniques/T1021/002/"> SMB/Windows Admin Shares </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.003"> <a href="/versions/v9/techniques/T1021/003/"> Distributed Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.004"> <a href="/versions/v9/techniques/T1021/004/"> SSH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.005"> <a href="/versions/v9/techniques/T1021/005/"> VNC </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.006"> <a href="/versions/v9/techniques/T1021/006/"> Windows Remote Management </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1080"> <a href="/versions/v9/techniques/T1080/"> Taint Shared Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1550-body" aria-labelledby="enterprise-TA0008-T1550-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009"> <a href="/versions/v9/tactics/TA0009"> Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-header" data-toggle="collapse" data-target="#enterprise-TA0009-body" aria-expanded="false" aria-controls="#enterprise-TA0009-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-body" aria-labelledby="enterprise-TA0009-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560"> <a href="/versions/v9/techniques/T1560/"> Archive Collected Data </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1560-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1560-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1560-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1560-body" aria-labelledby="enterprise-TA0009-T1560-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.001"> <a href="/versions/v9/techniques/T1560/001/"> Archive via Utility </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.002"> <a href="/versions/v9/techniques/T1560/002/"> Archive via Library </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.003"> <a href="/versions/v9/techniques/T1560/003/"> Archive via Custom Method </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1123"> <a href="/versions/v9/techniques/T1123/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1119"> <a href="/versions/v9/techniques/T1119/"> Automated Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1115"> <a href="/versions/v9/techniques/T1115/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1530"> <a href="/versions/v9/techniques/T1530/"> Data from Cloud Storage Object </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602"> <a href="/versions/v9/techniques/T1602/"> Data from Configuration Repository </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1602-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1602-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1602-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1602-body" aria-labelledby="enterprise-TA0009-T1602-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.001"> <a href="/versions/v9/techniques/T1602/001/"> SNMP (MIB Dump) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.002"> <a href="/versions/v9/techniques/T1602/002/"> Network Device Configuration Dump </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213"> <a href="/versions/v9/techniques/T1213/"> Data from Information Repositories </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1213-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1213-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1213-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1213-body" aria-labelledby="enterprise-TA0009-T1213-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.001"> <a href="/versions/v9/techniques/T1213/001/"> Confluence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.002"> <a href="/versions/v9/techniques/T1213/002/"> Sharepoint </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1005"> <a href="/versions/v9/techniques/T1005/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1039"> <a href="/versions/v9/techniques/T1039/"> Data from Network Shared Drive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1025"> <a href="/versions/v9/techniques/T1025/"> Data from Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1074"> <a href="/versions/v9/techniques/T1074/"> Data Staged </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1074-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1074-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1074-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1074-body" aria-labelledby="enterprise-TA0009-T1074-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1074-T1074.001"> <a href="/versions/v9/techniques/T1074/001/"> Local Data Staging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1074-T1074.002"> <a href="/versions/v9/techniques/T1074/002/"> Remote Data Staging </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1114"> <a href="/versions/v9/techniques/T1114/"> Email Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1114-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1114-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1114-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1114-body" aria-labelledby="enterprise-TA0009-T1114-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.001"> <a href="/versions/v9/techniques/T1114/001/"> Local Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.002"> <a href="/versions/v9/techniques/T1114/002/"> Remote Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.003"> <a href="/versions/v9/techniques/T1114/003/"> Email Forwarding Rule </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1056-body" aria-labelledby="enterprise-TA0009-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.004"> <a href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1185"> <a href="/versions/v9/techniques/T1185/"> Man in the Browser </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1557-body" aria-labelledby="enterprise-TA0009-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1113"> <a href="/versions/v9/techniques/T1113/"> Screen Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1125"> <a href="/versions/v9/techniques/T1125/"> Video Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011"> <a href="/versions/v9/tactics/TA0011"> Command and Control </a> <div class="expand-button collapsed" id="enterprise-TA0011-header" data-toggle="collapse" data-target="#enterprise-TA0011-body" aria-expanded="false" aria-controls="#enterprise-TA0011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-body" aria-labelledby="enterprise-TA0011-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1071"> <a href="/versions/v9/techniques/T1071/"> Application Layer Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1071-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1071-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1071-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1071-body" aria-labelledby="enterprise-TA0011-T1071-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.001"> <a href="/versions/v9/techniques/T1071/001/"> Web Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.002"> <a href="/versions/v9/techniques/T1071/002/"> File Transfer Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.003"> <a href="/versions/v9/techniques/T1071/003/"> Mail Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.004"> <a href="/versions/v9/techniques/T1071/004/"> DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1092"> <a href="/versions/v9/techniques/T1092/"> Communication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1132"> <a href="/versions/v9/techniques/T1132/"> Data Encoding </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1132-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1132-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1132-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1132-body" aria-labelledby="enterprise-TA0011-T1132-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1132-T1132.001"> <a href="/versions/v9/techniques/T1132/001/"> Standard Encoding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1132-T1132.002"> <a href="/versions/v9/techniques/T1132/002/"> Non-Standard Encoding </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1001"> <a href="/versions/v9/techniques/T1001/"> Data Obfuscation </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1001-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1001-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1001-body" aria-labelledby="enterprise-TA0011-T1001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.001"> <a href="/versions/v9/techniques/T1001/001/"> Junk Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.002"> <a href="/versions/v9/techniques/T1001/002/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.003"> <a href="/versions/v9/techniques/T1001/003/"> Protocol Impersonation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1568"> <a href="/versions/v9/techniques/T1568/"> Dynamic Resolution </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1568-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1568-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1568-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1568-body" aria-labelledby="enterprise-TA0011-T1568-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.001"> <a href="/versions/v9/techniques/T1568/001/"> Fast Flux DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.002"> <a href="/versions/v9/techniques/T1568/002/"> Domain Generation Algorithms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.003"> <a href="/versions/v9/techniques/T1568/003/"> DNS Calculation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1573"> <a href="/versions/v9/techniques/T1573/"> Encrypted Channel </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1573-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1573-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1573-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1573-body" aria-labelledby="enterprise-TA0011-T1573-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.001"> <a href="/versions/v9/techniques/T1573/001/"> Symmetric Cryptography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.002"> <a href="/versions/v9/techniques/T1573/002/"> Asymmetric Cryptography </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1008"> <a href="/versions/v9/techniques/T1008/"> Fallback Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1105"> <a href="/versions/v9/techniques/T1105/"> Ingress Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1104"> <a href="/versions/v9/techniques/T1104/"> Multi-Stage Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1095"> <a href="/versions/v9/techniques/T1095/"> Non-Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1571"> <a href="/versions/v9/techniques/T1571/"> Non-Standard Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1572"> <a href="/versions/v9/techniques/T1572/"> Protocol Tunneling </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1090"> <a href="/versions/v9/techniques/T1090/"> Proxy </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1090-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1090-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1090-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1090-body" aria-labelledby="enterprise-TA0011-T1090-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.001"> <a href="/versions/v9/techniques/T1090/001/"> Internal Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.002"> <a href="/versions/v9/techniques/T1090/002/"> External Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.003"> <a href="/versions/v9/techniques/T1090/003/"> Multi-hop Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.004"> <a href="/versions/v9/techniques/T1090/004/"> Domain Fronting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1219"> <a href="/versions/v9/techniques/T1219/"> Remote Access Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1205-body" aria-labelledby="enterprise-TA0011-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1102"> <a href="/versions/v9/techniques/T1102/"> Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1102-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1102-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1102-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1102-body" aria-labelledby="enterprise-TA0011-T1102-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.001"> <a href="/versions/v9/techniques/T1102/001/"> Dead Drop Resolver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.002"> <a href="/versions/v9/techniques/T1102/002/"> Bidirectional Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.003"> <a href="/versions/v9/techniques/T1102/003/"> One-Way Communication </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010"> <a href="/versions/v9/tactics/TA0010"> Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-header" data-toggle="collapse" data-target="#enterprise-TA0010-body" aria-expanded="false" aria-controls="#enterprise-TA0010-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-body" aria-labelledby="enterprise-TA0010-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1020"> <a href="/versions/v9/techniques/T1020/"> Automated Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1020-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1020-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1020-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1020-body" aria-labelledby="enterprise-TA0010-T1020-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1020-T1020.001"> <a href="/versions/v9/techniques/T1020/001/"> Traffic Duplication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1030"> <a href="/versions/v9/techniques/T1030/"> Data Transfer Size Limits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1048"> <a href="/versions/v9/techniques/T1048/"> Exfiltration Over Alternative Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1048-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1048-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1048-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1048-body" aria-labelledby="enterprise-TA0010-T1048-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.001"> <a href="/versions/v9/techniques/T1048/001/"> Exfiltration Over Symmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.002"> <a href="/versions/v9/techniques/T1048/002/"> Exfiltration Over Asymmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.003"> <a href="/versions/v9/techniques/T1048/003/"> Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1041"> <a href="/versions/v9/techniques/T1041/"> Exfiltration Over C2 Channel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1011"> <a href="/versions/v9/techniques/T1011/"> Exfiltration Over Other Network Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1011-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1011-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1011-body" aria-labelledby="enterprise-TA0010-T1011-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1011-T1011.001"> <a href="/versions/v9/techniques/T1011/001/"> Exfiltration Over Bluetooth </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1052"> <a href="/versions/v9/techniques/T1052/"> Exfiltration Over Physical Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1052-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1052-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1052-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1052-body" aria-labelledby="enterprise-TA0010-T1052-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1052-T1052.001"> <a href="/versions/v9/techniques/T1052/001/"> Exfiltration over USB </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1567"> <a href="/versions/v9/techniques/T1567/"> Exfiltration