CINXE.COM

Obfuscated Files or Information, Technique T1027 - Enterprise | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1, shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v9/theme/favicon.ico" type='image/x-icon'> <title>Obfuscated Files or Information, Technique T1027 - Enterprise | MITRE ATT&CK&reg;</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v9/theme/style/bootstrap-tourist.css" /> <link rel="stylesheet" type="text/css" href="/versions/v9/theme/style.min.css?426cc53a"> </head> <body> <!--stopindex--> <header> <nav class='navbar navbar-expand-lg navbar-dark fixed-top'> <a class='navbar-brand' href="/versions/v9/"><img src="/versions/v9/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item"> <a href="/versions/v9/matrices/" class="nav-link" ><b>Matrices</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/tactics/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/techniques/mobile/">Mobile</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v9/mitigations/mobile/">Mobile</a> </div> </li> <li class="nav-item"> <a href="/versions/v9/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v9/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v9/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v9/resources/">General Information</a> <a class="dropdown-item" href="/versions/v9/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v9/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v9/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v9/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v9/resources/related-projects/">Related Projects</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v9/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v9/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div class="search-icon"></div></button> </li> </ul> </div> </nav> </header> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v9/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v9.0" target="_blank">ATT&CK v9.0</a> which was live between April 29, 2021 and October 20, 2021. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div id='content' class="maincontent"> <!--start-indexing-for-search--> <div class='container-fluid h-100'> <div class='row h-100'> <div class="nav flex-column col-xl-2 col-lg-3 col-md-3 sidebar nav pt-5 pb-3 pl-3 border-right" id="v-tab" role="tablist" aria-orientation="vertical"> <!--stop-indexing-for-search--> <div id="v-tab" role="tablist" aria-orientation="vertical"> <span class="heading" id="v-home-tab" aria-selected="false">TECHNIQUES</span> <div class="sidenav"> <div class="sidenav-head " id="enterprise"> <a href="/versions/v9/techniques/enterprise/"> Enterprise </a> <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043"> <a href="/versions/v9/tactics/TA0043"> Reconnaissance </a> <div class="expand-button collapsed" id="enterprise-TA0043-header" data-toggle="collapse" data-target="#enterprise-TA0043-body" aria-expanded="false" aria-controls="#enterprise-TA0043-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-body" aria-labelledby="enterprise-TA0043-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1595"> <a href="/versions/v9/techniques/T1595/"> Active Scanning </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1595-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1595-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1595-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1595-body" aria-labelledby="enterprise-TA0043-T1595-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.001"> <a href="/versions/v9/techniques/T1595/001/"> Scanning IP Blocks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1595-T1595.002"> <a href="/versions/v9/techniques/T1595/002/"> Vulnerability Scanning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1592"> <a href="/versions/v9/techniques/T1592/"> Gather Victim Host Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1592-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1592-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1592-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1592-body" aria-labelledby="enterprise-TA0043-T1592-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.001"> <a href="/versions/v9/techniques/T1592/001/"> Hardware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.002"> <a href="/versions/v9/techniques/T1592/002/"> Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.003"> <a href="/versions/v9/techniques/T1592/003/"> Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1592-T1592.004"> <a href="/versions/v9/techniques/T1592/004/"> Client Configurations </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1589"> <a href="/versions/v9/techniques/T1589/"> Gather Victim Identity Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1589-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1589-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1589-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1589-body" aria-labelledby="enterprise-TA0043-T1589-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.001"> <a href="/versions/v9/techniques/T1589/001/"> Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.002"> <a href="/versions/v9/techniques/T1589/002/"> Email Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1589-T1589.003"> <a href="/versions/v9/techniques/T1589/003/"> Employee Names </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1590"> <a href="/versions/v9/techniques/T1590/"> Gather Victim Network Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1590-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1590-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1590-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1590-body" aria-labelledby="enterprise-TA0043-T1590-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.001"> <a href="/versions/v9/techniques/T1590/001/"> Domain Properties </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.002"> <a href="/versions/v9/techniques/T1590/002/"> DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.003"> <a href="/versions/v9/techniques/T1590/003/"> Network Trust Dependencies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.004"> <a href="/versions/v9/techniques/T1590/004/"> Network Topology </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.005"> <a href="/versions/v9/techniques/T1590/005/"> IP Addresses </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1590-T1590.006"> <a href="/versions/v9/techniques/T1590/006/"> Network Security Appliances </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1591"> <a href="/versions/v9/techniques/T1591/"> Gather Victim Org Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1591-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1591-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1591-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1591-body" aria-labelledby="enterprise-TA0043-T1591-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.001"> <a href="/versions/v9/techniques/T1591/001/"> Determine Physical Locations </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.002"> <a href="/versions/v9/techniques/T1591/002/"> Business Relationships </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.003"> <a href="/versions/v9/techniques/T1591/003/"> Identify Business Tempo </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1591-T1591.004"> <a href="/versions/v9/techniques/T1591/004/"> Identify Roles </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1598"> <a href="/versions/v9/techniques/T1598/"> Phishing for Information </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1598-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1598-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1598-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1598-body" aria-labelledby="enterprise-TA0043-T1598-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.001"> <a href="/versions/v9/techniques/T1598/001/"> Spearphishing Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.002"> <a href="/versions/v9/techniques/T1598/002/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1598-T1598.003"> <a href="/versions/v9/techniques/T1598/003/"> Spearphishing Link </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1597"> <a href="/versions/v9/techniques/T1597/"> Search Closed Sources </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1597-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1597-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1597-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1597-body" aria-labelledby="enterprise-TA0043-T1597-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.001"> <a href="/versions/v9/techniques/T1597/001/"> Threat Intel Vendors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1597-T1597.002"> <a href="/versions/v9/techniques/T1597/002/"> Purchase Technical Data </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1596"> <a href="/versions/v9/techniques/T1596/"> Search Open Technical Databases </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1596-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1596-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1596-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1596-body" aria-labelledby="enterprise-TA0043-T1596-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.001"> <a href="/versions/v9/techniques/T1596/001/"> DNS/Passive DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.002"> <a href="/versions/v9/techniques/T1596/002/"> WHOIS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.003"> <a href="/versions/v9/techniques/T1596/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.004"> <a href="/versions/v9/techniques/T1596/004/"> CDNs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1596-T1596.005"> <a href="/versions/v9/techniques/T1596/005/"> Scan Databases </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0043-T1593"> <a href="/versions/v9/techniques/T1593/"> Search Open Websites/Domains </a> <div class="expand-button collapsed" id="enterprise-TA0043-T1593-header" data-toggle="collapse" data-target="#enterprise-TA0043-T1593-body" aria-expanded="false" aria-controls="#enterprise-TA0043-T1593-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0043-T1593-body" aria-labelledby="enterprise-TA0043-T1593-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.001"> <a href="/versions/v9/techniques/T1593/001/"> Social Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1593-T1593.002"> <a href="/versions/v9/techniques/T1593/002/"> Search Engines </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0043-T1594"> <a href="/versions/v9/techniques/T1594/"> Search Victim-Owned Websites </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042"> <a href="/versions/v9/tactics/TA0042"> Resource Development </a> <div class="expand-button collapsed" id="enterprise-TA0042-header" data-toggle="collapse" data-target="#enterprise-TA0042-body" aria-expanded="false" aria-controls="#enterprise-TA0042-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-body" aria-labelledby="enterprise-TA0042-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1583"> <a href="/versions/v9/techniques/T1583/"> Acquire Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1583-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1583-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1583-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1583-body" aria-labelledby="enterprise-TA0042-T1583-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.001"> <a href="/versions/v9/techniques/T1583/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.002"> <a href="/versions/v9/techniques/T1583/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.003"> <a