<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v16/theme/favicon.ico" type='image/x-icon'> <title>System Services: Service Execution, Sub-technique T1569.002 - Enterprise | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-select.min.css" /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v16/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v16/"><img src="/versions/v16/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v16/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v16/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/groups">Groups</a> <a class="dropdown-item" href="/versions/v16/software">Software</a> <a class="dropdown-item" href="/versions/v16/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v16/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v16/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v16/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v16/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v16/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v16/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v16/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v16/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v16/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1" target="_blank">ATT&CK v16.1</a> which is the current version of ATT&CK. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div class="container-fluid d-none"> Reminder: the TAXII 2.0 server will be <a href='https://medium.com/mitre-attack/introducing-taxii-2-1-and-a-fond-farewell-to-taxii-2-0-d9fca6ce4c58'>retiring on December 18</a>. Please switch to the <a href='https://github.com/mitre-attack/attack-workbench-taxii-server/blob/main/docs/USAGE.md'>TAXII 2.1 server</a> to ensure uninterrupted service. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v16/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/T1569">System Services</a></li> <li class="breadcrumb-item">Service Execution</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">System Services:</span> Service Execution </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of System Services (2)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/techniques/T1569/001/" class="subtechnique-table-item" data-subtechnique_id="T1569.001"> T1569.001 </a> </td> <td> <a href="/versions/v16/techniques/T1569/001/" class="subtechnique-table-item" data-subtechnique_id="T1569.001"> Launchctl </a> </td> </tr> <tr> <td class="active"> T1569.002 </td> <td class="active"> Service Execution </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may abuse the Windows service control manager to execute malicious commands or payloads. The Windows service control manager (<code>services.exe</code>) is an interface to manage and manipulate services.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. (2018, May 31). Service Control Manager. Retrieved March 28, 2020."data-reference="Microsoft Service Control Manager">^{<a href="https://docs.microsoft.com/windows/win32/services/service-control-manager" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a>}</span> The service control manager is accessible to users via GUI components as well as system utilities such as <code>sc.exe</code> and <a href="/versions/v16/software/S0039">Net</a>.</p><p><a href="/versions/v16/software/S0029">PsExec</a> can also be used to execute commands or payloads via a temporary Windows service created through the service control manager API.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015."data-reference="Russinovich Sysinternals">^{<a href="https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span> Tools such as <a href="/versions/v16/software/S0029">PsExec</a> and <code>sc.exe</code> can accept remote servers as arguments and may be used to conduct remote execution.</p><p>Adversaries may leverage these mechanisms to execute malicious content. This can be done by either executing a new or modified service. This technique is the execution used in conjunction with <a href="/versions/v16/techniques/T1543/003">Windows Service</a> during service persistence or privilege escalation.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1569.002 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of:&nbsp;</span> <a href="/versions/v16/techniques/T1569">T1569</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/versions/v16/tactics/TA0002">Execution</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Windows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="If the (sub-)technique can invoke an instance of itself remotely without relying on external tools/techniques">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Supports Remote:&nbsp;</span> Yes </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.2 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>10 March 2020 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>15 October 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1569.002" href="/versions/v16/techniques/T1569/002/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1569.002" href="/techniques/T1569/002/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/software/S0504"> S0504 </a> </td> <td> <a href="/versions/v16/software/S0504"> Anchor </a> </td> <td> <p><a href="/versions/v16/software/S0504">Anchor</a> can create and execute services to load its payload.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020."data-reference="Cyberreason Anchor December 2019">^{<a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a>}</span><span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020."data-reference="Medium Anchor DNS July 2020">^{<a href="https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0050"> G0050 </a> </td> <td> <a href="/versions/v16/groups/G0050"> APT32 </a> </td> <td> <p><a href="/versions/v16/groups/G0050">APT32</a>'s backdoor has used Windows services as a way to execute its malicious payload. <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019."data-reference="ESET OceanLotus Mar 2019">^{<a href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0082"> G0082 </a> </td> <td> <a href="/versions/v16/groups/G0082"> APT38 </a> </td> <td> <p><a href="/versions/v16/groups/G0082">APT38</a> has created new services or modified existing ones to run executables, commands, or scripts.