Over Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1567-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1567-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1567-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1567-body" aria-labelledby="enterprise-TA0010-T1567-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1567-T1567.001"> <a href="/versions/v9/techniques/T1567/001/"> Exfiltration to Code Repository </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1567-T1567.002"> <a href="/versions/v9/techniques/T1567/002/"> Exfiltration to Cloud Storage </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1029"> <a href="/versions/v9/techniques/T1029/"> Scheduled Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1537"> <a href="/versions/v9/techniques/T1537/"> Transfer Data to Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040"> <a href="/versions/v9/tactics/TA0040"> Impact </a> <div class="expand-button collapsed" id="enterprise-TA0040-header" data-toggle="collapse" data-target="#enterprise-TA0040-body" aria-expanded="false" aria-controls="#enterprise-TA0040-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-body" aria-labelledby="enterprise-TA0040-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1531"> <a href="/versions/v9/techniques/T1531/"> Account Access Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1485"> <a href="/versions/v9/techniques/T1485/"> Data Destruction </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1486"> <a href="/versions/v9/techniques/T1486/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1565"> <a href="/versions/v9/techniques/T1565/"> Data Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1565-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1565-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1565-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1565-body" aria-labelledby="enterprise-TA0040-T1565-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.001"> <a href="/versions/v9/techniques/T1565/001/"> Stored Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.002"> <a href="/versions/v9/techniques/T1565/002/"> Transmitted Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.003"> <a href="/versions/v9/techniques/T1565/003/"> Runtime Data Manipulation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1491"> <a href="/versions/v9/techniques/T1491/"> Defacement </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1491-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1491-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1491-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1491-body" aria-labelledby="enterprise-TA0040-T1491-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1491-T1491.001"> <a href="/versions/v9/techniques/T1491/001/"> Internal Defacement </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1491-T1491.002"> <a href="/versions/v9/techniques/T1491/002/"> External Defacement </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1561"> <a href="/versions/v9/techniques/T1561/"> Disk Wipe </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1561-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1561-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1561-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1561-body" aria-labelledby="enterprise-TA0040-T1561-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1561-T1561.001"> <a href="/versions/v9/techniques/T1561/001/"> Disk Content Wipe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1561-T1561.002"> <a href="/versions/v9/techniques/T1561/002/"> Disk Structure Wipe </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1499"> <a href="/versions/v9/techniques/T1499/"> Endpoint Denial of Service </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1499-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1499-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1499-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1499-body" aria-labelledby="enterprise-TA0040-T1499-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.001"> <a href="/versions/v9/techniques/T1499/001/"> OS Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.002"> <a href="/versions/v9/techniques/T1499/002/"> Service Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.003"> <a href="/versions/v9/techniques/T1499/003/"> Application Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.004"> <a href="/versions/v9/techniques/T1499/004/"> Application or System Exploitation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1495"> <a href="/versions/v9/techniques/T1495/"> Firmware Corruption </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1490"> <a href="/versions/v9/techniques/T1490/"> Inhibit System Recovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1498"> <a href="/versions/v9/techniques/T1498/"> Network Denial of Service </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1498-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1498-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1498-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1498-body" aria-labelledby="enterprise-TA0040-T1498-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1498-T1498.001"> <a href="/versions/v9/techniques/T1498/001/"> Direct Network Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1498-T1498.002"> <a href="/versions/v9/techniques/T1498/002/"> Reflection Amplification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1496"> <a href="/versions/v9/techniques/T1496/"> Resource Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1489"> <a href="/versions/v9/techniques/T1489/"> Service Stop </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1529"> <a href="/versions/v9/techniques/T1529/"> System Shutdown/Reboot </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile"> <a href="/versions/v9/techniques/mobile/"> Mobile </a> <div class="expand-button collapsed" id="mobile-header" data-toggle="collapse" data-target="#mobile-body" aria-expanded="false" aria-controls="#mobile-body"></div> </div> <div class="sidenav-body collapse" id="mobile-body" aria-labelledby="mobile-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027"> <a href="/versions/v9/tactics/TA0027"> Initial Access </a> <div class="expand-button collapsed" id="mobile-TA0027-header" data-toggle="collapse" data-target="#mobile-TA0027-body" aria-expanded="false" aria-controls="#mobile-TA0027-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0027-body" aria-labelledby="mobile-TA0027-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1475"> <a href="/versions/v9/techniques/T1475/"> Deliver Malicious App via Authorized App Store </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1476"> <a href="/versions/v9/techniques/T1476/"> Deliver Malicious App via Other Means </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1456"> <a href="/versions/v9/techniques/T1456/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1458"> <a href="/versions/v9/techniques/T1458/"> Exploit via Charging Station or PC </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1477"> <a href="/versions/v9/techniques/T1477/"> Exploit via Radio Interfaces </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1478"> <a href="/versions/v9/techniques/T1478/"> Install Insecure or Malicious Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1461"> <a href="/versions/v9/techniques/T1461/"> Lockscreen Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1444"> <a href="/versions/v9/techniques/T1444/"> Masquerade as Legitimate Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1474"> <a href="/versions/v9/techniques/T1474/"> Supply Chain Compromise </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0041"> <a href="/versions/v9/tactics/TA0041"> Execution </a> <div class="expand-button collapsed" id="mobile-TA0041-header" data-toggle="collapse" data-target="#mobile-TA0041-body" aria-expanded="false" aria-controls="#mobile-TA0041-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0041-body" aria-labelledby="mobile-TA0041-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1402"> <a href="/versions/v9/techniques/T1402/"> Broadcast Receivers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1605"> <a href="/versions/v9/techniques/T1605/"> Command-Line Interface </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1575"> <a href="/versions/v9/techniques/T1575/"> Native Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1603"> <a href="/versions/v9/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028"> <a href="/versions/v9/tactics/TA0028"> Persistence </a> <div class="expand-button collapsed" id="mobile-TA0028-header" data-toggle="collapse" data-target="#mobile-TA0028-body" aria-expanded="false" aria-controls="#mobile-TA0028-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0028-body" aria-labelledby="mobile-TA0028-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1402"> <a href="/versions/v9/techniques/T1402/"> Broadcast Receivers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1577"> <a href="/versions/v9/techniques/T1577/"> Compromise Application Executable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1541"> <a href="/versions/v9/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1403"> <a href="/versions/v9/techniques/T1403/"> Modify Cached Executable Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1398"> <a href="/versions/v9/techniques/T1398/"> Modify OS Kernel or Boot Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1399"> <a href="/versions/v9/techniques/T1399/"> Modify Trusted Execution Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1603"> <a href="/versions/v9/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0029"> <a href="/versions/v9/tactics/TA0029"> Privilege Escalation </a> <div class="expand-button collapsed" id="mobile-TA0029-header" data-toggle="collapse" data-target="#mobile-TA0029-body" aria-expanded="false" aria-controls="#mobile-TA0029-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0029-body" aria-labelledby="mobile-TA0029-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1401"> <a href="/versions/v9/techniques/T1401/"> Device Administrator Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1404"> <a href="/versions/v9/techniques/T1404/"> Exploit OS Vulnerability </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1405"> <a href="/versions/v9/techniques/T1405/"> Exploit TEE Vulnerability </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030"> <a href="/versions/v9/tactics/TA0030"> Defense Evasion </a> <div class="expand-button collapsed" id="mobile-TA0030-header" data-toggle="collapse" data-target="#mobile-TA0030-body" aria-expanded="false" aria-controls="#mobile-TA0030-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-body" aria-labelledby="mobile-TA0030-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1418"> <a href="/versions/v9/techniques/T1418/"> Application Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1447"> <a href="/versions/v9/techniques/T1447/"> Delete Device Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1446"> <a href="/versions/v9/techniques/T1446/"> Device Lockout </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1408"> <a href="/versions/v9/techniques/T1408/"> Disguise Root/Jailbreak Indicators </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1407"> <a href="/versions/v9/techniques/T1407/"> Download New Code at Runtime </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1523"> <a href="/versions/v9/techniques/T1523/"> Evade Analysis Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1581"> <a href="/versions/v9/techniques/T1581/"> Geofencing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1516"> <a href="/versions/v9/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1478"> <a href="/versions/v9/techniques/T1478/"> Install Insecure or Malicious Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1444"> <a href="/versions/v9/techniques/T1444/"> Masquerade as Legitimate Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1398"> <a href="/versions/v9/techniques/T1398/"> Modify OS Kernel or Boot Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1399"> <a href="/versions/v9/techniques/T1399/"> Modify Trusted Execution Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1575"> <a href="/versions/v9/techniques/T1575/"> Native Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1406"> <a href="/versions/v9/techniques/T1406/"> Obfuscated Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1604"> <a href="/versions/v9/techniques/T1604/"> Proxy Through Victim </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1508"> <a href="/versions/v9/techniques/T1508/"> Suppress Application Icon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1576"> <a href="/versions/v9/techniques/T1576/"> Uninstall Malicious Application </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031"> <a href="/versions/v9/tactics/TA0031"> Credential Access </a> <div class="expand-button collapsed" id="mobile-TA0031-header" data-toggle="collapse" data-target="#mobile-TA0031-body" aria-expanded="false" aria-controls="#mobile-TA0031-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-body" aria-labelledby="mobile-TA0031-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1517"> <a href="/versions/v9/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1413"> <a href="/versions/v9/techniques/T1413/"> Access Sensitive Data in Device Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1409"> <a href="/versions/v9/techniques/T1409/"> Access Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1414"> <a href="/versions/v9/techniques/T1414/"> Capture Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1412"> <a href="/versions/v9/techniques/T1412/"> Capture SMS Messages </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1405"> <a href="/versions/v9/techniques/T1405/"> Exploit TEE Vulnerability </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1417"> <a href="/versions/v9/techniques/T1417/"> Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1411"> <a href="/versions/v9/techniques/T1411/"> Input Prompt </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1579"> <a href="/versions/v9/techniques/T1579/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1410"> <a href="/versions/v9/techniques/T1410/"> Network Traffic Capture or Redirection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1416"> <a href="/versions/v9/techniques/T1416/"> URI Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032"> <a href="/versions/v9/tactics/TA0032"> Discovery </a> <div class="expand-button collapsed" id="mobile-TA0032-header" data-toggle="collapse" data-target="#mobile-TA0032-body" aria-expanded="false" aria-controls="#mobile-TA0032-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-body" aria-labelledby="mobile-TA0032-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1418"> <a href="/versions/v9/techniques/T1418/"> Application Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1523"> <a href="/versions/v9/techniques/T1523/"> Evade Analysis Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1420"> <a href="/versions/v9/techniques/T1420/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1430"> <a href="/versions/v9/techniques/T1430/"> Location Tracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1423"> <a href="/versions/v9/techniques/T1423/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1424"> <a href="/versions/v9/techniques/T1424/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1426"> <a href="/versions/v9/techniques/T1426/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1422"> <a href="/versions/v9/techniques/T1422/"> System Network