href="/versions/v9/techniques/T1583/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.004"> <a href="/versions/v9/techniques/T1583/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.005"> <a href="/versions/v9/techniques/T1583/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1583-T1583.006"> <a href="/versions/v9/techniques/T1583/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1586"> <a href="/versions/v9/techniques/T1586/"> Compromise Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1586-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1586-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1586-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1586-body" aria-labelledby="enterprise-TA0042-T1586-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1586-T1586.001"> <a href="/versions/v9/techniques/T1586/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1586-T1586.002"> <a href="/versions/v9/techniques/T1586/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1584"> <a href="/versions/v9/techniques/T1584/"> Compromise Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1584-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1584-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1584-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1584-body" aria-labelledby="enterprise-TA0042-T1584-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.001"> <a href="/versions/v9/techniques/T1584/001/"> Domains </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.002"> <a href="/versions/v9/techniques/T1584/002/"> DNS Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.003"> <a href="/versions/v9/techniques/T1584/003/"> Virtual Private Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.004"> <a href="/versions/v9/techniques/T1584/004/"> Server </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.005"> <a href="/versions/v9/techniques/T1584/005/"> Botnet </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1584-T1584.006"> <a href="/versions/v9/techniques/T1584/006/"> Web Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1587"> <a href="/versions/v9/techniques/T1587/"> Develop Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1587-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1587-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1587-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1587-body" aria-labelledby="enterprise-TA0042-T1587-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.001"> <a href="/versions/v9/techniques/T1587/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.002"> <a href="/versions/v9/techniques/T1587/002/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.003"> <a href="/versions/v9/techniques/T1587/003/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1587-T1587.004"> <a href="/versions/v9/techniques/T1587/004/"> Exploits </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1585"> <a href="/versions/v9/techniques/T1585/"> Establish Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1585-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1585-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1585-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1585-body" aria-labelledby="enterprise-TA0042-T1585-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.001"> <a href="/versions/v9/techniques/T1585/001/"> Social Media Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1585-T1585.002"> <a href="/versions/v9/techniques/T1585/002/"> Email Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1588"> <a href="/versions/v9/techniques/T1588/"> Obtain Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1588-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1588-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1588-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1588-body" aria-labelledby="enterprise-TA0042-T1588-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.001"> <a href="/versions/v9/techniques/T1588/001/"> Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.002"> <a href="/versions/v9/techniques/T1588/002/"> Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.003"> <a href="/versions/v9/techniques/T1588/003/"> Code Signing Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.004"> <a href="/versions/v9/techniques/T1588/004/"> Digital Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.005"> <a href="/versions/v9/techniques/T1588/005/"> Exploits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1588-T1588.006"> <a href="/versions/v9/techniques/T1588/006/"> Vulnerabilities </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0042-T1608"> <a href="/versions/v9/techniques/T1608/"> Stage Capabilities </a> <div class="expand-button collapsed" id="enterprise-TA0042-T1608-header" data-toggle="collapse" data-target="#enterprise-TA0042-T1608-body" aria-expanded="false" aria-controls="#enterprise-TA0042-T1608-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0042-T1608-body" aria-labelledby="enterprise-TA0042-T1608-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.001"> <a href="/versions/v9/techniques/T1608/001/"> Upload Malware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.002"> <a href="/versions/v9/techniques/T1608/002/"> Upload Tool </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.003"> <a href="/versions/v9/techniques/T1608/003/"> Install Digital Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.004"> <a href="/versions/v9/techniques/T1608/004/"> Drive-by Target </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0042-T1608-T1608.005"> <a href="/versions/v9/techniques/T1608/005/"> Link Target </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001"> <a href="/versions/v9/tactics/TA0001"> Initial Access </a> <div class="expand-button collapsed" id="enterprise-TA0001-header" data-toggle="collapse" data-target="#enterprise-TA0001-body" aria-expanded="false" aria-controls="#enterprise-TA0001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-body" aria-labelledby="enterprise-TA0001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1189"> <a href="/versions/v9/techniques/T1189/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1190"> <a href="/versions/v9/techniques/T1190/"> Exploit Public-Facing Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1200"> <a href="/versions/v9/techniques/T1200/"> Hardware Additions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1566"> <a href="/versions/v9/techniques/T1566/"> Phishing </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1566-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1566-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1566-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1566-body" aria-labelledby="enterprise-TA0001-T1566-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.001"> <a href="/versions/v9/techniques/T1566/001/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.002"> <a href="/versions/v9/techniques/T1566/002/"> Spearphishing Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1566-T1566.003"> <a href="/versions/v9/techniques/T1566/003/"> Spearphishing via Service </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1195"> <a href="/versions/v9/techniques/T1195/"> Supply Chain Compromise </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1195-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1195-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1195-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1195-body" aria-labelledby="enterprise-TA0001-T1195-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.001"> <a href="/versions/v9/techniques/T1195/001/"> Compromise Software Dependencies and Development Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.002"> <a href="/versions/v9/techniques/T1195/002/"> Compromise Software Supply Chain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1195-T1195.003"> <a href="/versions/v9/techniques/T1195/003/"> Compromise Hardware Supply Chain </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1199"> <a href="/versions/v9/techniques/T1199/"> Trusted Relationship </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0001-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0001-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0001-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0001-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0001-T1078-body" aria-labelledby="enterprise-TA0001-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0001-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002"> <a href="/versions/v9/tactics/TA0002"> Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-header" data-toggle="collapse" data-target="#enterprise-TA0002-body" aria-expanded="false" aria-controls="#enterprise-TA0002-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-body" aria-labelledby="enterprise-TA0002-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1059"> <a href="/versions/v9/techniques/T1059/"> Command and Scripting Interpreter </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1059-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1059-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1059-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1059-body" aria-labelledby="enterprise-TA0002-T1059-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.001"> <a href="/versions/v9/techniques/T1059/001/"> PowerShell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.002"> <a href="/versions/v9/techniques/T1059/002/"> AppleScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.003"> <a href="/versions/v9/techniques/T1059/003/"> Windows Command Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.004"> <a href="/versions/v9/techniques/T1059/004/"> Unix Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.005"> <a href="/versions/v9/techniques/T1059/005/"> Visual Basic </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.006"> <a href="/versions/v9/techniques/T1059/006/"> Python </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.007"> <a href="/versions/v9/techniques/T1059/007/"> JavaScript </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1059-T1059.008"> <a href="/versions/v9/techniques/T1059/008/"> Network Device CLI </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1609"> <a href="/versions/v9/techniques/T1609/"> Container Administration Command </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1203"> <a href="/versions/v9/techniques/T1203/"> Exploitation for Client Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1559"> <a href="/versions/v9/techniques/T1559/"> Inter-Process Communication </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1559-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1559-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1559-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1559-body" aria-labelledby="enterprise-TA0002-T1559-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.001"> <a href="/versions/v9/techniques/T1559/001/"> Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1559-T1559.002"> <a href="/versions/v9/techniques/T1559/002/"> Dynamic Data Exchange </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1106"> <a href="/versions/v9/techniques/T1106/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1053-body" aria-labelledby="enterprise-TA0002-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1129"> <a href="/versions/v9/techniques/T1129/"> Shared Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1569"> <a href="/versions/v9/techniques/T1569/"> System Services </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1569-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1569-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1569-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1569-body" aria-labelledby="enterprise-TA0002-T1569-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1569-T1569.001"> <a href="/versions/v9/techniques/T1569/001/"> Launchctl </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1569-T1569.002"> <a href="/versions/v9/techniques/T1569/002/"> Service Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1204"> <a href="/versions/v9/techniques/T1204/"> User Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1204-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1204-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1204-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1204-body" aria-labelledby="enterprise-TA0002-T1204-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.001"> <a href="/versions/v9/techniques/T1204/001/"> Malicious Link </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.002"> <a href="/versions/v9/techniques/T1204/002/"> Malicious File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1204-T1204.003"> <a href="/versions/v9/techniques/T1204/003/"> Malicious Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0002-T1047"> <a href="/versions/v9/techniques/T1047/"> Windows Management Instrumentation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003"> <a href="/versions/v9/tactics/TA0003"> Persistence </a> <div class="expand-button collapsed" id="enterprise-TA0003-header" data-toggle="collapse" data-target="#enterprise-TA0003-body" aria-expanded="false" aria-controls="#enterprise-TA0003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-body" aria-labelledby="enterprise-TA0003-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098"> <a href="/versions/v9/techniques/T1098/"> Account Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1098-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1098-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1098-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1098-body" aria-labelledby="enterprise-TA0003-T1098-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.001"> <a href="/versions/v9/techniques/T1098/001/"> Additional Cloud Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.002"> <a href="/versions/v9/techniques/T1098/002/"> Exchange Email Delegate Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.003"> <a href="/versions/v9/techniques/T1098/003/"> Add Office 365 Global Administrator Role </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1098-T1098.004"> <a href="/versions/v9/techniques/T1098/004/"> SSH Authorized Keys </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1547-body" aria-labelledby="enterprise-TA0003-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1037-body" aria-labelledby="enterprise-TA0003-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1176"> <a href="/versions/v9/techniques/T1176/"> Browser Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1554"> <a href="/versions/v9/techniques/T1554/"> Compromise Client Software Binary </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1136"> <a href="/versions/v9/techniques/T1136/"> Create Account </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1136-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1136-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1136-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1136-body" aria-labelledby="enterprise-TA0003-T1136-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.001"> <a href="/versions/v9/techniques/T1136/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.002"> <a href="/versions/v9/techniques/T1136/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1136-T1136.003"> <a href="/versions/v9/techniques/T1136/003/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1543-body" aria-labelledby="enterprise-TA0003-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1546-body" aria-labelledby="enterprise-TA0003-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1133"> <a href="/versions/v9/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1574-body" aria-labelledby="enterprise-TA0003-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1525"> <a href="/versions/v9/techniques/T1525/"> Implant Internal Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1556-body" aria-labelledby="enterprise-TA0003-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137"> <a href="/versions/v9/techniques/T1137/"> Office Application Startup </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1137-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1137-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1137-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1137-body" aria-labelledby="enterprise-TA0003-T1137-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.001"> <a href="/versions/v9/techniques/T1137/001/"> Office Template Macros </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.002"> <a href="/versions/v9/techniques/T1137/002/"> Office Test </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.003"> <a href="/versions/v9/techniques/T1137/003/"> Outlook Forms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.004"> <a href="/versions/v9/techniques/T1137/004/"> Outlook Home Page </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.005"> <a href="/versions/v9/techniques/T1137/005/"> Outlook Rules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1137-T1137.006"> <a href="/versions/v9/techniques/T1137/006/"> Add-ins </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1542-body" aria-labelledby="enterprise-TA0003-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1053-body" aria-labelledby="enterprise-TA0003-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505"> <a href="/versions/v9/techniques/T1505/"> Server Software Component </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1505-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1505-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1505-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1505-body" aria-labelledby="enterprise-TA0003-T1505-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.001"> <a href="/versions/v9/techniques/T1505/001/"> SQL Stored Procedures </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.002"> <a href="/versions/v9/techniques/T1505/002/"> Transport Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1505-T1505.003"> <a href="/versions/v9/techniques/T1505/003/"> Web Shell </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1205-body" aria-labelledby="enterprise-TA0003-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1078-body" aria-labelledby="enterprise-TA0003-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0003-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004"> <a href="/versions/v9/tactics/TA0004"> Privilege Escalation </a> <div class="expand-button collapsed" id="enterprise-TA0004-header" data-toggle="collapse" data-target="#enterprise-TA0004-body" aria-expanded="false" aria-controls="#enterprise-TA0004-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-body" aria-labelledby="enterprise-TA0004-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1548-body" aria-labelledby="enterprise-TA0004-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.002"> <a href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1134-body" aria-labelledby="enterprise-TA0004-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547"> <a href="/versions/v9/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1547-body" aria-labelledby="enterprise-TA0004-T1547-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.001"> <a href="/versions/v9/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.002"> <a href="/versions/v9/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.003"> <a href="/versions/v9/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.004"> <a href="/versions/v9/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.005"> <a href="/versions/v9/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.006"> <a href="/versions/v9/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.007"> <a href="/versions/v9/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.008"> <a href="/versions/v9/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.009"> <a href="/versions/v9/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.010"> <a href="/versions/v9/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.011"> <a href="/versions/v9/techniques/T1547/011/"> Plist Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.012"> <a href="/versions/v9/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.013"> <a href="/versions/v9/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1547-T1547.014"> <a href="/versions/v9/techniques/T1547/014/"> Active Setup </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037"> <a href="/versions/v9/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1037-body" aria-labelledby="enterprise-TA0004-T1037-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.001"> <a href="/versions/v9/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.002"> <a href="/versions/v9/techniques/T1037/002/"> Logon Script (Mac) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.003"> <a href="/versions/v9/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.004"> <a href="/versions/v9/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1037-T1037.005"> <a href="/versions/v9/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543"> <a href="/versions/v9/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1543-body" aria-labelledby="enterprise-TA0004-T1543-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.001"> <a href="/versions/v9/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.002"> <a href="/versions/v9/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.003"> <a href="/versions/v9/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1543-T1543.004"> <a href="/versions/v9/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1484-body" aria-labelledby="enterprise-TA0004-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1611"> <a href="/versions/v9/techniques/T1611/"> Escape to Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546"> <a href="/versions/v9/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1546-body" aria-labelledby="enterprise-TA0004-T1546-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.001"> <a href="/versions/v9/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.002"> <a href="/versions/v9/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.003"> <a href="/versions/v9/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.004"> <a href="/versions/v9/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.005"> <a href="/versions/v9/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.006"> <a href="/versions/v9/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.007"> <a href="/versions/v9/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.008"> <a href="/versions/v9/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.009"> <a href="/versions/v9/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.010"> <a href="/versions/v9/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.011"> <a href="/versions/v9/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.012"> <a href="/versions/v9/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.013"> <a href="/versions/v9/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.014"> <a href="/versions/v9/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1546-T1546.015"> <a href="/versions/v9/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1068"> <a