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021."data-reference="CISA AA20-239A BeagleBoyz August 2020">^{<a href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0087"> G0087 </a> </td> <td> <a href="/versions/v16/groups/G0087"> APT39 </a> </td> <td> <p><a href="/versions/v16/groups/G0087">APT39</a> has used post-exploitation tools including RemCom and the Non-sucking Service Manager (NSSM) to execute processes.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."data-reference="BitDefender Chafer May 2020">^{<a href="https://www.bitdefender.com/blog/labs/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a>}</span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020."data-reference="Symantec Chafer February 2018">^{<a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0096"> G0096 </a> </td> <td> <a href="/versions/v16/groups/G0096"> APT41 </a> </td> <td> <p><a href="/versions/v16/groups/G0096">APT41</a> used svchost.exe and <a href="/versions/v16/software/S0039">Net</a> to execute a system service installed to launch a <a href="/versions/v16/software/S0154">Cobalt Strike</a> BEACON loader.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020."data-reference="FireEye APT41 March 2020">^{<a href="https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a>}</span><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021."data-reference="Group IB APT 41 June 2021">^{<a href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0040"> C0040 </a> </td> <td> <a href="/versions/v16/campaigns/C0040"> APT41 DUST </a> </td> <td> <p><a href="https://attack.mitre.org/campaigns/C0040">APT41 DUST</a> used Windows services to execute <a href="/versions/v16/software/S1158">DUSTPAN</a>.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024."data-reference="Google Cloud APT41 2024">^{<a href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0438"> S0438 </a> </td> <td> <a href="/versions/v16/software/S0438"> Attor </a> </td> <td> <p><a href="/versions/v16/software/S0438">Attor</a>'s dispatcher can be executed as a service.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."data-reference="ESET Attor Oct 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0606"> S0606 </a> </td> <td> <a href="/versions/v16/software/S0606"> Bad Rabbit </a> </td> <td> <p><a href="/versions/v16/software/S0606">Bad Rabbit</a> drops a file named <code>infpub.dat</code>into the Windows directory and is executed through SCManager and <code>rundll.exe</code>.</p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0127"> S0127 </a> </td> <td> <a href="/versions/v16/software/S0127"> BBSRAT </a> </td> <td> <p><a href="/versions/v16/software/S0127">BBSRAT</a> can start, stop, or delete services.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016."data-reference="Palo Alto Networks BBSRAT">^{<a href="http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0108"> G0108 </a> </td> <td> <a href="/versions/v16/groups/G0108"> Blue Mockingbird </a> </td> <td> <p><a href="/versions/v16/groups/G0108">Blue Mockingbird</a> has executed custom-compiled XMRIG miner DLLs by configuring them to execute via the "wercplsupport" service.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."data-reference="RedCanary Mockingbird May 2020">^{<a href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a>}</span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1063"> S1063 </a> </td> <td> <a href="/versions/v16/software/S1063"> Brute Ratel C4 </a> </td> <td> <p><a href="/versions/v16/software/S1063">Brute Ratel C4</a> can create Windows system services for execution.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023."data-reference="Palo Alto Brute Ratel July 2022">^{<a href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0114"> G0114 </a> </td> <td> <a href="/versions/v16/groups/G0114"> Chimera </a> </td> <td> <p><a href="/versions/v16/groups/G0114">Chimera</a> has used <a href="/versions/v16/software/S0029">PsExec</a> to deploy beacons on compromised systems.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024."data-reference="NCC Group Chimera January 2021">^{<a href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0660"> S0660 </a> </td> <td> <a href="/versions/v16/software/S0660"> Clambling </a> </td> <td> <p><a href="/versions/v16/software/S0660">Clambling</a> can create and start services on a compromised host.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021."data-reference="Trend Micro DRBControl February 2020">^{<a href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0154"> S0154 </a> </td> <td> <a href="/versions/v16/software/S0154"> Cobalt Strike </a> </td> <td> <p><a href="/versions/v16/software/S0154">Cobalt Strike</a> can use <a href="/versions/v16/software/S0029">PsExec</a> to execute a payload on a remote host. It can also use Service Control Manager to start new services.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017."data-reference="cobaltstrike manual">^{<a href="https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a>}</span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017."data-reference="Cobalt Strike TTPs Dec 2017">^{<a href="https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a>}</span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021."data-reference="Cobalt Strike Manual 4.3 November 2020">^{<a href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1111"> S1111 </a> </td> <td> <a href="/versions/v16/software/S1111"> DarkGate </a> </td> <td> <p><a href="/versions/v16/software/S1111">DarkGate</a> tries to elevate privileges to <code>SYSTEM</code> using PsExec to locally execute as a service, such as <code>cmd /c c:\temp\PsExec.exe -accepteula -j -d -s [Target Binary]</code>.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024."data-reference="Trellix Darkgate 2023">^{<a href="https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1134"> S1134 </a> </td> <td> <a href="/versions/v16/software/S1134"> DEADWOOD </a> </td> <td> <p><a href="/versions/v16/software/S1134">DEADWOOD</a> can be executed as a service using various names, such as <code>ScDeviceEnums</code>.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024."data-reference="SentinelOne Agrius 2021">^{<a href="https://assets.sentinelone.com/sentinellabs/evol-agrius" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0363"> S0363 </a> </td> <td> <a href="/versions/v16/software/S0363"> Empire </a> </td> <td> <p><a href="/versions/v16/software/S0363">Empire</a> can use <a href="/versions/v16/software/S0029">PsExec</a> to execute a payload on a remote host.