Configuration Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1421"> <a href="/versions/v9/techniques/T1421/"> System Network Connections Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033"> <a href="/versions/v9/tactics/TA0033"> Lateral Movement </a> <div class="expand-button collapsed" id="mobile-TA0033-header" data-toggle="collapse" data-target="#mobile-TA0033-body" aria-expanded="false" aria-controls="#mobile-TA0033-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0033-body" aria-labelledby="mobile-TA0033-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0033-T1427"> <a href="/versions/v9/techniques/T1427/"> Attack PC via USB Connection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0033-T1428"> <a href="/versions/v9/techniques/T1428/"> Exploit Enterprise Resources </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035"> <a href="/versions/v9/tactics/TA0035"> Collection </a> <div class="expand-button collapsed" id="mobile-TA0035-header" data-toggle="collapse" data-target="#mobile-TA0035-body" aria-expanded="false" aria-controls="#mobile-TA0035-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-body" aria-labelledby="mobile-TA0035-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1435"> <a href="/versions/v9/techniques/T1435/"> Access Calendar Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1433"> <a href="/versions/v9/techniques/T1433/"> Access Call Log </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1432"> <a href="/versions/v9/techniques/T1432/"> Access Contact List </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1517"> <a href="/versions/v9/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1413"> <a href="/versions/v9/techniques/T1413/"> Access Sensitive Data in Device Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1409"> <a href="/versions/v9/techniques/T1409/"> Access Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1429"> <a href="/versions/v9/techniques/T1429/"> Capture Audio </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1512"> <a href="/versions/v9/techniques/T1512/"> Capture Camera </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1414"> <a href="/versions/v9/techniques/T1414/"> Capture Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1412"> <a href="/versions/v9/techniques/T1412/"> Capture SMS Messages </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1533"> <a href="/versions/v9/techniques/T1533/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1541"> <a href="/versions/v9/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1417"> <a href="/versions/v9/techniques/T1417/"> Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1430"> <a href="/versions/v9/techniques/T1430/"> Location Tracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1507"> <a href="/versions/v9/techniques/T1507/"> Network Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1410"> <a href="/versions/v9/techniques/T1410/"> Network Traffic Capture or Redirection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1513"> <a href="/versions/v9/techniques/T1513/"> Screen Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037"> <a href="/versions/v9/tactics/TA0037"> Command and Control </a> <div class="expand-button collapsed" id="mobile-TA0037-header" data-toggle="collapse" data-target="#mobile-TA0037-body" aria-expanded="false" aria-controls="#mobile-TA0037-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-body" aria-labelledby="mobile-TA0037-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1438"> <a href="/versions/v9/techniques/T1438/"> Alternate Network Mediums </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1436"> <a href="/versions/v9/techniques/T1436/"> Commonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1520"> <a href="/versions/v9/techniques/T1520/"> Domain Generation Algorithms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1544"> <a href="/versions/v9/techniques/T1544/"> Remote File Copy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1437"> <a href="/versions/v9/techniques/T1437/"> Standard Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1521"> <a href="/versions/v9/techniques/T1521/"> Standard Cryptographic Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1509"> <a href="/versions/v9/techniques/T1509/"> Uncommonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1481"> <a href="/versions/v9/techniques/T1481/"> Web Service </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036"> <a href="/versions/v9/tactics/TA0036"> Exfiltration </a> <div class="expand-button collapsed" id="mobile-TA0036-header" data-toggle="collapse" data-target="#mobile-TA0036-body" aria-expanded="false" aria-controls="#mobile-TA0036-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0036-body" aria-labelledby="mobile-TA0036-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1438"> <a href="/versions/v9/techniques/T1438/"> Alternate Network Mediums </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1436"> <a href="/versions/v9/techniques/T1436/"> Commonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1532"> <a href="/versions/v9/techniques/T1532/"> Data Encrypted </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1437"> <a href="/versions/v9/techniques/T1437/"> Standard Application Layer Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034"> <a href="/versions/v9/tactics/TA0034"> Impact </a> <div class="expand-button collapsed" id="mobile-TA0034-header" data-toggle="collapse" data-target="#mobile-TA0034-body" aria-expanded="false" aria-controls="#mobile-TA0034-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0034-body" aria-labelledby="mobile-TA0034-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1448"> <a href="/versions/v9/techniques/T1448/"> Carrier Billing Fraud </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1510"> <a href="/versions/v9/techniques/T1510/"> Clipboard Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1471"> <a href="/versions/v9/techniques/T1471/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1447"> <a href="/versions/v9/techniques/T1447/"> Delete Device Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1446"> <a href="/versions/v9/techniques/T1446/"> Device Lockout </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1472"> <a href="/versions/v9/techniques/T1472/"> Generate Fraudulent Advertising Revenue </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1516"> <a href="/versions/v9/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1452"> <a href="/versions/v9/techniques/T1452/"> Manipulate App Store Rankings or Ratings </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1582"> <a href="/versions/v9/techniques/T1582/"> SMS Control </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0038"> <a href="/versions/v9/tactics/TA0038"> Network Effects </a> <div class="expand-button collapsed" id="mobile-TA0038-header" data-toggle="collapse" data-target="#mobile-TA0038-body" aria-expanded="false" aria-controls="#mobile-TA0038-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0038-body" aria-labelledby="mobile-TA0038-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1466"> <a href="/versions/v9/techniques/T1466/"> Downgrade to Insecure Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1439"> <a href="/versions/v9/techniques/T1439/"> Eavesdrop on Insecure Network Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1449"> <a href="/versions/v9/techniques/T1449/"> Exploit SS7 to Redirect Phone Calls/SMS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1450"> <a href="/versions/v9/techniques/T1450/"> Exploit SS7 to Track Device Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1464"> <a href="/versions/v9/techniques/T1464/"> Jamming or Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1463"> <a href="/versions/v9/techniques/T1463/"> Manipulate Device Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1467"> <a href="/versions/v9/techniques/T1467/"> Rogue Cellular Base Station </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1465"> <a href="/versions/v9/techniques/T1465/"> Rogue Wi-Fi Access Points </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1451"> <a href="/versions/v9/techniques/T1451/"> SIM Card Swap </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0039"> <a href="/versions/v9/tactics/TA0039"> Remote Service Effects </a> <div class="expand-button collapsed" id="mobile-TA0039-header" data-toggle="collapse" data-target="#mobile-TA0039-body" aria-expanded="false" aria-controls="#mobile-TA0039-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0039-body" aria-labelledby="mobile-TA0039-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1470"> <a href="/versions/v9/techniques/T1470/"> Obtain Device Cloud Backups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1468"> <a href="/versions/v9/techniques/T1468/"> Remotely Track Device Without Authorization </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1469"> <a href="/versions/v9/techniques/T1469/"> Remotely Wipe Data Without Authorization </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item">Deobfuscate/Decode Files or Information</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Deobfuscate/Decode Files or Information </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Adversaries may use <a href="/versions/v9/techniques/T1027">Obfuscated Files or Information</a> to hide artifacts of an intrusion from analysis. They may require separate mechanisms to decode or deobfuscate that information depending on how they intend to use it. Methods for doing that include built-in functionality of malware or by using utilities present on the system.</p><p>One such example is use of <a href="/versions/v9/software/S0160">certutil</a> to decode a remote access tool portable executable file that has been hidden inside a certificate file. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Malwarebytes Targeted Attack against Saudi Arabia"><sup><a href="https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> Another example is using the Windows <code>copy /b</code> command to reassemble binary fragments into a malicious payload. <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="Carbon Black Obfuscation Sept 2016"><sup><a href="https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p><p>Sometimes a user's action may be required to open it for deobfuscation or decryption as part of <a href="/versions/v9/techniques/T1204">User Execution</a>. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Volexity PowerDuke November 2016"><sup><a href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1140 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques:&nbsp;</span> No sub-techniques </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/versions/v9/tactics/TA0005">Defense Evasion</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The lowest level of permissions the adversary is required to be operating within to perform the (sub-)technique on a system">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Permissions Required:&nbsp;</span>User </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Source of information collected by a sensor or logging system that may be used to collect information relevant to identifying the action being performed, sequence of actions, or the results of those actions by an adversary">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Data Sources:&nbsp;</span><a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/file.yml'>File</a>: File Modification, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/process.yml'>Process</a>: Process Creation, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/script.yml'>Script</a>: Script Execution </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="If the (sub-)technique can be used to bypass or evade a particular defensive tool, methodology, or process">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Defense Bypassed:&nbsp;</span>Anti-virus, Host intrusion prevention systems, Network intrusion detection system, Signature-based detection </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>Matthew Demaske, Adaptforward; Red Canary </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.1 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>14 December 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>09 July 2020 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1140" href="/versions/v9/techniques/T1140/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1140" href="/techniques/T1140/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/software/S0469"> S0469 </a> </td> <td> <a href="/versions/v9/software/S0469"> ABK </a> </td> <td> <p><a href="/versions/v9/software/S0469">ABK</a> has the ability to decrypt AES encrypted payloads.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0331"> S0331 </a> </td> <td> <a href="/versions/v9/software/S0331"> Agent Tesla </a> </td> <td> <p><a href="/versions/v9/software/S0331">Agent Tesla</a> has the ability to decrypt strings encrypted with the Rijndael symmetric encryption algorithm.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="Malwarebytes Agent Tesla April 2020"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0584"> S0584 </a> </td> <td> <a href="/versions/v9/software/S0584"> AppleJeus </a> </td> <td> <p><a href="/versions/v9/software/S0584">AppleJeus</a> has decoded files received from a C2.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="CISA AppleJeus Feb 2021"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0073"> G0073 </a> </td> <td> <a href="/versions/v9/groups/G0073"> APT19 </a> </td> <td> <p>An <a href="/versions/v9/groups/G0073">APT19</a> HTTP malware variant decrypts strings using single-byte XOR keys.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Unit 42 C0d0so0 Jan 2016"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0007"> G0007 </a> </td> <td> <a href="/versions/v9/groups/G0007"> APT28 </a> </td> <td> <p>An <a href="/versions/v9/groups/G0007">APT28</a> macro uses the command <code>certutil -decode</code> to decode contents of a .txt file storing the base64 encoded payload.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0016"> G0016 </a> </td> <td> <a href="/versions/v9/groups/G0016"> APT29 </a> </td> <td> <p><a href="/versions/v9/groups/G0016">APT29</a> used 7-Zip to decode its <a href="/versions/v9/software/S0565">Raindrop</a> malware.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Symantec RAINDROP January 2021"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0087"> G0087 </a> </td> <td> <a href="/versions/v9/groups/G0087"> APT39 </a> </td> <td> <p><a href="/versions/v9/groups/G0087">APT39</a> has used malware to decrypt encrypted CAB files.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="FBI FLASH APT39 September 2020"><sup><a href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0456"> S0456 </a> </td> <td> <a href="/versions/v9/software/S0456"> Aria-body </a> </td> <td> <p><a href="/versions/v9/software/S0456">Aria-body</a> has the ability to decrypt the loader configuration and payload DLL.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="CheckPoint Naikon May 2020"><sup><a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0373"> S0373 </a> </td> <td> <a href="/versions/v9/software/S0373"> Astaroth </a> </td> <td> <p><a href="/versions/v9/software/S0373">Astaroth</a> uses a fromCharCode() deobfuscation method to avoid explicitly writing execution commands and to hide its code. <span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="Cybereason Astaroth Feb 2019"><sup><a href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Securelist Brazilian Banking Malware July 2020"><sup><a href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0347"> S0347 </a> </td> <td> <a href="/versions/v9/software/S0347"> AuditCred </a> </td> <td> <p><a href="/versions/v9/software/S0347">AuditCred</a> uses XOR and RC4 to perform decryption on the code functions.