href="/versions/v9/techniques/T1068/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1574-body" aria-labelledby="enterprise-TA0004-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1055-body" aria-labelledby="enterprise-TA0004-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.009"> <a href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053"> <a href="/versions/v9/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1053-body" aria-labelledby="enterprise-TA0004-T1053-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.001"> <a href="/versions/v9/techniques/T1053/001/"> At (Linux) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.002"> <a href="/versions/v9/techniques/T1053/002/"> At (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.003"> <a href="/versions/v9/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.004"> <a href="/versions/v9/techniques/T1053/004/"> Launchd </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.005"> <a href="/versions/v9/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.006"> <a href="/versions/v9/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1053-T1053.007"> <a href="/versions/v9/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1078-body" aria-labelledby="enterprise-TA0004-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0004-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005"> <a href="/versions/v9/tactics/TA0005"> Defense Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-header" data-toggle="collapse" data-target="#enterprise-TA0005-body" aria-expanded="false" aria-controls="#enterprise-TA0005-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-body" aria-labelledby="enterprise-TA0005-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548"> <a href="/versions/v9/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1548-body" aria-labelledby="enterprise-TA0005-T1548-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.001"> <a href="/versions/v9/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.002"> <a href="/versions/v9/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.003"> <a href="/versions/v9/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1548-T1548.004"> <a href="/versions/v9/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134"> <a href="/versions/v9/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1134-body" aria-labelledby="enterprise-TA0005-T1134-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.001"> <a href="/versions/v9/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.002"> <a href="/versions/v9/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.003"> <a href="/versions/v9/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.004"> <a href="/versions/v9/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1134-T1134.005"> <a href="/versions/v9/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1197"> <a href="/versions/v9/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1612"> <a href="/versions/v9/techniques/T1612/"> Build Image on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1140"> <a href="/versions/v9/techniques/T1140/"> Deobfuscate/Decode Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1610"> <a href="/versions/v9/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1006"> <a href="/versions/v9/techniques/T1006/"> Direct Volume Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484"> <a href="/versions/v9/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1484-body" aria-labelledby="enterprise-TA0005-T1484-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.001"> <a href="/versions/v9/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1484-T1484.002"> <a href="/versions/v9/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480"> <a href="/versions/v9/techniques/T1480/"> Execution Guardrails </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1480-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1480-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1480-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1480-body" aria-labelledby="enterprise-TA0005-T1480-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1480-T1480.001"> <a href="/versions/v9/techniques/T1480/001/"> Environmental Keying </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1211"> <a href="/versions/v9/techniques/T1211/"> Exploitation for Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222"> <a href="/versions/v9/techniques/T1222/"> File and Directory Permissions Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1222-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1222-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1222-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1222-body" aria-labelledby="enterprise-TA0005-T1222-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.001"> <a href="/versions/v9/techniques/T1222/001/"> Windows File and Directory Permissions Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1222-T1222.002"> <a href="/versions/v9/techniques/T1222/002/"> Linux and Mac File and Directory Permissions Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564"> <a href="/versions/v9/techniques/T1564/"> Hide Artifacts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1564-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1564-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1564-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1564-body" aria-labelledby="enterprise-TA0005-T1564-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.001"> <a href="/versions/v9/techniques/T1564/001/"> Hidden Files and Directories </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.002"> <a href="/versions/v9/techniques/T1564/002/"> Hidden Users </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.003"> <a href="/versions/v9/techniques/T1564/003/"> Hidden Window </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.004"> <a href="/versions/v9/techniques/T1564/004/"> NTFS File Attributes </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.005"> <a href="/versions/v9/techniques/T1564/005/"> Hidden File System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.006"> <a href="/versions/v9/techniques/T1564/006/"> Run Virtual Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1564-T1564.007"> <a href="/versions/v9/techniques/T1564/007/"> VBA Stomping </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574"> <a href="/versions/v9/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1574-body" aria-labelledby="enterprise-TA0005-T1574-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.001"> <a href="/versions/v9/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.002"> <a href="/versions/v9/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.004"> <a href="/versions/v9/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.005"> <a href="/versions/v9/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.006"> <a href="/versions/v9/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.007"> <a href="/versions/v9/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.008"> <a href="/versions/v9/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.009"> <a href="/versions/v9/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.010"> <a href="/versions/v9/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.011"> <a href="/versions/v9/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1574-T1574.012"> <a href="/versions/v9/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562"> <a href="/versions/v9/techniques/T1562/"> Impair Defenses </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1562-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1562-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1562-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1562-body" aria-labelledby="enterprise-TA0005-T1562-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.001"> <a href="/versions/v9/techniques/T1562/001/"> Disable or Modify Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.002"> <a href="/versions/v9/techniques/T1562/002/"> Disable Windows Event Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.003"> <a href="/versions/v9/techniques/T1562/003/"> Impair Command History Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.004"> <a href="/versions/v9/techniques/T1562/004/"> Disable or Modify System Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.006"> <a href="/versions/v9/techniques/T1562/006/"> Indicator Blocking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.007"> <a href="/versions/v9/techniques/T1562/007/"> Disable or Modify Cloud Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1562-T1562.008"> <a href="/versions/v9/techniques/T1562/008/"> Disable Cloud Logs </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070"> <a href="/versions/v9/techniques/T1070/"> Indicator Removal on Host </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1070-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1070-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1070-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1070-body" aria-labelledby="enterprise-TA0005-T1070-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.001"> <a href="/versions/v9/techniques/T1070/001/"> Clear Windows Event Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.002"> <a href="/versions/v9/techniques/T1070/002/"> Clear Linux or Mac System Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.003"> <a href="/versions/v9/techniques/T1070/003/"> Clear Command History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.004"> <a href="/versions/v9/techniques/T1070/004/"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.005"> <a href="/versions/v9/techniques/T1070/005/"> Network Share Connection Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1070-T1070.006"> <a href="/versions/v9/techniques/T1070/006/"> Timestomp </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1202"> <a href="/versions/v9/techniques/T1202/"> Indirect Command Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036"> <a href="/versions/v9/techniques/T1036/"> Masquerading </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1036-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1036-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1036-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1036-body" aria-labelledby="enterprise-TA0005-T1036-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.001"> <a href="/versions/v9/techniques/T1036/001/"> Invalid Code Signature </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.002"> <a href="/versions/v9/techniques/T1036/002/"> Right-to-Left Override </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.003"> <a href="/versions/v9/techniques/T1036/003/"> Rename System Utilities </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.004"> <a href="/versions/v9/techniques/T1036/004/"> Masquerade Task or Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.005"> <a href="/versions/v9/techniques/T1036/005/"> Match Legitimate Name or Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1036-T1036.006"> <a href="/versions/v9/techniques/T1036/006/"> Space after Filename </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1556-body" aria-labelledby="enterprise-TA0005-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1578"> <a href="/versions/v9/techniques/T1578/"> Modify Cloud Compute Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1578-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1578-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1578-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1578-body" aria-labelledby="enterprise-TA0005-T1578-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.001"> <a href="/versions/v9/techniques/T1578/001/"> Create