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire">^{<a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0037"> G0037 </a> </td> <td> <a href="/versions/v16/groups/G0037"> FIN6 </a> </td> <td> <p><a href="/versions/v16/groups/G0037">FIN6</a> has created Windows services to execute encoded PowerShell commands.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019."data-reference="FireEye FIN6 Apr 2019">^{<a href="https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0032"> S0032 </a> </td> <td> <a href="/versions/v16/software/S0032"> gh0st RAT </a> </td> <td> <p><a href="/versions/v16/software/S0032">gh0st RAT</a> can execute its service if the Service key exists. If the key does not exist, <a href="/versions/v16/software/S0032">gh0st RAT</a> will create and run the service.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020."data-reference="Gh0stRAT ATT March 2019">^{<a href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0697"> S0697 </a> </td> <td> <a href="/versions/v16/software/S0697"> HermeticWiper </a> </td> <td> <p><a href="/versions/v16/software/S0697">HermeticWiper</a> can create system services to aid in executing the payload.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022."data-reference="SentinelOne Hermetic Wiper February 2022">^{<a href="https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a>}</span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022."data-reference="Crowdstrike DriveSlayer February 2022">^{<a href="https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a>}</span><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022."data-reference="Qualys Hermetic Wiper March 2022">^{<a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0698"> S0698 </a> </td> <td> <a href="/versions/v16/software/S0698"> HermeticWizard </a> </td> <td> <p><a href="/versions/v16/software/S0698">HermeticWizard</a> can use <code>OpenRemoteServiceManager</code> to create a service.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022."data-reference="ESET Hermetic Wizard March 2022">^{<a href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0376"> S0376 </a> </td> <td> <a href="/versions/v16/software/S0376"> HOPLIGHT </a> </td> <td> <p><a href="/versions/v16/software/S0376">HOPLIGHT</a> has used svchost.exe to execute a malicious DLL .<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019."data-reference="US-CERT HOPLIGHT Apr 2019">^{<a href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0203"> S0203 </a> </td> <td> <a href="/versions/v16/software/S0203"> Hydraq </a> </td> <td> <p><a href="/versions/v16/software/S0203">Hydraq</a> uses svchost.exe to execute a malicious DLL included in a new service group.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Fitzgerald, P. (2010, January 26). How Trojan.Hydraq Stays On Your Computer. Retrieved February 22, 2018."data-reference="Symantec Hydraq Persistence Jan 2010">^{<a href="https://www.symantec.com/connect/blogs/how-trojanhydraq-stays-your-computer" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0398"> S0398 </a> </td> <td> <a href="/versions/v16/software/S0398"> HyperBro </a> </td> <td> <p><a href="/versions/v16/software/S0398">HyperBro</a> has the ability to start and stop a specified service.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019."data-reference="Unit42 Emissary Panda May 2019">^{<a href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0357"> S0357 </a> </td> <td> <a href="/versions/v16/software/S0357"> Impacket </a> </td> <td> <p><a href="/versions/v16/software/S0357">Impacket</a> contains various modules emulating other service execution tools such as <a href="/versions/v16/software/S0029">PsExec</a>.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="SecureAuth. (n.d.). Retrieved January 15, 2019."data-reference="Impacket Tools">^{<a href="https://www.secureauth.com/labs/open-source-tools/impacket" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1032"> G1032 </a> </td> <td> <a href="/versions/v16/groups/G1032"> INC Ransom </a> </td> <td> <p><a href="/versions/v16/groups/G1032">INC Ransom</a> has run a file encryption executable via <code>Service Control Manager/7045;winupd,%SystemRoot%\winupd.exe,user mode service,demand start,LocalSystem</code>.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024."data-reference="Huntress INC Ransom Group August 2023">^{<a href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0260"> S0260 </a> </td> <td> <a href="/versions/v16/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/versions/v16/software/S0260">InvisiMole</a> has used Windows services as a way to execute its malicious payload.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020."data-reference="ESET InvisiMole June 2020">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1132"> S1132 </a> </td> <td> <a href="/versions/v16/software/S1132"> IPsec Helper </a> </td> <td> <p><a href="/versions/v16/software/S1132">IPsec Helper</a> is run as a Windows service in victim environments.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024."data-reference="SentinelOne Agrius 2021">^{<a href="https://assets.sentinelone.com/sentinellabs/evol-agrius" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0004"> G0004 </a> </td> <td> <a href="/versions/v16/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/versions/v16/groups/G0004">Ke3chang</a> has used a tool known as RemoteExec (similar to <a href="/versions/v16/software/S0029">PsExec</a>) to remotely execute batch scripts and binaries.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018."data-reference="NCC Group APT15 Alive and Strong">^{<a href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0250"> S0250 </a> </td> <td> <a href="/versions/v16/software/S0250"> Koadic </a> </td> <td> <p><a href="/versions/v16/software/S0250">Koadic</a> can run a command on another machine using <a href="/versions/v16/software/S0029">PsExec</a>.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024."data-reference="Github Koadic">^{<a href="https://github.com/offsecginger/koadic" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0451"> S0451 </a> </td> <td> <a href="/versions/v16/software/S0451"> LoudMiner </a> </td> <td> <p><a href="/versions/v16/software/S0451">LoudMiner</a> started the cryptomining virtual machine as a service on the infected machine.