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="TrendMicro Lazarus Nov 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0473"> S0473 </a> </td> <td> <a href="/versions/v9/software/S0473"> Avenger </a> </td> <td> <p><a href="/versions/v9/software/S0473">Avenger</a> has the ability to decrypt files downloaded from C2.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0344"> S0344 </a> </td> <td> <a href="/versions/v9/software/S0344"> Azorult </a> </td> <td> <p><a href="/versions/v9/software/S0344">Azorult</a> uses an XOR key to decrypt content and uses Base64 to decode the C2 address.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="Unit42 Azorult Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="Proofpoint Azorult July 2018"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0414"> S0414 </a> </td> <td> <a href="/versions/v9/software/S0414"> BabyShark </a> </td> <td> <p><a href="/versions/v9/software/S0414">BabyShark</a> has the ability to decode downloaded files prior to execution.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="CISA AA20-301A Kimsuky"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0475"> S0475 </a> </td> <td> <a href="/versions/v9/software/S0475"> BackConfig </a> </td> <td> <p><a href="/versions/v9/software/S0475">BackConfig</a> has used a custom routine to decrypt strings.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Unit 42 BackConfig May 2020"><sup><a href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0239"> S0239 </a> </td> <td> <a href="/versions/v9/software/S0239"> Bankshot </a> </td> <td> <p><a href="/versions/v9/software/S0239">Bankshot</a> decodes embedded XOR strings.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" data-reference="US-CERT Bankshot Dec 2017"><sup><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0534"> S0534 </a> </td> <td> <a href="/versions/v9/software/S0534"> Bazar </a> </td> <td> <p><a href="/versions/v9/software/S0534">Bazar</a> can decrypt downloaded payloads. <a href="/versions/v9/software/S0534">Bazar</a> also resolves strings and API calls at runtime.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="Cybereason Bazar July 2020"><sup><a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" data-reference="NCC Group Team9 June 2020"><sup><a href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0470"> S0470 </a> </td> <td> <a href="/versions/v9/software/S0470"> BBK </a> </td> <td> <p><a href="/versions/v9/software/S0470">BBK</a> has the ability to decrypt AES encrypted payloads.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0127"> S0127 </a> </td> <td> <a href="/versions/v9/software/S0127"> BBSRAT </a> </td> <td> <p><a href="/versions/v9/software/S0127">BBSRAT</a> uses <a href="/versions/v9/software/S0361">Expand</a> to decompress a CAB file into executable content.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="Palo Alto Networks BBSRAT"><sup><a href="http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0574"> S0574 </a> </td> <td> <a href="/versions/v9/software/S0574"> BendyBear </a> </td> <td> <p><a href="/versions/v9/software/S0574">BendyBear</a> has decrypted function blocks using a XOR key during runtime to evade detection.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="Unit42 BendyBear Feb 2021"><sup><a href="https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0268"> S0268 </a> </td> <td> <a href="/versions/v9/software/S0268"> Bisonal </a> </td> <td> <p><a href="/versions/v9/software/S0268">Bisonal</a> decodes strings in the malware using XOR and RC4.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" data-reference="Unit 42 Bisonal July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0520"> S0520 </a> </td> <td> <a href="/versions/v9/software/S0520"> BLINDINGCAN </a> </td> <td> <p><a href="/versions/v9/software/S0520">BLINDINGCAN</a> has used AES and XOR to decrypt its DLLs.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="US-CERT BLINDINGCAN Aug 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0415"> S0415 </a> </td> <td> <a href="/versions/v9/software/S0415"> BOOSTWRITE </a> </td> <td> <p><a href="/versions/v9/software/S0415">BOOSTWRITE</a> has used a a 32-byte long multi-XOR key to decode data inside its payload.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="FireEye FIN7 Oct 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0060"> G0060 </a> </td> <td> <a href="/versions/v9/groups/G0060"> BRONZE BUTLER </a> </td> <td> <p><a href="/versions/v9/groups/G0060">BRONZE BUTLER</a> downloads encoded payloads and decodes them on the victim.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" data-reference="Secureworks BRONZE BUTLER Oct 2017"><sup><a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0482"> S0482 </a> </td> <td> <a href="/versions/v9/software/S0482"> Bundlore </a> </td> <td> <p><a href="/versions/v9/software/S0482">Bundlore</a> has used <code>openssl</code> to decrypt AES encrypted payload data. <a href="/versions/v9/software/S0482">Bundlore</a> has also used base64 and RC4 with a hardcoded key to deobfuscate data.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" data-reference="MacKeeper Bundlore Apr 2019"><sup><a href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0335"> S0335 </a> </td> <td> <a href="/versions/v9/software/S0335"> Carbon </a> </td> <td> <p><a href="/versions/v9/software/S0335">Carbon</a> decrypts task and configuration files for execution.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" data-reference="ESET Carbon Mar 2017"><sup><a href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" data-reference="Accenture HyperStack October 2020"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0348"> S0348 </a> </td> <td> <a href="/versions/v9/software/S0348"> Cardinal RAT </a> </td> <td> <p><a href="/versions/v9/software/S0348">Cardinal RAT</a> decodes many of its artifacts and is decrypted (AES-128) after being downloaded.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="PaloAlto CardinalRat Apr 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0160"> S0160 </a> </td> <td> <a href="/versions/v9/software/S0160"> certutil </a> </td> <td> <p><a href="/versions/v9/software/S0160">certutil</a> has been used to decode binaries hidden inside certificate files as Base64 information.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Malwarebytes Targeted Attack against Saudi Arabia"><sup><a href="https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0154"> S0154 </a> </td> <td> <a href="/versions/v9/software/S0154"> Cobalt Strike </a> </td> <td> <p><a href="/versions/v9/software/S0154">Cobalt Strike</a> can deobfuscate shellcode using a rolling XOR.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" data-reference="Talos Cobalt Strike September 2020"><sup><a href=" https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0369"> S0369 </a> </td> <td> <a href="/versions/v9/software/S0369"> CoinTicker </a> </td> <td> <p><a href="/versions/v9/software/S0369">CoinTicker</a> decodes the initially-downloaded hidden encoded file using OpenSSL.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" data-reference="CoinTicker 2019"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0126"> S0126 </a> </td> <td> <a href="/versions/v9/software/S0126"> ComRAT </a> </td> <td> <p><a href="/versions/v9/software/S0126">ComRAT</a> has used unique per machine passwords to decrypt the orchestrator payload and a hardcoded XOR key to decrypt its communications module. <a href="/versions/v9/software/S0126">ComRAT</a> has also used a unique password to decrypt the file used for its hidden file system.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" data-reference="CISA ComRAT Oct 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0575"> S0575 </a> </td> <td> <a href="/versions/v9/software/S0575"> Conti </a> </td> <td> <p><a href="/versions/v9/software/S0575">Conti</a> has decrypted its payload using a hardcoded AES-256 key.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" data-reference="Cybereason Conti Jan 2021"><sup><a href="https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="CarbonBlack Conti July 2020"><sup><a href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0492"> S0492 </a> </td> <td> <a href="/versions/v9/software/S0492"> CookieMiner </a> </td> <td> <p><a href="/versions/v9/software/S0492">CookieMiner</a> has used Google Chrome's decryption and extraction operations.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="Unit42 CookieMiner Jan 2019"><sup><a href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0012"> G0012 </a> </td> <td> <a href="/versions/v9/groups/G0012"> Darkhotel </a> </td> <td> <p><a href="/versions/v9/groups/G0012">Darkhotel</a> has decrypted strings and imports using RC4 during execution.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" data-reference="Securelist Darkhotel Aug 2015"><sup><a href="https://securelist.com/darkhotels-attacks-in-2015/71713/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" data-reference="Microsoft DUBNIUM July 2016"><sup><a href="https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0255"> S0255 </a> </td> <td> <a href="/versions/v9/software/S0255"> DDKONG </a> </td> <td> <p><a href="/versions/v9/software/S0255">DDKONG</a> decodes an embedded configuration using XOR.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" data-reference="Rancor Unit42 June 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0354"> S0354 </a> </td> <td> <a href="/versions/v9/software/S0354"> Denis </a> </td> <td> <p><a href="/versions/v9/software/S0354">Denis</a> will decrypt important strings used for C&amp;C communication.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0547"> S0547 </a> </td> <td> <a href="/versions/v9/software/S0547"> DropBook </a> </td> <td> <p><a href="/versions/v9/software/S0547">DropBook</a> can unarchive data downloaded from the C2 to obtain the payload and persistence modules.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" data-reference="Cybereason Molerats Dec 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0502"> S0502 </a> </td> <td> <a href="/versions/v9/software/S0502"> Drovorub </a> </td> <td> <p><a href="/versions/v9/software/S0502">Drovorub</a> has de-obsfuscated XOR encrypted payloads in WebSocket messages.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" data-reference="NSA/FBI Drovorub August 2020"><sup><a href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0567"> S0567 </a> </td> <td> <a href="/versions/v9/software/S0567"> Dtrack </a> </td> <td> <p><a href="/versions/v9/software/S0567">Dtrack</a> has used a decryption routine that is part of an executable physical patch.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" data-reference="Securelist Dtrack"><sup><a href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0024"> S0024 </a> </td> <td> <a href="/versions/v9/software/S0024"> Dyre </a> </td> <td> <p><a href="/versions/v9/software/S0024">Dyre</a> decrypts resources needed for targeting the victim.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" data-reference="Symantec Dyre June 2015"><sup><a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span><span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" data-reference="Malwarebytes Dyreza November 2015"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0377"> S0377 </a> </td> <td> <a href="/versions/v9/software/S0377"> Ebury </a> </td> <td> <p><a href="/versions/v9/software/S0377">Ebury</a> has verified C2 domain ownership by decrypting the TXT record using an embedded RSA public key.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" data-reference="ESET Ebury Oct 2017"><sup><a href="https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0554"> S0554 </a> </td> <td> <a href="/versions/v9/software/S0554"> Egregor </a> </td> <td> <p><a href="/versions/v9/software/S0554">Egregor</a> has been decrypted before execution.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" data-reference="NHS Digital Egregor Nov 2020"><sup><a href="https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span><span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" data-reference="Cybereason Egregor Nov 2020"><sup><a href="https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0401"> S0401 </a> </td> <td> <a href="/versions/v9/software/S0401"> Exaramel for Linux </a> </td> <td> <p><a href="/versions/v9/software/S0401">Exaramel for Linux</a> can decrypt its configuration file.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" data-reference="ANSSI Sandworm January 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0361"> S0361 </a> </td> <td> <a href="/versions/v9/software/S0361"> Expand </a> </td> <td> <p><a href="/versions/v9/software/S0361">Expand</a> can be used to decompress a local or remote CAB file into an executable.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" data-reference="Microsoft Expand Utility"><sup><a href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0512"> S0512 </a> </td> <td> <a href="/versions/v9/software/S0512"> FatDuke </a> </td> <td> <p><a href="/versions/v9/software/S0512">FatDuke</a> can decrypt AES encrypted C2 communications.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0355"> S0355 </a> </td> <td> <a href="/versions/v9/software/S0355"> Final1stspy </a> </td> <td> <p><a href="/versions/v9/software/S0355">Final1stspy</a> uses Python code to deobfuscate base64-encoded strings.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" data-reference="Unit 42 Nokki Oct 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0182"> S0182 </a> </td> <td> <a href="/versions/v9/software/S0182"> FinFisher </a> </td> <td> <p><a href="/versions/v9/software/S0182">FinFisher</a> extracts and decrypts stage 3 malware, which is stored in encrypted resources.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" data-reference="FinFisher Citation"><sup><a href="http://www.finfisher.com/FinFisher/index.html" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span><span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" data-reference="Microsoft FinFisher March 2018"><sup><a href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0101"> G0101 </a> </td> <td> <a href="/versions/v9/groups/G0101"> Frankenstein </a> </td> <td> <p><a href="/versions/v9/groups/G0101">Frankenstein</a> has deobfuscated base64-encoded commands following the execution of a malicious script, which revealed a small script designed to obtain an additional payload.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" data-reference="Talos Frankenstein June 2019"><sup><a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0047"> G0047 </a> </td> <td> <a href="/versions/v9/groups/G0047"> Gamaredon Group </a> </td> <td> <p><a href="/versions/v9/groups/G0047">Gamaredon Group</a> tools decrypted additional payloads from the C2. <a href="/versions/v9/groups/G0047">Gamaredon Group</a> has also decoded base64-encoded source code of a downloader.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" data-reference="TrendMicro Gamaredon April 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" data-reference="ESET Gamaredon June 2020"><sup><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0032"> S0032 </a> </td> <td> <a href="/versions/v9/software/S0032"> gh0st RAT </a> </td> <td> <p><a href="/versions/v9/software/S0032">gh0st RAT</a> has decrypted and loaded the <a href="/versions/v9/software/S0032">gh0st RAT</a> DLL into memory, once the initial dropper executable is launched.