Snapshot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.002"> <a href="/versions/v9/techniques/T1578/002/"> Create Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.003"> <a href="/versions/v9/techniques/T1578/003/"> Delete Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1578-T1578.004"> <a href="/versions/v9/techniques/T1578/004/"> Revert Cloud Instance </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1112"> <a href="/versions/v9/techniques/T1112/"> Modify Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1601"> <a href="/versions/v9/techniques/T1601/"> Modify System Image </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1601-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1601-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1601-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1601-body" aria-labelledby="enterprise-TA0005-T1601-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.001"> <a href="/versions/v9/techniques/T1601/001/"> Patch System Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1601-T1601.002"> <a href="/versions/v9/techniques/T1601/002/"> Downgrade System Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1599"> <a href="/versions/v9/techniques/T1599/"> Network Boundary Bridging </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1599-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1599-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1599-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1599-body" aria-labelledby="enterprise-TA0005-T1599-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1599-T1599.001"> <a href="/versions/v9/techniques/T1599/001/"> Network Address Translation Traversal </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head active" id="enterprise-TA0005-T1027"> <a href="/versions/v9/techniques/T1027/"> Obfuscated Files or Information </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1027-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1027-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1027-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1027-body" aria-labelledby="enterprise-TA0005-T1027-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.001"> <a href="/versions/v9/techniques/T1027/001/"> Binary Padding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.002"> <a href="/versions/v9/techniques/T1027/002/"> Software Packing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.003"> <a href="/versions/v9/techniques/T1027/003/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.004"> <a href="/versions/v9/techniques/T1027/004/"> Compile After Delivery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1027-T1027.005"> <a href="/versions/v9/techniques/T1027/005/"> Indicator Removal from Tools </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542"> <a href="/versions/v9/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1542-body" aria-labelledby="enterprise-TA0005-T1542-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.001"> <a href="/versions/v9/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.002"> <a href="/versions/v9/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.003"> <a href="/versions/v9/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.004"> <a href="/versions/v9/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1542-T1542.005"> <a href="/versions/v9/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055"> <a href="/versions/v9/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1055-body" aria-labelledby="enterprise-TA0005-T1055-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.001"> <a href="/versions/v9/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.002"> <a href="/versions/v9/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.003"> <a href="/versions/v9/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.004"> <a href="/versions/v9/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.005"> <a href="/versions/v9/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.008"> <a href="/versions/v9/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.009"> <a href="/versions/v9/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.011"> <a href="/versions/v9/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.012"> <a href="/versions/v9/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.013"> <a href="/versions/v9/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1055-T1055.014"> <a href="/versions/v9/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1207"> <a href="/versions/v9/techniques/T1207/"> Rogue Domain Controller </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1014"> <a href="/versions/v9/techniques/T1014/"> Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218"> <a href="/versions/v9/techniques/T1218/"> Signed Binary Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1218-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1218-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1218-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1218-body" aria-labelledby="enterprise-TA0005-T1218-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.001"> <a href="/versions/v9/techniques/T1218/001/"> Compiled HTML File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.002"> <a href="/versions/v9/techniques/T1218/002/"> Control Panel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.003"> <a href="/versions/v9/techniques/T1218/003/"> CMSTP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.004"> <a href="/versions/v9/techniques/T1218/004/"> InstallUtil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.005"> <a href="/versions/v9/techniques/T1218/005/"> Mshta </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.007"> <a href="/versions/v9/techniques/T1218/007/"> Msiexec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.008"> <a href="/versions/v9/techniques/T1218/008/"> Odbcconf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.009"> <a href="/versions/v9/techniques/T1218/009/"> Regsvcs/Regasm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.010"> <a href="/versions/v9/techniques/T1218/010/"> Regsvr32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.011"> <a href="/versions/v9/techniques/T1218/011/"> Rundll32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1218-T1218.012"> <a href="/versions/v9/techniques/T1218/012/"> Verclsid </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1216"> <a href="/versions/v9/techniques/T1216/"> Signed Script Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1216-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1216-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1216-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1216-body" aria-labelledby="enterprise-TA0005-T1216-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1216-T1216.001"> <a href="/versions/v9/techniques/T1216/001/"> PubPrn </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553"> <a href="/versions/v9/techniques/T1553/"> Subvert Trust Controls </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1553-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1553-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1553-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1553-body" aria-labelledby="enterprise-TA0005-T1553-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.001"> <a href="/versions/v9/techniques/T1553/001/"> Gatekeeper Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.002"> <a href="/versions/v9/techniques/T1553/002/"> Code Signing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.003"> <a href="/versions/v9/techniques/T1553/003/"> SIP and Trust Provider Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.004"> <a href="/versions/v9/techniques/T1553/004/"> Install Root Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.005"> <a href="/versions/v9/techniques/T1553/005/"> Mark-of-the-Web Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1553-T1553.006"> <a href="/versions/v9/techniques/T1553/006/"> Code Signing Policy Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1221"> <a href="/versions/v9/techniques/T1221/"> Template Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1205-body" aria-labelledby="enterprise-TA0005-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1127"> <a href="/versions/v9/techniques/T1127/"> Trusted Developer Utilities Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1127-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1127-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1127-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1127-body" aria-labelledby="enterprise-TA0005-T1127-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1127-T1127.001"> <a href="/versions/v9/techniques/T1127/001/"> MSBuild </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1535"> <a href="/versions/v9/techniques/T1535/"> Unused/Unsupported Cloud Regions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1550-body" aria-labelledby="enterprise-TA0005-T1550-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1078"> <a href="/versions/v9/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1078-body" aria-labelledby="enterprise-TA0005-T1078-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.001"> <a href="/versions/v9/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.002"> <a href="/versions/v9/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.003"> <a href="/versions/v9/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1078-T1078.004"> <a href="/versions/v9/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1497"> <a href="/versions/v9/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1497-body" aria-labelledby="enterprise-TA0005-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1600"> <a href="/versions/v9/techniques/T1600/"> Weaken Encryption </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1600-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1600-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1600-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1600-body" aria-labelledby="enterprise-TA0005-T1600-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.001"> <a href="/versions/v9/techniques/T1600/001/"> Reduce Key Space </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1600-T1600.002"> <a href="/versions/v9/techniques/T1600/002/"> Disable Crypto Hardware </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0005-T1220"> <a href="/versions/v9/techniques/T1220/"> XSL Script Processing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006"> <a href="/versions/v9/tactics/TA0006"> Credential Access </a> <div class="expand-button collapsed" id="enterprise-TA0006-header" data-toggle="collapse" data-target="#enterprise-TA0006-body" aria-expanded="false" aria-controls="#enterprise-TA0006-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-body" aria-labelledby="enterprise-TA0006-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1110"> <a href="/versions/v9/techniques/T1110/"> Brute Force </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1110-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1110-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1110-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1110-body" aria-labelledby="enterprise-TA0006-T1110-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.001"> <a href="/versions/v9/techniques/T1110/001/"> Password Guessing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.002"> <a href="/versions/v9/techniques/T1110/002/"> Password Cracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.003"> <a href="/versions/v9/techniques/T1110/003/"> Password Spraying </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1110-T1110.004"> <a