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."data-reference="ESET LoudMiner June 2019">^{<a href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1060"> S1060 </a> </td> <td> <a href="/versions/v16/software/S1060"> Mafalda </a> </td> <td> <p><a href="/versions/v16/software/S1060">Mafalda</a> can create a remote service, let it run once, and then delete it.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023."data-reference="SentinelLabs Metador Technical Appendix Sept 2022">^{<a href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1036"> G1036 </a> </td> <td> <a href="/versions/v16/groups/G1036"> Moonstone Sleet </a> </td> <td> <p><a href="/versions/v16/groups/G1036">Moonstone Sleet</a> used intermediate loader malware such as YouieLoader and SplitLoader that create malicious services.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024."data-reference="Microsoft Moonstone Sleet 2024">^{<a href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0039"> S0039 </a> </td> <td> <a href="/versions/v16/software/S0039"> Net </a> </td> <td> <p>The <code>net start</code> and <code>net stop</code> commands can be used in <a href="/versions/v16/software/S0039">Net</a> to execute or stop Windows services.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999">^{<a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0056"> S0056 </a> </td> <td> <a href="/versions/v16/software/S0056"> Net Crawler </a> </td> <td> <p><a href="/versions/v16/software/S0056">Net Crawler</a> uses <a href="/versions/v16/software/S0029">PsExec</a> to perform remote service manipulation to execute a copy of itself as part of lateral movement.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017."data-reference="Cylance Cleaver">^{<a href="https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0457"> S0457 </a> </td> <td> <a href="/versions/v16/software/S0457"> Netwalker </a> </td> <td> <p>Operators deploying <a href="/versions/v16/software/S0457">Netwalker</a> have used psexec and certutil to retrieve the <a href="/versions/v16/software/S0457">Netwalker</a> payload.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020."data-reference="Sophos Netwalker May 2020">^{<a href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0368"> S0368 </a> </td> <td> <a href="/versions/v16/software/S0368"> NotPetya </a> </td> <td> <p><a href="/versions/v16/software/S0368">NotPetya</a> can use <a href="/versions/v16/software/S0029">PsExec</a> to help propagate itself across a network.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019."data-reference="Talos Nyetya June 2017">^{<a href="https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a>}</span><span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019."data-reference="US-CERT NotPetya 2017">^{<a href="https://www.us-cert.gov/ncas/alerts/TA17-181A" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0439"> S0439 </a> </td> <td> <a href="/versions/v16/software/S0439"> Okrum </a> </td> <td> <p><a href="/versions/v16/software/S0439">Okrum</a>'s loader can create a new service named NtmsSvc to execute the payload.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020."data-reference="ESET Okrum July 2019">^{<a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0365"> S0365 </a> </td> <td> <a href="/versions/v16/software/S0365"> Olympic Destroyer </a> </td> <td> <p><a href="/versions/v16/software/S0365">Olympic Destroyer</a> utilizes <a href="/versions/v16/software/S0029">PsExec</a> to help propagate itself across a network.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019."data-reference="Talos Olympic Destroyer 2018">^{<a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0006"> C0006 </a> </td> <td> <a href="/versions/v16/campaigns/C0006"> Operation Honeybee </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0006">Operation Honeybee</a>, threat actors ran <code>sc start</code> to start the COMSysApp as part of the service hijacking and <code>sc stop</code> to stop and reconfigure the COMSysApp.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018."data-reference="McAfee Honeybee">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0014"> C0014 </a> </td> <td> <a href="/versions/v16/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors created services on remote systems for execution purposes.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019">^{<a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0664"> S0664 </a> </td> <td> <a href="/versions/v16/software/S0664"> Pandora </a> </td> <td> <p><a href="/versions/v16/software/S0664">Pandora</a> has the ability to install itself as a Windows service.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021."data-reference="Trend Micro Iron Tiger April 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0378"> S0378 </a> </td> <td> <a href="/versions/v16/software/S0378"> PoshC2 </a> </td> <td> <p><a href="/versions/v16/software/S0378">PoshC2</a> contains an implementation of <a href="/versions/v16/software/S0029">PsExec</a> for remote execution.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019."data-reference="GitHub PoshC2">^{<a href="https://github.com/nettitude/PoshC2_Python" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0238"> S0238 </a> </td> <td> <a href="/versions/v16/software/S0238"> Proxysvc </a> </td> <td> <p><a href="/versions/v16/software/S0238">Proxysvc</a> registers itself as a service on the victim’s machine to run as a standalone process.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018."data-reference="McAfee GhostSecret">^{<a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0029"> S0029 </a> </td> <td> <a href="/versions/v16/software/S0029"> PsExec </a> </td> <td> <p>Microsoft Sysinternals <a href="/versions/v16/software/S0029">PsExec</a> is a popular administration tool that can be used to execute binaries on remote systems using a temporary Windows service.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015."data-reference="Russinovich Sysinternals">^{<a href="https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0192"> S0192 </a> </td> <td> <a href="/versions/v16/software/S0192"> Pupy </a> </td> <td> <p><a href="/versions/v16/software/S0192">Pupy</a> uses <a href="/versions/v16/software/S0029">PsExec</a> to execute a payload or commands on a remote host.