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" data-reference="Gh0stRAT ATT March 2019"><sup><a href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0588"> S0588 </a> </td> <td> <a href="/versions/v9/software/S0588"> GoldMax </a> </td> <td> <p><a href="/versions/v9/software/S0588">GoldMax</a> has decoded and decrypted the configuration file when executed.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span><span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" data-reference="FireEye SUNSHUTTLE Mar 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0477"> S0477 </a> </td> <td> <a href="/versions/v9/software/S0477"> Goopy </a> </td> <td> <p><a href="/versions/v9/software/S0477">Goopy</a> has used a polymorphic decryptor to decrypt itself at runtime.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0078"> G0078 </a> </td> <td> <a href="/versions/v9/groups/G0078"> Gorgon Group </a> </td> <td> <p><a href="/versions/v9/groups/G0078">Gorgon Group</a> malware can decode contents from a payload that was Base64 encoded and write the contents to a file.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" data-reference="Unit 42 Gorgon Group Aug 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0531"> S0531 </a> </td> <td> <a href="/versions/v9/software/S0531"> Grandoreiro </a> </td> <td> <p><a href="/versions/v9/software/S0531">Grandoreiro</a> can decrypt its encrypted internal strings.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" data-reference="ESET Grandoreiro April 2020"><sup><a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0499"> S0499 </a> </td> <td> <a href="/versions/v9/software/S0499"> Hancitor </a> </td> <td> <p><a href="/versions/v9/software/S0499">Hancitor</a> has decoded Base64 encoded URLs to insert a recipient’s name into the filename of the Word document. <a href="/versions/v9/software/S0499">Hancitor</a> has also extracted executables from ZIP files.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" data-reference="Threatpost Hancitor"><sup><a href="https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span><span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" data-reference="FireEye Hancitor"><sup><a href="https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0394"> S0394 </a> </td> <td> <a href="/versions/v9/software/S0394"> HiddenWasp </a> </td> <td> <p><a href="/versions/v9/software/S0394">HiddenWasp</a> uses a cipher to implement a decoding function.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" data-reference="Intezer HiddenWasp Map 2019"><sup><a href="https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0126"> G0126 </a> </td> <td> <a href="/versions/v9/groups/G0126"> Higaisa </a> </td> <td> <p><a href="/versions/v9/groups/G0126">Higaisa</a> used certutil to decode Base64 binaries at runtime and a 16-byte XOR key to decrypt data.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" data-reference="Malwarebytes Higaisa 2020"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span><span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" data-reference="Zscaler Higaisa 2020"><sup><a href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0601"> S0601 </a> </td> <td> <a href="/versions/v9/software/S0601"> Hildegard </a> </td> <td> <p><a href="/versions/v9/software/S0601">Hildegard</a> has decrypted ELF files with AES.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0072"> G0072 </a> </td> <td> <a href="/versions/v9/groups/G0072"> Honeybee </a> </td> <td> <p><a href="/versions/v9/groups/G0072">Honeybee</a> drops a Word file containing a Base64-encoded file in it that is read, decoded, and dropped to the disk by the macro.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" data-reference="McAfee Honeybee"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0434"> S0434 </a> </td> <td> <a href="/versions/v9/software/S0434"> Imminent Monitor </a> </td> <td> <p><a href="/versions/v9/software/S0434">Imminent Monitor</a> has decoded malware components that are then dropped to the system.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" data-reference="QiAnXin APT-C-36 Feb2019"><sup><a href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0260"> S0260 </a> </td> <td> <a href="/versions/v9/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/versions/v9/software/S0260">InvisiMole</a> can decrypt, unpack and load a DLL from its resources, or from blobs encrypted with Data Protection API, two-key triple DES, and variations of the XOR cipher.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" data-reference="ESET InvisiMole June 2018"><sup><a href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span><span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" data-reference="ESET InvisiMole June 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0581"> S0581 </a> </td> <td> <a href="/versions/v9/software/S0581"> IronNetInjector </a> </td> <td> <p><a href="/versions/v9/software/S0581">IronNetInjector</a> has the ability to decrypt embedded .NET and PE payloads.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" data-reference="Unit 42 IronNetInjector February 2021 "><sup><a href=" https://unit42.paloaltonetworks.com/ironnetinjector/" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0189"> S0189 </a> </td> <td> <a href="/versions/v9/software/S0189"> ISMInjector </a> </td> <td> <p><a href="/versions/v9/software/S0189">ISMInjector</a> uses the <code>certutil</code> command to decode a payload file.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" data-reference="OilRig New Delivery Oct 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0487"> S0487 </a> </td> <td> <a href="/versions/v9/software/S0487"> Kessel </a> </td> <td> <p><a href="/versions/v9/software/S0487">Kessel</a> has decrypted the binary's configuration once the <code>main</code> function was launched.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" data-reference="ESET ForSSHe December 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0526"> S0526 </a> </td> <td> <a href="/versions/v9/software/S0526"> KGH_SPY </a> </td> <td> <p><a href="/versions/v9/software/S0526">KGH_SPY</a> can decrypt encrypted strings and write them to a newly created folder.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" data-reference="Cybereason Kimsuky November 2020"><sup><a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0356"> S0356 </a> </td> <td> <a href="/versions/v9/software/S0356"> KONNI </a> </td> <td> <p><a href="/versions/v9/software/S0356">KONNI</a> has used certutil to download and decode base64 encoded strings.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" data-reference="Medium KONNI Jan 2020"><sup><a href="https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0236"> S0236 </a> </td> <td> <a href="/versions/v9/software/S0236"> Kwampirs </a> </td> <td> <p><a href="/versions/v9/software/S0236">Kwampirs</a> decrypts and extracts a copy of its main DLL payload when executing.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" data-reference="Symantec Orangeworm April 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0065"> G0065 </a> </td> <td> <a href="/versions/v9/groups/G0065"> Leviathan </a> </td> <td> <p><a href="/versions/v9/groups/G0065">Leviathan</a> has used a DLL known as SeDll to decrypt and execute other JavaScript backdoors.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" data-reference="Proofpoint Leviathan Oct 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0395"> S0395 </a> </td> <td> <a href="/versions/v9/software/S0395"> LightNeuron </a> </td> <td> <p><a href="/versions/v9/software/S0395">LightNeuron</a> has used AES and XOR to decrypt configuration files and commands.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" data-reference="ESET LightNeuron May 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0582"> S0582 </a> </td> <td> <a href="/versions/v9/software/S0582"> LookBack </a> </td> <td> <p><a href="/versions/v9/software/S0582">LookBack</a> has a function that decrypts malicious data.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" data-reference="Proofpoint LookBack Malware Aug 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0532"> S0532 </a> </td> <td> <a href="/versions/v9/software/S0532"> Lucifer </a> </td> <td> <p><a href="/versions/v9/software/S0532">Lucifer</a> can decrypt its C2 address upon execution.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" data-reference="Unit 42 Lucifer June 2020"><sup><a href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0409"> S0409 </a> </td> <td> <a href="/versions/v9/software/S0409"> Machete </a> </td> <td> <p><a href="/versions/v9/software/S0409">Machete</a>’s downloaded data is decrypted using AES.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" data-reference="ESET Machete July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0576"> S0576 </a> </td> <td> <a href="/versions/v9/software/S0576"> MegaCortex </a> </td> <td> <p><a href="/versions/v9/software/S0576">MegaCortex</a> has used a Base64 key to decode its components.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" data-reference="IBM MegaCortex"><sup><a href="https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0045"> G0045 </a> </td> <td> <a href="/versions/v9/groups/G0045"> menuPass </a> </td> <td> <p><a href="/versions/v9/groups/G0045">menuPass</a> has used <a href="/versions/v9/software/S0160">certutil</a> in a macro to decode base64-encoded content contained in a dropper document attached to an email. The group has also used <code>certutil -decode</code> to decode files on the victim’s machine when dropping <a href="/versions/v9/software/S0275">UPPERCUT</a>.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" data-reference="Accenture Hogfish April 2018"><sup><a href="https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a></sup></span><span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" data-reference="FireEye APT10 Sept 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0443"> S0443 </a> </td> <td> <a href="/versions/v9/software/S0443"> MESSAGETAP </a> </td> <td> <p>After checking for the existence of two files, keyword_parm.txt and parm.txt, <a href="/versions/v9/software/S0443">MESSAGETAP</a> XOR decodes and read the contents of the files. <span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" data-reference="FireEye MESSAGETAP October 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0455"> S0455 </a> </td> <td> <a href="/versions/v9/software/S0455"> Metamorfo </a> </td> <td> <p>Upon execution, <a href="/versions/v9/software/S0455">Metamorfo</a> has unzipped itself after being downloaded to the system.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" data-reference="Medium Metamorfo Apr 2020"><sup><a href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span><span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" data-reference="FireEye Metamorfo Apr 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0280"> S0280 </a> </td> <td> <a href="/versions/v9/software/S0280"> MirageFox </a> </td> <td> <p><a href="/versions/v9/software/S0280">MirageFox</a> has a function for decrypting data containing C2 configuration information.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" data-reference="APT15 Intezer June 2018"><sup><a href="https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0021"> G0021 </a> </td> <td> <a href="/versions/v9/groups/G0021"> Molerats </a> </td> <td> <p><a href="/versions/v9/groups/G0021">Molerats</a> decompresses ZIP files once on the victim machine.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" data-reference="Kaspersky MoleRATs April 2019"><sup><a href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0284"> S0284 </a> </td> <td> <a href="/versions/v9/software/S0284"> More_eggs </a> </td> <td> <p><a href="/versions/v9/software/S0284">More_eggs</a> will decode malware components that are then dropped to the system.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" data-reference="Security Intelligence More Eggs Aug 2019"><sup><a href="https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0069"> G0069 </a> </td> <td> <a href="/versions/v9/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/versions/v9/groups/G0069">MuddyWater</a> decoded base64-encoded PowerShell commands using a VBS file.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" data-reference="FireEye MuddyWater Mar 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span><span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" data-reference="MuddyWater TrendMicro June 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a></sup></span><span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" data-reference="ClearSky MuddyWater Nov 2018"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0457"> S0457 </a> </td> <td> <a href="/versions/v9/software/S0457"> Netwalker </a> </td> <td> <p><a href="/versions/v9/software/S0457">Netwalker</a>'s PowerShell script can decode and decrypt multiple layers of obfuscation, leading to the <a href="/versions/v9/software/S0457">Netwalker</a> DLL being loaded into memory.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" data-reference="Sophos Netwalker May 2020"><sup><a href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0353"> S0353 </a> </td> <td> <a href="/versions/v9/software/S0353"> NOKKI </a> </td> <td> <p><a href="/versions/v9/software/S0353">NOKKI</a> uses a unique, custom de-obfuscation technique.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" data-reference="Unit 42 NOKKI Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0049"> G0049 </a> </td> <td> <a href="/versions/v9/groups/G0049"> OilRig </a> </td> <td> <p>A <a href="/versions/v9/groups/G0049">OilRig</a> macro has run a PowerShell command to decode file contents. <a href="/versions/v9/groups/G0049">OilRig</a> has also used <a href="/versions/v9/software/S0160">certutil</a> to decode base64-encoded files on victims.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" data-reference="FireEye APT34 Dec 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a></sup></span><span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" data-reference="OilRig New Delivery Oct 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span><span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" data-reference="Unit 42 OopsIE! Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a></sup></span><span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" data-reference="Crowdstrike GTR2020 Mar 2020"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0439"> S0439 </a> </td> <td> <a href="/versions/v9/software/S0439"> Okrum </a> </td> <td> <p><a href="/versions/v9/software/S0439">Okrum</a>'s loader can decrypt the backdoor code, embedded within the loader or within a legitimate PNG file. A custom XOR cipher or RC4 is used for decryption.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" data-reference="ESET Okrum July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0052"> S0052 </a> </td> <td> <a href="/versions/v9/software/S0052"> OnionDuke </a> </td> <td> <p><a href="/versions/v9/software/S0052">OnionDuke</a> can use a custom decryption algorithm to decrypt strings.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0264"> S0264 </a> </td> <td> <a href="/versions/v9/software/S0264"> OopsIE </a> </td> <td> <p><a href="/versions/v9/software/S0264">OopsIE</a> concatenates then decompresses multiple resources to load an embedded .Net Framework assembly.