href="/versions/v9/techniques/T1110/004/"> Credential Stuffing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555"> <a href="/versions/v9/techniques/T1555/"> Credentials from Password Stores </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1555-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1555-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1555-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1555-body" aria-labelledby="enterprise-TA0006-T1555-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.001"> <a href="/versions/v9/techniques/T1555/001/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.002"> <a href="/versions/v9/techniques/T1555/002/"> Securityd Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.003"> <a href="/versions/v9/techniques/T1555/003/"> Credentials from Web Browsers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.004"> <a href="/versions/v9/techniques/T1555/004/"> Windows Credential Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1555-T1555.005"> <a href="/versions/v9/techniques/T1555/005/"> Password Managers </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1212"> <a href="/versions/v9/techniques/T1212/"> Exploitation for Credential Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1187"> <a href="/versions/v9/techniques/T1187/"> Forced Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1606"> <a href="/versions/v9/techniques/T1606/"> Forge Web Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1606-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1606-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1606-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1606-body" aria-labelledby="enterprise-TA0006-T1606-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1606-T1606.001"> <a href="/versions/v9/techniques/T1606/001/"> Web Cookies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1606-T1606.002"> <a href="/versions/v9/techniques/T1606/002/"> SAML Tokens </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1056-body" aria-labelledby="enterprise-TA0006-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1056-T1056.004"> <a href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1557-body" aria-labelledby="enterprise-TA0006-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556"> <a href="/versions/v9/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1556-body" aria-labelledby="enterprise-TA0006-T1556-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.001"> <a href="/versions/v9/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.002"> <a href="/versions/v9/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.003"> <a href="/versions/v9/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1556-T1556.004"> <a href="/versions/v9/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003"> <a href="/versions/v9/techniques/T1003/"> OS Credential Dumping </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1003-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1003-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1003-body" aria-labelledby="enterprise-TA0006-T1003-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.001"> <a href="/versions/v9/techniques/T1003/001/"> LSASS Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.002"> <a href="/versions/v9/techniques/T1003/002/"> Security Account Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.003"> <a href="/versions/v9/techniques/T1003/003/"> NTDS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.004"> <a href="/versions/v9/techniques/T1003/004/"> LSA Secrets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.005"> <a href="/versions/v9/techniques/T1003/005/"> Cached Domain Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.006"> <a href="/versions/v9/techniques/T1003/006/"> DCSync </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.007"> <a href="/versions/v9/techniques/T1003/007/"> Proc Filesystem </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1003-T1003.008"> <a href="/versions/v9/techniques/T1003/008/"> /etc/passwd and /etc/shadow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1528"> <a href="/versions/v9/techniques/T1528/"> Steal Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558"> <a href="/versions/v9/techniques/T1558/"> Steal or Forge Kerberos Tickets </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1558-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1558-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1558-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1558-body" aria-labelledby="enterprise-TA0006-T1558-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.001"> <a href="/versions/v9/techniques/T1558/001/"> Golden Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.002"> <a href="/versions/v9/techniques/T1558/002/"> Silver Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.003"> <a href="/versions/v9/techniques/T1558/003/"> Kerberoasting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1558-T1558.004"> <a href="/versions/v9/techniques/T1558/004/"> AS-REP Roasting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1539"> <a href="/versions/v9/techniques/T1539/"> Steal Web Session Cookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1111"> <a href="/versions/v9/techniques/T1111/"> Two-Factor Authentication Interception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552"> <a href="/versions/v9/techniques/T1552/"> Unsecured Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1552-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1552-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1552-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1552-body" aria-labelledby="enterprise-TA0006-T1552-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.001"> <a href="/versions/v9/techniques/T1552/001/"> Credentials In Files </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.002"> <a href="/versions/v9/techniques/T1552/002/"> Credentials in Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.003"> <a href="/versions/v9/techniques/T1552/003/"> Bash History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.004"> <a href="/versions/v9/techniques/T1552/004/"> Private Keys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.005"> <a href="/versions/v9/techniques/T1552/005/"> Cloud Instance Metadata API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.006"> <a href="/versions/v9/techniques/T1552/006/"> Group Policy Preferences </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0006-T1552-T1552.007"> <a href="/versions/v9/techniques/T1552/007/"> Container API </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007"> <a href="/versions/v9/tactics/TA0007"> Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-header" data-toggle="collapse" data-target="#enterprise-TA0007-body" aria-expanded="false" aria-controls="#enterprise-TA0007-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-body" aria-labelledby="enterprise-TA0007-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087"> <a href="/versions/v9/techniques/T1087/"> Account Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1087-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1087-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1087-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1087-body" aria-labelledby="enterprise-TA0007-T1087-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.001"> <a href="/versions/v9/techniques/T1087/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.002"> <a href="/versions/v9/techniques/T1087/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.003"> <a href="/versions/v9/techniques/T1087/003/"> Email Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1087-T1087.004"> <a href="/versions/v9/techniques/T1087/004/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1010"> <a href="/versions/v9/techniques/T1010/"> Application Window Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1217"> <a href="/versions/v9/techniques/T1217/"> Browser Bookmark Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1580"> <a href="/versions/v9/techniques/T1580/"> Cloud Infrastructure Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1538"> <a href="/versions/v9/techniques/T1538/"> Cloud Service Dashboard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1526"> <a href="/versions/v9/techniques/T1526/"> Cloud Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1613"> <a href="/versions/v9/techniques/T1613/"> Container and Resource Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1482"> <a href="/versions/v9/techniques/T1482/"> Domain Trust Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1083"> <a href="/versions/v9/techniques/T1083/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1046"> <a href="/versions/v9/techniques/T1046/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1135"> <a href="/versions/v9/techniques/T1135/"> Network Share Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1040"> <a href="/versions/v9/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1201"> <a href="/versions/v9/techniques/T1201/"> Password Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1120"> <a href="/versions/v9/techniques/T1120/"> Peripheral Device Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069"> <a href="/versions/v9/techniques/T1069/"> Permission Groups Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1069-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1069-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1069-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1069-body" aria-labelledby="enterprise-TA0007-T1069-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.001"> <a href="/versions/v9/techniques/T1069/001/"> Local Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.002"> <a href="/versions/v9/techniques/T1069/002/"> Domain Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1069-T1069.003"> <a href="/versions/v9/techniques/T1069/003/"> Cloud Groups </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1057"> <a href="/versions/v9/techniques/T1057/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1012"> <a href="/versions/v9/techniques/T1012/"> Query Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1018"> <a href="/versions/v9/techniques/T1018/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518"> <a href="/versions/v9/techniques/T1518/"> Software Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1518-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1518-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1518-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1518-body" aria-labelledby="enterprise-TA0007-T1518-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1518-T1518.001"> <a href="/versions/v9/techniques/T1518/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1082"> <a href="/versions/v9/techniques/T1082/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1614"> <a href="/versions/v9/techniques/T1614/"> System Location Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016"> <a href="/versions/v9/techniques/T1016/"> System Network Configuration Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1016-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1016-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1016-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1016-body" aria-labelledby="enterprise-TA0007-T1016-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1016-T1016.001"> <a href="/versions/v9/techniques/T1016/001/"> Internet Connection Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1049"> <a href="/versions/v9/techniques/T1049/"> System Network Connections Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1033"> <a href="/versions/v9/techniques/T1033/"> System