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Nicolas Verdier. (n.d.). Retrieved January 29, 2018."data-reference="GitHub Pupy">^{<a href="https://github.com/n1nj4sec/pupy" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0583"> S0583 </a> </td> <td> <a href="/versions/v16/software/S0583"> Pysa </a> </td> <td> <p><a href="/versions/v16/software/S0583">Pysa</a> has used <a href="/versions/v16/software/S0029">PsExec</a> to copy and execute the ransomware.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021."data-reference="CERT-FR PYSA April 2020">^{<a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0481"> S0481 </a> </td> <td> <a href="/versions/v16/software/S0481"> Ragnar Locker </a> </td> <td> <p><a href="/versions/v16/software/S0481">Ragnar Locker</a> has used sc.exe to execute a service that it creates.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020."data-reference="Sophos Ragnar May 2020">^{<a href="https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0166"> S0166 </a> </td> <td> <a href="/versions/v16/software/S0166"> RemoteCMD </a> </td> <td> <p><a href="/versions/v16/software/S0166">RemoteCMD</a> can execute commands remotely by creating a new service on the remote system.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016."data-reference="Symantec Buckeye">^{<a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0140"> S0140 </a> </td> <td> <a href="/versions/v16/software/S0140"> Shamoon </a> </td> <td> <p><a href="/versions/v16/software/S0140">Shamoon</a> creates a new service named "ntssrv" to execute the payload. <a href="/versions/v16/software/S0140">Shamoon</a> can also spread via <a href="/versions/v16/software/S0029">PsExec</a>.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017."data-reference="Palo Alto Shamoon Nov 2016">^{<a href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a>}</span><span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 19). Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems. Retrieved May 29, 2020."data-reference="McAfee Shamoon December19 2018">^{<a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0091"> G0091 </a> </td> <td> <a href="/versions/v16/groups/G0091"> Silence </a> </td> <td> <p><a href="/versions/v16/groups/G0091">Silence</a> has used <a href="/versions/v16/software/S0191">Winexe</a> to install a service on the remote system.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019."data-reference="SecureList Silence Nov 2017">^{<a href="https://securelist.com/the-silence/83009/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a>}</span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020."data-reference="Group IB Silence Sept 2018">^{<a href="https://go.group-ib.com/report-silence-en?_gl=1*d1bh3a*_ga*MTIwMzM5Mzc5MS4xNjk4OTI5NzY4*_ga_QMES53K3Y2*MTcwNDcyMjU2OS40LjEuMTcwNDcyMzU1Mi41My4wLjA." target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0533"> S0533 </a> </td> <td> <a href="/versions/v16/software/S0533"> SLOTHFULMEDIA </a> </td> <td> <p><a href="/versions/v16/software/S0533">SLOTHFULMEDIA</a> has the capability to start services.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020."data-reference="CISA MAR SLOTHFULMEDIA October 2020">^{<a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0491"> S0491 </a> </td> <td> <a href="/versions/v16/software/S0491"> StrongPity </a> </td> <td> <p><a href="/versions/v16/software/S0491">StrongPity</a> can install a service to execute itself as a service.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020."data-reference="Talos Promethium June 2020">^{<a href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a>}</span><span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020."data-reference="Bitdefender StrongPity June 2020">^{<a href="https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0663"> S0663 </a> </td> <td> <a href="/versions/v16/software/S0663"> SysUpdate </a> </td> <td> <p><a href="/versions/v16/software/S0663">SysUpdate</a> can manage services and processes.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021."data-reference="Trend Micro Iron Tiger April 2021">^{<a href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0668"> S0668 </a> </td> <td> <a href="/versions/v16/software/S0668"> TinyTurla </a> </td> <td> <p><a href="/versions/v16/software/S0668">TinyTurla</a> can install itself as a service on compromised machines.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021."data-reference="Talos TinyTurla September 2021">^{<a href="https://blog.talosintelligence.com/2021/09/tinyturla.html" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0612"> S0612 </a> </td> <td> <a href="/versions/v16/software/S0612"> WastedLocker </a> </td> <td> <p><a href="/versions/v16/software/S0612">WastedLocker</a> can execute itself as a service.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021."data-reference="NCC Group WastedLocker June 2020">^{<a href="https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0689"> S0689 </a> </td> <td> <a href="/versions/v16/software/S0689"> WhisperGate </a> </td> <td> <p><a href="/versions/v16/software/S0689">WhisperGate</a> can download and execute AdvancedRun.exe via <code>sc.exe</code>.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022."data-reference="Medium S2W WhisperGate January 2022">^{<a href="https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a>}</span><span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022."data-reference="Unit 42 WhisperGate January 2022">^{<a href="https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/#whispergate-malware-family" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0191"> S0191 </a> </td> <td> <a href="/versions/v16/software/S0191"> Winexe </a> </td> <td> <p><a href="/versions/v16/software/S0191">Winexe</a> installs a service on the remote system, executes the command, then uninstalls the service.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Prakash, T. (2017, June 21). Run commands on Windows system remotely using Winexe. Retrieved September 12, 2024."data-reference="Secpod Winexe June 2017">^{<a href="https://web.archive.org/web/20211019012628/https://www.secpod.com/blog/winexe/" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0176"> S0176 </a> </td> <td> <a href="/versions/v16/software/S0176"> Wingbird </a> </td> <td> <p><a href="/versions/v16/software/S0176">Wingbird</a> uses services.exe to register a new autostart service named "Audit Service" using a copy of the local lsass.exe file.