<span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" data-reference="Unit 42 OopsIE! Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0402"> S0402 </a> </td> <td> <a href="/versions/v9/software/S0402"> OSX/Shlayer </a> </td> <td> <p><a href="/versions/v9/software/S0402">OSX/Shlayer</a> can base64-decode and AES-decrypt downloaded payloads.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" data-reference="Carbon Black Shlayer Feb 2019"><sup><a href="https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0598"> S0598 </a> </td> <td> <a href="/versions/v9/software/S0598"> P.A.S. Webshell </a> </td> <td> <p><a href="/versions/v9/software/S0598">P.A.S. Webshell</a> can use a decryption mechanism to process a user supplied password and allow execution.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" data-reference="ANSSI Sandworm January 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0517"> S0517 </a> </td> <td> <a href="/versions/v9/software/S0517"> Pillowmint </a> </td> <td> <p><a href="/versions/v9/software/S0517">Pillowmint</a> has been decompressed by included shellcode prior to being launched.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" data-reference="Trustwave Pillowmint June 2020"><sup><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0501"> S0501 </a> </td> <td> <a href="/versions/v9/software/S0501"> PipeMon </a> </td> <td> <p><a href="/versions/v9/software/S0501">PipeMon</a> can decrypt password-protected executables.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" data-reference="ESET PipeMon May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0013"> S0013 </a> </td> <td> <a href="/versions/v9/software/S0013"> PlugX </a> </td> <td> <p><a href="/versions/v9/software/S0013">PlugX</a> decompresses and decrypts itself using the Microsoft API call RtlDecompressBuffer.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" data-reference="CIRCL PlugX March 2013"><sup><a href="http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0428"> S0428 </a> </td> <td> <a href="/versions/v9/software/S0428"> PoetRAT </a> </td> <td> <p><a href="/versions/v9/software/S0428">PoetRAT</a> has used LZMA and base64 libraries to decode obfuscated scripts.<span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" data-reference="Talos PoetRAT October 2020"><sup><a href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0518"> S0518 </a> </td> <td> <a href="/versions/v9/software/S0518"> PolyglotDuke </a> </td> <td> <p><a href="/versions/v9/software/S0518">PolyglotDuke</a> can use a custom algorithm to decrypt strings used by the malware.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0223"> S0223 </a> </td> <td> <a href="/versions/v9/software/S0223"> POWERSTATS </a> </td> <td> <p><a href="/versions/v9/software/S0223">POWERSTATS</a> can deobfuscate the main backdoor code.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" data-reference="ClearSky MuddyWater Nov 2018"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0279"> S0279 </a> </td> <td> <a href="/versions/v9/software/S0279"> Proton </a> </td> <td> <p><a href="/versions/v9/software/S0279">Proton</a> uses an encrypted file to store commands and configuration values.<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" data-reference="objsee mac malware 2017"><sup><a href="https://objective-see.com/blog/blog_0x25.html" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0196"> S0196 </a> </td> <td> <a href="/versions/v9/software/S0196"> PUNCHBUGGY </a> </td> <td> <p><a href="/versions/v9/software/S0196">PUNCHBUGGY</a> has used <a href="/versions/v9/techniques/T1059/001">PowerShell</a> to decode base64-encoded assembly.<span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" data-reference="Morphisec ShellTea June 2019"><sup><a href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0269"> S0269 </a> </td> <td> <a href="/versions/v9/software/S0269"> QUADAGENT </a> </td> <td> <p><a href="/versions/v9/software/S0269">QUADAGENT</a> uses AES and a preshared key to decrypt the custom Base64 routine used to encode strings and scripts.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" data-reference="Unit 42 QUADAGENT July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0565"> S0565 </a> </td> <td> <a href="/versions/v9/software/S0565"> Raindrop </a> </td> <td> <p><a href="/versions/v9/software/S0565">Raindrop</a> decrypted its <a href="/versions/v9/software/S0154">Cobalt Strike</a> payload using an AES-256 encryption algorithm in CBC mode with a unique key per sample.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Symantec RAINDROP January 2021"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0458"> S0458 </a> </td> <td> <a href="/versions/v9/software/S0458"> Ramsay </a> </td> <td> <p><a href="/versions/v9/software/S0458">Ramsay</a> can extract its agent from the body of a malicious document.<span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" data-reference="Eset Ramsay May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0495"> S0495 </a> </td> <td> <a href="/versions/v9/software/S0495"> RDAT </a> </td> <td> <p><a href="/versions/v9/software/S0495">RDAT</a> can deobfuscate the base64-encoded and AES-encrypted files downloaded from the C2 server.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" data-reference="Unit42 RDAT July 2020"><sup><a href="https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0511"> S0511 </a> </td> <td> <a href="/versions/v9/software/S0511"> RegDuke </a> </td> <td> <p><a href="/versions/v9/software/S0511">RegDuke</a> can decrypt strings with a key either stored in the Registry or hardcoded in the code.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0375"> S0375 </a> </td> <td> <a href="/versions/v9/software/S0375"> Remexi </a> </td> <td> <p><a href="/versions/v9/software/S0375">Remexi</a> decrypts the configuration data using XOR with 25-character keys.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" data-reference="Securelist Remexi Jan 2019"><sup><a href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0496"> S0496 </a> </td> <td> <a href="/versions/v9/software/S0496"> REvil </a> </td> <td> <p><a href="/versions/v9/software/S0496">REvil</a> can decode encrypted strings to enable execution of commands and payloads.<span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" data-reference="G Data Sodinokibi June 2019"><sup><a href="https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a></sup></span><span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" data-reference="Kaspersky Sodin July 2019"><sup><a href="https://securelist.com/sodin-ransomware/91473/" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a></sup></span><span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" data-reference="Cylance Sodinokibi July 2019"><sup><a href="https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a></sup></span><span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" data-reference="McAfee Sodinokibi October 2019"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a></sup></span><span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" data-reference="Intel 471 REvil March 2020"><sup><a href="https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a></sup></span><span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" data-reference="Secureworks REvil September 2019"><sup><a href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0258"> S0258 </a> </td> <td> <a href="/versions/v9/software/S0258"> RGDoor </a> </td> <td> <p><a href="/versions/v9/software/S0258">RGDoor</a> decodes Base64 strings and decrypts strings using a custom XOR algorithm.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" data-reference="Unit 42 RGDoor Jan 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0448"> S0448 </a> </td> <td> <a href="/versions/v9/software/S0448"> Rising Sun </a> </td> <td> <p><a href="/versions/v9/software/S0448">Rising Sun</a> decrypted itself using a single-byte XOR scheme. Additionally, <a href="/versions/v9/software/S0448">Rising Sun</a> can decrypt its configuration data at runtime.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" data-reference="McAfee Sharpshooter December 2018"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0106"> G0106 </a> </td> <td> <a href="/versions/v9/groups/G0106"> Rocke </a> </td> <td> <p><a href="/versions/v9/groups/G0106">Rocke</a> has extracted tar.gz files after downloading them from a C2 server.<span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" data-reference="Talos Rocke August 2018"><sup><a href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0270"> S0270 </a> </td> <td> <a href="/versions/v9/software/S0270"> RogueRobin </a> </td> <td> <p><a href="/versions/v9/software/S0270">RogueRobin</a> decodes an embedded executable using base64 and decompresses it.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" data-reference="Unit42 DarkHydrus Jan 2019"><sup><a href="https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0034"> G0034 </a> </td> <td> <a href="/versions/v9/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/versions/v9/groups/G0034">Sandworm Team</a>'s VBS backdoor can decode Base64-encoded data and save it to the %TEMP% folder. The group also decrypted received information using the Triple DES algorithm and decompresses it using GZip.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a></sup></span><span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" data-reference="ESET Telebots July 2017"><sup><a href="https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0461"> S0461 </a> </td> <td> <a href="/versions/v9/software/S0461"> SDBbot </a> </td> <td> <p><a href="/versions/v9/software/S0461">SDBbot</a> has the ability to decrypt and decompress its payload to enable code execution.<span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" data-reference="Proofpoint TA505 October 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a></sup></span><span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" data-reference="IBM TA505 April 2020"><sup><a href="https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0596"> S0596 </a> </td> <td> <a href="/versions/v9/software/S0596"> ShadowPad </a> </td> <td> <p><a href="/versions/v9/software/S0596">ShadowPad</a> has decrypted a binary blob to start execution.<span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" data-reference="Kaspersky ShadowPad Aug 2017"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0140"> S0140 </a> </td> <td> <a href="/versions/v9/software/S0140"> Shamoon </a> </td> <td> <p><a href="/versions/v9/software/S0140">Shamoon</a> decrypts ciphertext using an XOR cipher and a base64-encoded string.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" data-reference="Unit 42 Shamoon3 2018"><sup><a href="https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0546"> S0546 </a> </td> <td> <a href="/versions/v9/software/S0546"> SharpStage </a> </td> <td> <p><a href="/versions/v9/software/S0546">SharpStage</a> has decompressed data received from the C2 server.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" data-reference="BleepingComputer Molerats Dec 2020"><sup><a href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0444"> S0444 </a> </td> <td> <a href="/versions/v9/software/S0444"> ShimRat </a> </td> <td> <p><a href="/versions/v9/software/S0444">ShimRat</a> has decompressed its core DLL using shellcode once an impersonated antivirus component was running on a system.<span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" data-reference="FOX-IT May 2016 Mofang"><sup><a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0589"> S0589 </a> </td> <td> <a href="/versions/v9/software/S0589"> Sibot </a> </td> <td> <p><a href="/versions/v9/software/S0589">Sibot</a> can decrypt data received from a C2 and save to a file.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0468"> S0468 </a> </td> <td> <a href="/versions/v9/software/S0468"> Skidmap </a> </td> <td> <p><a href="/versions/v9/software/S0468">Skidmap</a> has the ability to download, unpack, and decrypt tar.gz files .<span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" data-reference="Trend Micro Skidmap"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0226"> S0226 </a> </td> <td> <a href="/versions/v9/software/S0226"> Smoke Loader </a> </td> <td> <p><a href="/versions/v9/software/S0226">Smoke Loader</a> deobfuscates its code.<span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" data-reference="Talos Smoke Loader July 2018"><sup><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0516"> S0516 </a> </td> <td> <a href="/versions/v9/software/S0516"> SoreFang </a> </td> <td> <p><a href="/versions/v9/software/S0516">SoreFang</a> can decode and decrypt exfiltrated data sent to C2.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" data-reference="CISA SoreFang July 2016"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0543"> S0543 </a> </td> <td> <a href="/versions/v9/software/S0543"> Spark </a> </td> <td> <p><a href="/versions/v9/software/S0543">Spark</a> has used a custom XOR algorithm to decrypt the payload.<span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" data-reference="Unit42 Molerat Mar 2020"><sup><a href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0390"> S0390 </a> </td> <td> <a href="/versions/v9/software/S0390"> SQLRat </a> </td> <td> <p><a href="/versions/v9/software/S0390">SQLRat</a> has scripts that are responsible for deobfuscating additional scripts.<span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" data-reference="Flashpoint FIN 7 March 2019"><sup><a href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0188"> S0188 </a> </td> <td> <a href="/versions/v9/software/S0188"> Starloader </a> </td> <td> <p><a href="/versions/v9/software/S0188">Starloader</a> decrypts and executes shellcode from a file called Stars.jps.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" data-reference="Symantec Sowbug Nov 2017"><sup><a href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0562"> S0562 </a> </td> <td> <a href="/versions/v9/software/S0562"> SUNSPOT </a> </td> <td> <p><a href="/versions/v9/software/S0562">SUNSPOT</a> decrypts <a href="/versions/v9/software/S0559">SUNBURST</a>, which was stored in AES128-CBC encrypted blobs.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" data-reference="CrowdStrike SUNSPOT Implant January 2021"><sup><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0560"> S0560 </a> </td> <td> <a href="/versions/v9/software/S0560"> TEARDROP </a> </td> <td> <p><a href="/versions/v9/software/S0560">TEARDROP</a> was decoded using a custom rolling XOR algorithm to execute a customized <a href="/versions/v9/software/S0154">Cobalt Strike</a> payload.<span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a></sup></span><span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" data-reference="Check Point Sunburst Teardrop December 2020"><sup><a href="https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a></sup></span><span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0027"> G0027 </a> </td> <td> <a href="/versions/v9/groups/G0027"> Threat Group-3390 </a> </td> <td> <p>During execution, <a href="/versions/v9/groups/G0027">Threat Group-3390</a> malware deobfuscates and decompresses code that was encoded with Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.<span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" data-reference="Securelist LuckyMouse June 2018"><sup><a href="https://securelist.com/luckymouse-hits-national-data-center/86083/" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0266"> S0266 </a> </td> <td> <a href="/versions/v9/software/S0266"> TrickBot </a> </td> <td> <p><a href="/versions/v9/software/S0266">TrickBot</a> decodes the configuration data and modules.