Owner/User Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1007"> <a href="/versions/v9/techniques/T1007/"> System Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1124"> <a href="/versions/v9/techniques/T1124/"> System Time Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497"> <a href="/versions/v9/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1497-body" aria-labelledby="enterprise-TA0007-T1497-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.001"> <a href="/versions/v9/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.002"> <a href="/versions/v9/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0007-T1497-T1497.003"> <a href="/versions/v9/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008"> <a href="/versions/v9/tactics/TA0008"> Lateral Movement </a> <div class="expand-button collapsed" id="enterprise-TA0008-header" data-toggle="collapse" data-target="#enterprise-TA0008-body" aria-expanded="false" aria-controls="#enterprise-TA0008-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-body" aria-labelledby="enterprise-TA0008-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1210"> <a href="/versions/v9/techniques/T1210/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1534"> <a href="/versions/v9/techniques/T1534/"> Internal Spearphishing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1570"> <a href="/versions/v9/techniques/T1570/"> Lateral Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563"> <a href="/versions/v9/techniques/T1563/"> Remote Service Session Hijacking </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1563-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1563-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1563-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1563-body" aria-labelledby="enterprise-TA0008-T1563-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.001"> <a href="/versions/v9/techniques/T1563/001/"> SSH Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1563-T1563.002"> <a href="/versions/v9/techniques/T1563/002/"> RDP Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021"> <a href="/versions/v9/techniques/T1021/"> Remote Services </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1021-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1021-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1021-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1021-body" aria-labelledby="enterprise-TA0008-T1021-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.001"> <a href="/versions/v9/techniques/T1021/001/"> Remote Desktop Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.002"> <a href="/versions/v9/techniques/T1021/002/"> SMB/Windows Admin Shares </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.003"> <a href="/versions/v9/techniques/T1021/003/"> Distributed Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.004"> <a href="/versions/v9/techniques/T1021/004/"> SSH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.005"> <a href="/versions/v9/techniques/T1021/005/"> VNC </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1021-T1021.006"> <a href="/versions/v9/techniques/T1021/006/"> Windows Remote Management </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1091"> <a href="/versions/v9/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1072"> <a href="/versions/v9/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1080"> <a href="/versions/v9/techniques/T1080/"> Taint Shared Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550"> <a href="/versions/v9/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1550-body" aria-labelledby="enterprise-TA0008-T1550-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.001"> <a href="/versions/v9/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.002"> <a href="/versions/v9/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.003"> <a href="/versions/v9/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0008-T1550-T1550.004"> <a href="/versions/v9/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009"> <a href="/versions/v9/tactics/TA0009"> Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-header" data-toggle="collapse" data-target="#enterprise-TA0009-body" aria-expanded="false" aria-controls="#enterprise-TA0009-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-body" aria-labelledby="enterprise-TA0009-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560"> <a href="/versions/v9/techniques/T1560/"> Archive Collected Data </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1560-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1560-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1560-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1560-body" aria-labelledby="enterprise-TA0009-T1560-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.001"> <a href="/versions/v9/techniques/T1560/001/"> Archive via Utility </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.002"> <a href="/versions/v9/techniques/T1560/002/"> Archive via Library </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1560-T1560.003"> <a href="/versions/v9/techniques/T1560/003/"> Archive via Custom Method </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1123"> <a href="/versions/v9/techniques/T1123/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1119"> <a href="/versions/v9/techniques/T1119/"> Automated Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1115"> <a href="/versions/v9/techniques/T1115/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1530"> <a href="/versions/v9/techniques/T1530/"> Data from Cloud Storage Object </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602"> <a href="/versions/v9/techniques/T1602/"> Data from Configuration Repository </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1602-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1602-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1602-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1602-body" aria-labelledby="enterprise-TA0009-T1602-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.001"> <a href="/versions/v9/techniques/T1602/001/"> SNMP (MIB Dump) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1602-T1602.002"> <a href="/versions/v9/techniques/T1602/002/"> Network Device Configuration Dump </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213"> <a href="/versions/v9/techniques/T1213/"> Data from Information Repositories </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1213-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1213-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1213-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1213-body" aria-labelledby="enterprise-TA0009-T1213-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.001"> <a href="/versions/v9/techniques/T1213/001/"> Confluence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1213-T1213.002"> <a href="/versions/v9/techniques/T1213/002/"> Sharepoint </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1005"> <a href="/versions/v9/techniques/T1005/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1039"> <a href="/versions/v9/techniques/T1039/"> Data from Network Shared Drive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1025"> <a href="/versions/v9/techniques/T1025/"> Data from Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1074"> <a href="/versions/v9/techniques/T1074/"> Data Staged </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1074-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1074-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1074-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1074-body" aria-labelledby="enterprise-TA0009-T1074-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1074-T1074.001"> <a href="/versions/v9/techniques/T1074/001/"> Local Data Staging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1074-T1074.002"> <a href="/versions/v9/techniques/T1074/002/"> Remote Data Staging </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1114"> <a href="/versions/v9/techniques/T1114/"> Email Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1114-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1114-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1114-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1114-body" aria-labelledby="enterprise-TA0009-T1114-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.001"> <a href="/versions/v9/techniques/T1114/001/"> Local Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.002"> <a href="/versions/v9/techniques/T1114/002/"> Remote Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1114-T1114.003"> <a href="/versions/v9/techniques/T1114/003/"> Email Forwarding Rule </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1056"> <a href="/versions/v9/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1056-body" aria-labelledby="enterprise-TA0009-T1056-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.001"> <a href="/versions/v9/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.002"> <a href="/versions/v9/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.003"> <a href="/versions/v9/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1056-T1056.004"> <a href="/versions/v9/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1185"> <a href="/versions/v9/techniques/T1185/"> Man in the Browser </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557"> <a href="/versions/v9/techniques/T1557/"> Man-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1557-body" aria-labelledby="enterprise-TA0009-T1557-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.001"> <a href="/versions/v9/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1557-T1557.002"> <a href="/versions/v9/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1113"> <a href="/versions/v9/techniques/T1113/"> Screen Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0009-T1125"> <a href="/versions/v9/techniques/T1125/"> Video Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011"> <a href="/versions/v9/tactics/TA0011"> Command and Control </a> <div class="expand-button collapsed" id="enterprise-TA0011-header" data-toggle="collapse" data-target="#enterprise-TA0011-body" aria-expanded="false" aria-controls="#enterprise-TA0011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-body" aria-labelledby="enterprise-TA0011-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1071"> <a href="/versions/v9/techniques/T1071/"> Application Layer Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1071-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1071-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1071-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1071-body" aria-labelledby="enterprise-TA0011-T1071-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.001"> <a href="/versions/v9/techniques/T1071/001/"> Web Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.002"> <a href="/versions/v9/techniques/T1071/002/"> File Transfer Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.003"> <a href="/versions/v9/techniques/T1071/003/"> Mail Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1071-T1071.004"> <a href="/versions/v9/techniques/T1071/004/"> DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1092"> <a href="/versions/v9/techniques/T1092/"> Communication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1132"> <a href="/versions/v9/techniques/T1132/"> Data Encoding </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1132-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1132-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1132-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1132-body" aria-labelledby="enterprise-TA0011-T1132-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1132-T1132.001"> <a