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017."data-reference="Microsoft SIR Vol 21">^{<a href="http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a>}</span><span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017."data-reference="Microsoft Wingbird Nov 2017">^{<a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Wingbird.A!dha" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0141"> S0141 </a> </td> <td> <a href="/versions/v16/software/S0141"> Winnti for Windows </a> </td> <td> <p><a href="/versions/v16/software/S0141">Winnti for Windows</a> can run as a service using svchost.exe.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017."data-reference="Novetta Winnti April 2015">^{<a href="https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0102"> G0102 </a> </td> <td> <a href="/versions/v16/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/versions/v16/groups/G0102">Wizard Spider</a> has used <code>services.exe</code> to execute scripts and executables during lateral movement within a victim's network. <a href="/versions/v16/groups/G0102">Wizard Spider</a> has also used batch scripts that leverage <a href="/versions/v16/software/S0029">PsExec</a> to execute a previously transferred ransomware payload on a victim's network.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020."data-reference="DFIR Ryuk's Return October 2020">^{<a href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a>}</span><span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020."data-reference="DFIR Ryuk in 5 Hours October 2020">^{<a href="https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a>}</span><span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023."data-reference="Mandiant FIN12 Oct 2021">^{<a href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0123"> S0123 </a> </td> <td> <a href="/versions/v16/software/S0123"> xCmd </a> </td> <td> <p><a href="/versions/v16/software/S0123">xCmd</a> can be used to execute binaries on remote systems by creating and starting a service.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Rayaprolu, A.. (2011, April 12). xCmd an Alternative to PsExec. Retrieved August 10, 2016."data-reference="xCmd">^{<a href="https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0412"> S0412 </a> </td> <td> <a href="/versions/v16/software/S0412"> ZxShell </a> </td> <td> <p><a href="/versions/v16/software/S0412">ZxShell</a> can create a new service for execution.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019."data-reference="Talos ZxShell Oct 2014">^{<a href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a>}</span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/mitigations/M1040"> M1040 </a> </td> <td> <a href="/versions/v16/mitigations/M1040"> Behavior Prevention on Endpoint </a> </td> <td> <p>On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by <a href="/versions/v16/software/S0029">PsExec</a> from running. <span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021."data-reference="win10_asr">^{<a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a>}</span></p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M1026"> M1026 </a> </td> <td> <a href="/versions/v16/mitigations/M1026"> Privileged Account Management </a> </td> <td> <p>Ensure that permissions disallow services that run at a higher permissions level from being created or interacted with by a user with a lower permission level.</p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M1022"> M1022 </a> </td> <td> <a href="/versions/v16/mitigations/M1022"> Restrict File and Directory Permissions </a> </td> <td> <p>Ensure that high permission level service binaries cannot be replaced or modified by users with a lower permission level.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/versions/v16/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments that may abuse the Windows service control manager to execute malicious commands or payloads.</p><p>Analytic 1- Commands abusing Windows service control manager.</p><p><code>sourcetype=WinEventLog:Security OR sourcetype=Powershell OR sourcetype=Sysmon EventCode IN (1,4688,4104) | search command_line IN ("sc.exe<em>", "net start</em>", "net stop<em>", "psexec.exe</em>")| where user!="SYSTEM" // Exclude common system-level activities</code></p> </td> </tr> <tr class="datasource" id="uses-DS0029"> <td> <a href="/versions/v16/datasources/DS0029">DS0029</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0029">Network Traffic</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Flow">Network Traffic Flow</a> </td> <td> <p>Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.</p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/versions/v16/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor for newly executed processes that may abuse the Windows service control manager to execute malicious commands or payloads.</p><p>Events 4688 (Microsoft Windows Security Auditing) and 1 (Microsoft Windows Sysmon) provide context of Windows processes creation that can be used to implement this detection.</p><p>This detection is based on uncommon process and parent process relationships. Service Control Manager spawning command shell is a good starting point. Add more suspicious relationships based on the reality of your network environment.</p><p>In order to reduce false positives, you can also filter the CommandLine event field using parameters such as /c which carries out the command specified by the parent process.</p><p>Analytic 1 - Service Execution</p><p><code>(source="<em>WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="</em>WinEventLog:Security" EventCode="4688") | WHERE Image LIKE "<em>services.exe" AND Image LIKE "</em>cmd.exe"</code></p> </td> </tr> <tr class="datasource" id="uses-DS0019"> <td> <a href="/versions/v16/datasources/DS0019">DS0019</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0019">Service</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0019/#Service%20Creation">Service Creation</a> </td> <td> <p>Monitor newly constructed services that abuse control manager to execute malicious commands or payloads.