<span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" data-reference="Fidelis TrickBot Oct 2016"><sup><a href="https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a></sup></span><span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" data-reference="Cyberreason Anchor December 2019"><sup><a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0081"> G0081 </a> </td> <td> <a href="/versions/v9/groups/G0081"> Tropic Trooper </a> </td> <td> <p><a href="/versions/v9/groups/G0081">Tropic Trooper</a> used shellcode with an XOR algorithm to decrypt a payload. <a href="/versions/v9/groups/G0081">Tropic Trooper</a> also decrypted image files which contained a payload.<span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" data-reference="Unit 42 Tropic Trooper Nov 2016"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a></sup></span><span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" data-reference="TrendMicro Tropic Trooper May 2020"><sup><a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0436"> S0436 </a> </td> <td> <a href="/versions/v9/software/S0436"> TSCookie </a> </td> <td> <p><a href="/versions/v9/software/S0436">TSCookie</a> has the ability to decrypt, load, and execute a DLL and its resources.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" data-reference="JPCert TSCookie March 2018"><sup><a href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0010"> G0010 </a> </td> <td> <a href="/versions/v9/groups/G0010"> Turla </a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used a custom decryption routine, which pulls key and salt values from other artifacts such as a WMI filter or <a href="/versions/v9/techniques/T1546/013">PowerShell Profile</a>, to decode encrypted PowerShell payloads.<span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0263"> S0263 </a> </td> <td> <a href="/versions/v9/software/S0263"> TYPEFRAME </a> </td> <td> <p>One <a href="/versions/v9/software/S0263">TYPEFRAME</a> variant decrypts an archive using an RC4 key, then decompresses and installs the decrypted malicious DLL module. Another variant decodes the embedded file by XORing it with the value "0x35".<span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" data-reference="US-CERT TYPEFRAME June 2018"><sup><a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0386"> S0386 </a> </td> <td> <a href="/versions/v9/software/S0386"> Ursnif </a> </td> <td> <p><a href="/versions/v9/software/S0386">Ursnif</a> has used crypto key information stored in the Registry to decrypt Tor clients dropped to disk.<span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0476"> S0476 </a> </td> <td> <a href="/versions/v9/software/S0476"> Valak </a> </td> <td> <p><a href="/versions/v9/software/S0476">Valak</a> has the ability to decode and decrypt downloaded files.<span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" data-reference="Cybereason Valak May 2020"><sup><a href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a></sup></span><span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" data-reference="Unit 42 Valak July 2020"><sup><a href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0257"> S0257 </a> </td> <td> <a href="/versions/v9/software/S0257"> VERMIN </a> </td> <td> <p><a href="/versions/v9/software/S0257">VERMIN</a> decrypts code, strings, and commands to use once it's on the victim's machine.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" data-reference="Unit 42 VERMIN Jan 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0180"> S0180 </a> </td> <td> <a href="/versions/v9/software/S0180"> Volgmer </a> </td> <td> <p><a href="/versions/v9/software/S0180">Volgmer</a> deobfuscates its strings and APIs once its executed.<span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" data-reference="US-CERT Volgmer 2 Nov 2017"><sup><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0579"> S0579 </a> </td> <td> <a href="/versions/v9/software/S0579"> Waterbear </a> </td> <td> <p><a href="/versions/v9/software/S0579">Waterbear</a> has the ability to decrypt its RC4 encrypted payload for execution.<span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" data-reference="Trend Micro Waterbear December 2019"><sup><a href="https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0515"> S0515 </a> </td> <td> <a href="/versions/v9/software/S0515"> WellMail </a> </td> <td> <p><a href="/versions/v9/software/S0515">WellMail</a> can decompress scripts received from C2.<span onclick=scrollToRef('scite-158') id="scite-ref-158-a" class="scite-citeref-number" data-reference="CISA WellMail July 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0514"> S0514 </a> </td> <td> <a href="/versions/v9/software/S0514"> WellMess </a> </td> <td> <p><a href="/versions/v9/software/S0514">WellMess</a> can decode and decrypt data received from C2.<span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" data-reference="PWC WellMess July 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a></sup></span><span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" data-reference="PWC WellMess C2 August 2020"><sup><a href="https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a></sup></span><span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" data-reference="CISA WellMess July 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0466"> S0466 </a> </td> <td> <a href="/versions/v9/software/S0466"> WindTail </a> </td> <td> <p><a href="/versions/v9/software/S0466">WindTail</a> has the ability to decrypt strings using hard-coded AES keys.<span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" data-reference="objective-see windtail1 dec 2018"><sup><a href="https://objective-see.com/blog/blog_0x3B.html" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0430"> S0430 </a> </td> <td> <a href="/versions/v9/software/S0430"> Winnti for Linux </a> </td> <td> <p><a href="/versions/v9/software/S0430">Winnti for Linux</a> has decoded XOR encoded strings holding its configuration upon execution.<span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" data-reference="Chronicle Winnti for Linux May 2019"><sup><a href="https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0090"> G0090 </a> </td> <td> <a href="/versions/v9/groups/G0090"> WIRTE </a> </td> <td> <p><a href="/versions/v9/groups/G0090">WIRTE</a> has decoded a base64 encoded document which was embedded in a VBS script.<span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" data-reference="Lab52 WIRTE Apr 2019"><sup><a href="https://lab52.io/blog/wirte-group-attacking-the-middle-east/" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0388"> S0388 </a> </td> <td> <a href="/versions/v9/software/S0388"> YAHOYAH </a> </td> <td> <p><a href="/versions/v9/software/S0388">YAHOYAH</a> decrypts downloaded files before execution.<span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" data-reference="TrendMicro TropicTrooper 2015"><sup><a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0251"> S0251 </a> </td> <td> <a href="/versions/v9/software/S0251"> Zebrocy </a> </td> <td> <p><a href="/versions/v9/software/S0251">Zebrocy</a> decodes its secondary payload and writes it to the victim’s machine. <a href="/versions/v9/software/S0251">Zebrocy</a> also uses AES and XOR to decrypt strings and payloads.<span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a></sup></span><span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" data-reference="ESET Zebrocy Nov 2018"><sup><a href="https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0230"> S0230 </a> </td> <td> <a href="/versions/v9/software/S0230"> ZeroT </a> </td> <td> <p><a href="/versions/v9/software/S0230">ZeroT</a> shellcode decrypts and decompresses its RC4-encrypted payload.<span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" data-reference="Proofpoint ZeroT Feb 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0330"> S0330 </a> </td> <td> <a href="/versions/v9/software/S0330"> Zeus Panda </a> </td> <td> <p><a href="/versions/v9/software/S0330">Zeus Panda</a> decrypts strings in the code during the execution process.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" data-reference="Talos Zeus Panda Nov 2017"><sup><a href="https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0128"> G0128 </a> </td> <td> <a href="/versions/v9/groups/G0128"> ZIRCONIUM </a> </td> <td> <p><a href="/versions/v9/groups/G0128">ZIRCONIUM</a> has used the AES256 algorithm with a SHA1 derived key to decrypt exploit code.<span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" data-reference="Check Point APT31 February 2021"><sup><a href="https://research.checkpoint.com/2021/the-story-of-jian/" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a></sup></span></p> </td> </tr> </tbody> </table> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <p> This type of attack technique cannot be easily mitigated with preventive controls since it is based on the abuse of system features. </p> <h2 class="pt-3" id="detection">Detection</h2> <div> <p>Detecting the action of deobfuscating or decoding files or information may be difficult depending on the implementation. If the functionality is contained within malware and uses the Windows API, then attempting to detect malicious behavior before or after the action may yield better results than attempting to perform analysis on loaded libraries or API calls. If scripts are used, then collecting the scripts for analysis may be necessary. Perform process and command-line monitoring to detect potentially malicious behavior related to scripts and system utilities such as <a href="/versions/v9/software/S0160">certutil</a>.</p><p>Monitor the execution file paths and command-line arguments for common archive file applications and extensions, such as those for Zip and RAR archive tools, and correlate with other suspicious behavior to reduce false positives from normal user and administrator behavior.</p> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://blog.malwarebytes.com/cybercrime/social-engineering-cybercrime/2017/03/new-targeted-attack-saudi-arabia-government/" target="_blank"> Malwarebytes Labs. (2017, March 27). New targeted attack against Saudi Arabia Government. Retrieved July 3, 2017. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/" target="_blank"> Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank"> Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank"> Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/" target="_blank"> Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://researchcenter.paloaltonetworks.com/2016/01/new-attacks-linked-to-c0d0s0-group/" target="_blank"> Grunzweig, J., Lee, B. (2016, January 22). New Attacks Linked to C0d0so0 Group. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank"> Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank"> Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank"> Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank"> FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank"> CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank"> Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank"> GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" target="_blank"> Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-new-wine-old-bottle-new-azorult-variant-found-findmyname-campaign-using-fallout-exploit-kit/" target="_blank"> Yan, T., et al. (2018, November 21). New Wine in Old Bottle: New Azorult Variant Found in FindMyName Campaign using Fallout Exploit Kit. Retrieved November 29, 2018. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.proofpoint.com/us/threat-insight/post/new-version-azorult-stealer-improves-loading-features-spreads-alongside" target="_blank"> Proofpoint. (2018, July 30). New version of AZORult stealer improves loading features, spreads alongside ransomware in new campaign. Retrieved November 29, 2018. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://us-cert.cisa.gov/ncas/alerts/aa20-301a" target="_blank"> CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank"> Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-B_WHITE.PDF" target="_blank"> US-CERT. (2017, December 13). Malware Analysis Report (MAR) - 10135536-B. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank"> Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" target="_blank"> Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/" target="_blank"> Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank"> Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank"> US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html" target="_blank"> Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank"> Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank"> Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank"> ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" target="_blank"> Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank"> Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href=" https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf" target="_blank"> Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" target="_blank"> Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank"> Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a" target="_blank"> CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware" target="_blank"> Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank"> Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank"> Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://securelist.com/darkhotels-attacks-in-2015/71713/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" target="_blank"> Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank"> Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank"> Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank"> NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank"> Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/dyre-emerging-threat.pdf" target="_blank"> Symantec Security Response. (2015, June 23). Dyre: Emerging threat on financial fraud landscape. Retrieved August 23, 2018. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank"> hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.welivesecurity.com/2017/10/30/windigo-ebury-update-2/" target="_blank"> Vachon, F. (2017, October 30). Windigo Still not Windigone: An Ebury Update . Retrieved February 10, 2021. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://digital.nhs.uk/cyber-alerts/2020/cc-3681#summary" target="_blank"> NHS Digital. (2020, November 26). Egregor Ransomware The RaaS successor to Maze. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.cybereason.com/blog/cybereason-vs-egregor-ransomware" target="_blank"> Rochberger, L. (2020, November 26). Cybereason vs. Egregor Ransomware. Retrieved December 30, 2020. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank"> ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://docs.microsoft.com/en-us/windows-server/administration/windows-commands/expand" target="_blank"> Microsoft. (2017, October 15). Expand. Retrieved February 19, 2019. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank"> Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank"> Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="http://www.finfisher.com/FinFisher/index.html" target="_blank"> FinFisher. (n.d.). Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank"> Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank"> Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/" target="_blank"> Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank"> Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank"> Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank"> Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://researchcenter.paloaltonetworks.com/2018/08/unit42-gorgon-group-slithering-nation-state-cybercrime/" target="_blank"> Falcone, R., et al. (2018, August 02). The Gorgon Group: Slithering Between Nation State and Cybercrime. Retrieved August 7, 2018. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank"> ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/" target="_blank"> Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html" target="_blank"> Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" target="_blank"> Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank"> Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank"> Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank"> Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank"> Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank"> QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank"> Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href=" https://unit42.paloaltonetworks.com/ironnetinjector/" target="_blank"> Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/" target="_blank"> Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank"> Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://medium.com/d-hunter/a-look-into-konni-2019-campaign-b45a0f321e9b" target="_blank"> Karmi, D. (2020, January 4). A Look Into Konni 2019 Campaign. Retrieved April 28, 2020. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank"> Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank"> Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank"> Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://www.proofpoint.com/us/threat-insight/post/lookback-malware-targets-united-states-utilities-sector-phishing-attacks" target="_blank"> Raggi, M. Schwarz, D.. (2019, August 1). LookBack Malware Targets the United States Utilities Sector with Phishing Attacks Impersonating Engineering Licensing Boards. Retrieved February 25, 2021. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank"> Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="86.0"> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://securityintelligence.com/posts/from-mega-to-giga-cross-version-comparison-of-top-megacortex-modifications/" target="_blank"> Del Fierro, C. Kessem, L.. (2020, January 8). From Mega to Giga: Cross-Version Comparison of Top MegaCortex Modifications. Retrieved February 15, 2021. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank"> Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank"> Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://www.fireeye.com/blog/threat-research/2019/10/messagetap-who-is-reading-your-text-messages.html" target="_blank"> Leong, R., Perez, D., Dean, T. (2019, October 31). MESSAGETAP: Who’s Reading Your Text Messages?. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank"> Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://www.fireeye.com/blog/threat-research/2018/04/metamorfo-campaign-targeting-brazilian-users.html" target="_blank"> Sierra, E., Iglesias, G.. (2018, April 24). Metamorfo Campaigns Targeting Brazilian Users. Retrieved July 30, 2020. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://www.intezer.com/miragefox-apt15-resurfaces-with-new-tools-based-on-old-ones/" target="_blank"> Rosenberg, J. (2018, June 14). MirageFox: APT15 Resurfaces With New Tools Based On Old Ones. Retrieved September 21, 2018. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank"> GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" target="_blank"> Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank"> Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://blog.trendmicro.com/trendlabs-security-intelligence/another-potential-muddywater-campaign-uses-powershell-based-prb-backdoor/" target="_blank"> Villanueva, M., Co, M. (2018, June 14). Another Potential MuddyWater Campaign uses Powershell-based PRB-Backdoor. Retrieved July 3, 2018. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank"> ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank"> Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank"> Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank"> Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank"> Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank"> Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://www.carbonblack.com/2019/02/12/tau-threat-intelligence-notification-new-macos-malware-variant-of-shlayer-osx-discovered/" target="_blank"> Carbon Black Threat Analysis Unit. (2019, February 12). New macOS Malware Variant of Shlayer (OSX) Discovered. Retrieved August 8, 2019. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/" target="_blank"> Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank"> Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="http://circl.lu/assets/files/tr-12/tr-12-circl-plugx-analysis-v1.pdf" target="_blank"> Computer Incident Response Center Luxembourg. (2013, March 29). Analysis of a PlugX variant. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank"> Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://objective-see.com/blog/blog_0x25.html" target="_blank"> Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank"> Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank"> Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. </a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank"> MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank"> Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" target="_blank"> Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank"> Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data" target="_blank"> Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://securelist.com/sodin-ransomware/91473/" target="_blank"> Mamedov, O, et al. (2019, July 3). Sodin ransomware exploits Windows vulnerability and processor architecture. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://threatvector.cylance.com/en_us/home/threat-spotlight-sodinokibi-ransomware.html" target="_blank"> Cylance. (2019, July 3). hreat Spotlight: Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" target="_blank"> McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/" target="_blank"> Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank"> Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-oilrig-uses-rgdoor-iis-backdoor-targets-middle-east/" target="_blank"> Falcone, R. (2018, January 25). OilRig uses RGDoor IIS Backdoor on Targets in the Middle East. Retrieved July 6, 2018. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://blog.talosintelligence.com/2018/08/rocke-champion-of-monero-miners.html" target="_blank"> Liebenberg, D.. (2018, August 30). Rocke: The Champion of Monero Miners. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" target="_blank"> Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank"> Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://www.welivesecurity.com/2017/07/04/analysis-of-telebots-cunning-backdoor/" target="_blank"> Cherepanov, A.. (2017, July 4). Analysis of TeleBots’ cunning backdoor . Retrieved June 11, 2020. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank"> Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://securityintelligence.com/posts/ta505-continues-to-infect-networks-with-sdbbot-rat/" target="_blank"> Frydrych, M. (2020, April 14). TA505 Continues to Infect Networks With SDBbot RAT. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2017/08/07172148/ShadowPad_technical_description_PDF.pdf" target="_blank"> Kaspersky Lab. (2017, August). ShadowPad: popular server management software hit in supply chain attack. Retrieved March 22, 2021. </a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="https://unit42.paloaltonetworks.com/shamoon-3-targets-oil-gas-organization/" target="_blank"> Falcone, R. (2018, December 13). Shamoon 3 Targets Oil and Gas Organization. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank"> Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. </a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank"> Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. </a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank"> Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018. </a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank"> CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank"> Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. </a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank"> Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. </a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://www.symantec.com/connect/blogs/sowbug-cyber-espionage-group-targets-south-american-and-southeast-asian-governments" target="_blank"> Symantec Security Response. (2017, November 7). Sowbug: Cyber espionage group targets South American and Southeast Asian governments. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank"> CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. </a> </span> </span> </li> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank"> FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. </a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/" target="_blank"> Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="https://securelist.com/luckymouse-hits-national-data-center/86083/" target="_blank"> Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://www.fidelissecurity.com/threatgeek/2016/10/trickbot-we-missed-you-dyre" target="_blank"> Reaves, J. (2016, October 15). TrickBot: We Missed you, Dyre. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://researchcenter.paloaltonetworks.com/2016/11/unit42-tropic-trooper-targets-taiwanese-government-and-fossil-fuel-provider-with-poison-ivy/" target="_blank"> Ray, V. (2016, November 22). Tropic Trooper Targets Taiwanese Government and Fossil Fuel Provider With Poison Ivy. Retrieved November 9, 2018. </a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank"> Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. </a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://blogs.jpcert.or.jp/en/2018/03/malware-tscooki-7aa0.html" target="_blank"> Tomonaga, S.. (2018, March 6). Malware “TSCookie”. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank"> Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-151" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-151" href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank"> US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. </a> </span> </span> </li> <li> <span id="scite-152" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-152" href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank"> Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-153" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-153" href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank"> Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. </a> </span> </span> </li> <li> <span id="scite-154" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-154" href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank"> Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. </a> </span> </span> </li> <li> <span id="scite-155" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-155" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank"> Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. </a> </span> </span> </li> <li> <span id="scite-156" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-156" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" target="_blank"> US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-157" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-157" href="https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html" target="_blank"> Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. </a> </span> </span> </li> <li> <span id="scite-158" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-158" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198c" target="_blank"> CISA. (2020, July 16). MAR-10296782-3.v1 – WELLMAIL. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-159" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-159" href="https://www.pwc.co.uk/issues/cyber-security-services/insights/cleaning-up-after-wellmess.html" target="_blank"> PWC. (2020, July 16). How WellMess malware has been used to target COVID-19 vaccines. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-160" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-160" href="https://www.pwc.co.uk/issues/cyber-security-services/insights/wellmess-analysis-command-control.html" target="_blank"> PWC. (2020, August 17). WellMess malware: analysis of its Command and Control (C2) server. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-161" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-161" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198b" target="_blank"> CISA. (2020, July 16). MAR-10296782-2.v1 – WELLMESS. Retrieved September 24, 2020. </a> </span> </span> </li> <li> <span id="scite-162" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-162" href="https://objective-see.com/blog/blog_0x3B.html" target="_blank"> Wardle, Patrick. (2018, December 20). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 1). Retrieved October 3, 2019. </a> </span> </span> </li> <li> <span id="scite-163" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-163" href="https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a" target="_blank"> Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. </a> </span> </span> </li> <li> <span id="scite-164" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-164" href="https://lab52.io/blog/wirte-group-attacking-the-middle-east/" target="_blank"> S2 Grupo. (2019, April 2). WIRTE Group attacking the Middle East. Retrieved May 24, 2019. </a> </span> </span> </li> <li> <span id="scite-165" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-165" href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" target="_blank"> Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-166" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-166" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank"> Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. </a> </span> </span> </li> <li> <span id="scite-167" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-167" href="https://www.welivesecurity.com/2018/11/20/sednit-whats-going-zebrocy/" target="_blank"> ESET. (2018, November 20). Sednit: What’s going on with Zebrocy?. Retrieved February 12, 2019. </a> </span> </span> </li> <li> <span id="scite-168" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-168" href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank"> Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. </a> </span> </span> </li> <li> <span id="scite-169" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-169" href="https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More" target="_blank"> Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-170" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-170" href="https://research.checkpoint.com/2021/the-story-of-jian/" target="_blank"> Itkin, E. and Cohen, I. (2021, February 22). The Story of Jian – How APT31 Stole and Used an Unknown Equation Group 0-Day. Retrieved March 24, 2021. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&amp;CK content version 9.0&#013;Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?3053"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> <script src="/versions/v9/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v9/theme/scripts/settings.js"></script> <script src="/versions/v9/theme/scripts/tour/tour-techniques.js"></script> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10