</p><p>Analytic 1 - Suspicious Service Creation</p><p><code>sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:System EventCode=4697 OR EventCode=7045| table _time, user, service_name, service_file_name, process_id| where service_file_name != "<em>legitimate_software_path</em>" // Exclude legitimate services </code></p> </td> </tr> <tr class="datasource" id="uses-DS0024"> <td> <a href="/versions/v16/datasources/DS0024">DS0024</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0024">Windows Registry</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Modification">Windows Registry Key Modification</a> </td> <td> <p>Monitor for changes made to windows registry keys and/or values that may abuse the Windows service control manager to execute malicious commands or payloads.</p><p>Analytic 1 - Registry changes related to service execution.</p><p><code> sourcetype=WinEventLog:Security OR sourcetype=Sysmon EventCode=13 OR EventCode=4657| search registry_path IN ("HKLM\SYSTEM\CurrentControlSet\Services<em>")| where registry_value != "</em>legitimate_software_registry*" // Filter out common services</code></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://docs.microsoft.com/windows/win32/services/service-control-manager" target="_blank"> Microsoft. (2018, May 31). Service Control Manager. Retrieved March 28, 2020. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://technet.microsoft.com/en-us/sysinternals/bb897553.aspx" target="_blank"> Russinovich, M. (2014, May 2). Windows Sysinternals PsExec v2.11. Retrieved May 13, 2015. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://medium.com/stage-2-security/anchor-dns-malware-family-goes-cross-platform-d807ba13ca30" target="_blank"> Grange, W. (2020, July 13). Anchor_dns malware goes cross platform. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank"> Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a" target="_blank"> DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.bitdefender.com/blog/labs/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/" target="_blank"> Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/chafer-latest-attacks-reveal-heightened-ambitions" target="_blank"> Symantec. (2018, February 28). Chafer: Latest Attacks Reveal Heightened Ambitions. Retrieved May 22, 2020. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" target="_blank"> Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank"> Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://cloud.google.com/blog/topics/threat-intelligence/apt41-arisen-from-dust" target="_blank"> Mike Stokkel et al. (2024, July 18). APT41 Has Arisen From the DUST. Retrieved September 16, 2024. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank"> Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="http://researchcenter.paloaltonetworks.com/2015/12/bbsrat-attacks-targeting-russian-organizations-linked-to-roaming-tiger/" target="_blank"> Lee, B. Grunzweig, J. (2015, December 22). BBSRAT Attacks Targeting Russian Organizations Linked to Roaming Tiger. Retrieved August 19, 2016. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank"> Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank"> Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://documents.trendmicro.com/assets/white_papers/wp-uncovering-DRBcontrol.pdf" target="_blank"> Lunghi, D. et al. (2020, February). Uncovering DRBControl. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" target="_blank"> Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.cobaltstrike.com/downloads/reports/tacticstechniquesandprocedures.pdf" target="_blank"> Cobalt Strike. (2017, December 8). Tactics, Techniques, and Procedures. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank"> Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.trellix.com/blogs/research/the-continued-evolution-of-the-darkgate-malware-as-a-service/" target="_blank"> Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://assets.sentinelone.com/sentinellabs/evol-agrius" target="_blank"> Amitai Ben & Shushan Ehrlich. (2021, May). From Wiper to Ransomware: The Evolution of Agrius. Retrieved May 21, 2024. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.fireeye.com/blog/threat-research/2019/04/pick-six-intercepting-a-fin6-intrusion.html" target="_blank"> McKeague, B. et al. (2019, April 5). Pick-Six: Intercepting a FIN6 Intrusion, an Actor Recently Tied to Ryuk and LockerGoga Ransomware. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://cybersecurity.att.com/blogs/labs-research/the-odd-case-of-a-gh0strat-variant" target="_blank"> Quinn, J. (2019, March 25). The odd case of a Gh0stRAT variant. Retrieved July 15, 2020. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.sentinelone.com/labs/hermetic-wiper-ukraine-under-attack" target="_blank"> Guerrero-Saade, J. (2022, February 23). HermeticWiper | New Destructive Malware Used In Cyber Attacks on Ukraine. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.crowdstrike.com/blog/how-crowdstrike-falcon-protects-against-wiper-malware-used-in-ukraine-attacks/" target="_blank"> Thomas, W. et al. (2022, February 25). CrowdStrike Falcon Protects from New Wiper Malware Used in Ukraine Cyberattacks. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://blog.qualys.com/vulnerabilities-threat-research/2022/03/01/ukrainian-targets-hit-by-hermeticwiper-new-datawiper-malware" target="_blank"> Dani, M. (2022, March 1). Ukrainian Targets Hit by HermeticWiper, New Datawiper Malware. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" target="_blank"> ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targetingUkraine. Retrieved April 10, 2022. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank"> US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.symantec.com/connect/blogs/how-trojanhydraq-stays-your-computer" target="_blank"> Fitzgerald, P. (2010, January 26). How Trojan.Hydraq Stays On Your Computer. Retrieved February 22, 2018. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" target="_blank"> Falcone, R. and Lancaster, T. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.secureauth.com/labs/open-source-tools/impacket" target="_blank"> SecureAuth. (n.d.). Retrieved January 15, 2019. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank"> Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank"> Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://github.com/offsecginger/koadic" target="_blank"> Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank"> Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank"> SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="40.0"> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www.microsoft.com/en-us/security/blog/2024/05/28/moonstone-sleet-emerges-as-new-north-korean-threat-actor-with-new-bag-of-tricks/" target="_blank"> Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank"> Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://web.archive.org/web/20200302085133/https://www.cylance.com/content/dam/cylance/pages/operation-cleaver/Cylance_Operation_Cleaver_Report.pdf" target="_blank"> Cylance. (2014, December). Operation Cleaver. Retrieved September 14, 2017. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank"> Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" target="_blank"> Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.us-cert.gov/ncas/alerts/TA17-181A" target="_blank"> US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank"> Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank"> Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank"> Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://github.com/nettitude/PoshC2_Python" target="_blank"> Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank"> Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://github.com/n1nj4sec/pupy" target="_blank"> Nicolas Verdier. (n.d.). Retrieved January 29, 2018. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2020-CTI-003.pdf" target="_blank"> CERT-FR. (2020, April 1). ATTACKS INVOLVING THE MESPINOZA/PYSA RANSOMWARE. Retrieved March 1, 2021. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://news.sophos.com/en-us/2020/05/21/ragnar-locker-ransomware-deploys-virtual-machine-to-dodge-security/" target="_blank"> SophosLabs. (2020, May 21). Ragnar Locker ransomware deploys virtual machine to dodge security. Retrieved June 29, 2020. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank"> Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank"> Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/shamoon-attackers-employ-new-tool-kit-to-wipe-infected-systems/" target="_blank"> Roccia, T., Saavedra-Morales, J., Beek, C.. (2018, December 19). Shamoon Attackers Employ New Tool Kit to Wipe Infected Systems. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://securelist.com/the-silence/83009/" target="_blank"> GReAT. (2017, November 1). Silence – a new Trojan attacking financial organizations. Retrieved May 24, 2019. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://go.group-ib.com/report-silence-en?_gl=1*d1bh3a*_ga*MTIwMzM5Mzc5MS4xNjk4OTI5NzY4*_ga_QMES53K3Y2*MTcwNDcyMjU2OS40LjEuMTcwNDcyMzU1Mi41My4wLjA." target="_blank"> Group-IB. (2018, September). Silence: Moving Into the Darkside. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank"> DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank"> Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" target="_blank"> Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://blog.talosintelligence.com/2021/09/tinyturla.html" target="_blank"> Cisco Talos. (2021, September 21). TinyTurla - Turla deploys new malware to keep a secret backdoor on victim machines. Retrieved December 2, 2021. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://research.nccgroup.com/2020/06/23/wastedlocker-a-new-ransomware-variant-developed-by-the-evil-corp-group/" target="_blank"> Antenucci, S., Pantazopoulos, N., Sandee, M. (2020, June 23). WastedLocker: A New Ransomware Variant Developed By The Evil Corp Group. Retrieved September 14, 2021. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://medium.com/s2wblog/analysis-of-destructive-malware-whispergate-targeting-ukraine-9d5d158f19f3" target="_blank"> S2W. (2022, January 18). Analysis of Destructive Malware (WhisperGate) targeting Ukraine. Retrieved March 14, 2022. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://unit42.paloaltonetworks.com/ukraine-cyber-conflict-cve-2021-32648-whispergate/#whispergate-malware-family" target="_blank"> Falcone, R. et al.. (2022, January 20). Threat Brief: Ongoing Russia and Ukraine Cyber Conflict. Retrieved March 10, 2022. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://web.archive.org/web/20211019012628/https://www.secpod.com/blog/winexe/" target="_blank"> Prakash, T. (2017, June 21). Run commands on Windows system remotely using Winexe. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="http://download.microsoft.com/download/E/B/0/EB0F50CC-989C-4B66-B7F6-68CD3DC90DE3/Microsoft_Security_Intelligence_Report_Volume_21_English.pdf" target="_blank"> Anthe, C. et al. (2016, December 14). Microsoft Security Intelligence Report Volume 21. Retrieved November 27, 2017. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Backdoor:Win32/Wingbird.A!dha" target="_blank"> Microsoft. (2017, November 9). Backdoor:Win32/Wingbird.A!dha. Retrieved November 27, 2017. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://web.archive.org/web/20150412223949/http://www.novetta.com/wp-content/uploads/2015/04/novetta_winntianalysis.pdf" target="_blank"> Novetta Threat Research Group. (2015, April 7). Winnti Analysis. Retrieved February 8, 2017. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank"> The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" target="_blank"> The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank"> Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://ashwinrayaprolu.wordpress.com/2011/04/12/xcmd-an-alternative-to-psexec/" target="_blank"> Rayaprolu, A.. (2011, April 12). xCmd an Alternative to PsExec. Retrieved August 10, 2016. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://blogs.cisco.com/security/talos/opening-zxshell" target="_blank"> Allievi, A., et al. (2014, October 28). Threat Spotlight: Group 72, Opening the ZxShell. Retrieved September 24, 2019. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction" target="_blank"> Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v16/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v16/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v16/theme/scripts/popper.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v16/theme/scripts/site.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/tour/tour-subtechniques.js"></script> <script src="/versions/v16/theme/scripts/sidebar-load-all.js"></script> </body> </html>