href="/versions/v9/techniques/T1132/001/"> Standard Encoding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1132-T1132.002"> <a href="/versions/v9/techniques/T1132/002/"> Non-Standard Encoding </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1001"> <a href="/versions/v9/techniques/T1001/"> Data Obfuscation </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1001-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1001-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1001-body" aria-labelledby="enterprise-TA0011-T1001-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.001"> <a href="/versions/v9/techniques/T1001/001/"> Junk Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.002"> <a href="/versions/v9/techniques/T1001/002/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1001-T1001.003"> <a href="/versions/v9/techniques/T1001/003/"> Protocol Impersonation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1568"> <a href="/versions/v9/techniques/T1568/"> Dynamic Resolution </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1568-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1568-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1568-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1568-body" aria-labelledby="enterprise-TA0011-T1568-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.001"> <a href="/versions/v9/techniques/T1568/001/"> Fast Flux DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.002"> <a href="/versions/v9/techniques/T1568/002/"> Domain Generation Algorithms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1568-T1568.003"> <a href="/versions/v9/techniques/T1568/003/"> DNS Calculation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1573"> <a href="/versions/v9/techniques/T1573/"> Encrypted Channel </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1573-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1573-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1573-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1573-body" aria-labelledby="enterprise-TA0011-T1573-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.001"> <a href="/versions/v9/techniques/T1573/001/"> Symmetric Cryptography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1573-T1573.002"> <a href="/versions/v9/techniques/T1573/002/"> Asymmetric Cryptography </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1008"> <a href="/versions/v9/techniques/T1008/"> Fallback Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1105"> <a href="/versions/v9/techniques/T1105/"> Ingress Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1104"> <a href="/versions/v9/techniques/T1104/"> Multi-Stage Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1095"> <a href="/versions/v9/techniques/T1095/"> Non-Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1571"> <a href="/versions/v9/techniques/T1571/"> Non-Standard Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1572"> <a href="/versions/v9/techniques/T1572/"> Protocol Tunneling </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1090"> <a href="/versions/v9/techniques/T1090/"> Proxy </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1090-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1090-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1090-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1090-body" aria-labelledby="enterprise-TA0011-T1090-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.001"> <a href="/versions/v9/techniques/T1090/001/"> Internal Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.002"> <a href="/versions/v9/techniques/T1090/002/"> External Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.003"> <a href="/versions/v9/techniques/T1090/003/"> Multi-hop Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1090-T1090.004"> <a href="/versions/v9/techniques/T1090/004/"> Domain Fronting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1219"> <a href="/versions/v9/techniques/T1219/"> Remote Access Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1205"> <a href="/versions/v9/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1205-body" aria-labelledby="enterprise-TA0011-T1205-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1205-T1205.001"> <a href="/versions/v9/techniques/T1205/001/"> Port Knocking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1102"> <a href="/versions/v9/techniques/T1102/"> Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1102-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1102-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1102-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1102-body" aria-labelledby="enterprise-TA0011-T1102-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.001"> <a href="/versions/v9/techniques/T1102/001/"> Dead Drop Resolver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.002"> <a href="/versions/v9/techniques/T1102/002/"> Bidirectional Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0011-T1102-T1102.003"> <a href="/versions/v9/techniques/T1102/003/"> One-Way Communication </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010"> <a href="/versions/v9/tactics/TA0010"> Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-header" data-toggle="collapse" data-target="#enterprise-TA0010-body" aria-expanded="false" aria-controls="#enterprise-TA0010-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-body" aria-labelledby="enterprise-TA0010-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1020"> <a href="/versions/v9/techniques/T1020/"> Automated Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1020-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1020-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1020-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1020-body" aria-labelledby="enterprise-TA0010-T1020-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1020-T1020.001"> <a href="/versions/v9/techniques/T1020/001/"> Traffic Duplication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1030"> <a href="/versions/v9/techniques/T1030/"> Data Transfer Size Limits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1048"> <a href="/versions/v9/techniques/T1048/"> Exfiltration Over Alternative Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1048-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1048-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1048-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1048-body" aria-labelledby="enterprise-TA0010-T1048-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.001"> <a href="/versions/v9/techniques/T1048/001/"> Exfiltration Over Symmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.002"> <a href="/versions/v9/techniques/T1048/002/"> Exfiltration Over Asymmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1048-T1048.003"> <a href="/versions/v9/techniques/T1048/003/"> Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1041"> <a href="/versions/v9/techniques/T1041/"> Exfiltration Over C2 Channel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1011"> <a href="/versions/v9/techniques/T1011/"> Exfiltration Over Other Network Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1011-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1011-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1011-body" aria-labelledby="enterprise-TA0010-T1011-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1011-T1011.001"> <a href="/versions/v9/techniques/T1011/001/"> Exfiltration Over Bluetooth </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1052"> <a href="/versions/v9/techniques/T1052/"> Exfiltration Over Physical Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1052-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1052-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1052-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1052-body" aria-labelledby="enterprise-TA0010-T1052-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1052-T1052.001"> <a href="/versions/v9/techniques/T1052/001/"> Exfiltration over USB </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1567"> <a href="/versions/v9/techniques/T1567/"> Exfiltration Over Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1567-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1567-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1567-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1567-body" aria-labelledby="enterprise-TA0010-T1567-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1567-T1567.001"> <a href="/versions/v9/techniques/T1567/001/"> Exfiltration to Code Repository </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1567-T1567.002"> <a href="/versions/v9/techniques/T1567/002/"> Exfiltration to Cloud Storage </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1029"> <a href="/versions/v9/techniques/T1029/"> Scheduled Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0010-T1537"> <a href="/versions/v9/techniques/T1537/"> Transfer Data to Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040"> <a href="/versions/v9/tactics/TA0040"> Impact </a> <div class="expand-button collapsed" id="enterprise-TA0040-header" data-toggle="collapse" data-target="#enterprise-TA0040-body" aria-expanded="false" aria-controls="#enterprise-TA0040-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-body" aria-labelledby="enterprise-TA0040-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1531"> <a href="/versions/v9/techniques/T1531/"> Account Access Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1485"> <a href="/versions/v9/techniques/T1485/"> Data Destruction </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1486"> <a href="/versions/v9/techniques/T1486/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1565"> <a href="/versions/v9/techniques/T1565/"> Data Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1565-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1565-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1565-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1565-body" aria-labelledby="enterprise-TA0040-T1565-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.001"> <a href="/versions/v9/techniques/T1565/001/"> Stored Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.002"> <a href="/versions/v9/techniques/T1565/002/"> Transmitted Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1565-T1565.003"> <a href="/versions/v9/techniques/T1565/003/"> Runtime Data Manipulation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1491"> <a href="/versions/v9/techniques/T1491/"> Defacement </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1491-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1491-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1491-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1491-body" aria-labelledby="enterprise-TA0040-T1491-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1491-T1491.001"> <a href="/versions/v9/techniques/T1491/001/"> Internal Defacement </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1491-T1491.002"> <a href="/versions/v9/techniques/T1491/002/"> External Defacement </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1561"> <a href="/versions/v9/techniques/T1561/"> Disk Wipe </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1561-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1561-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1561-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1561-body" aria-labelledby="enterprise-TA0040-T1561-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1561-T1561.001"> <a href="/versions/v9/techniques/T1561/001/"> Disk Content Wipe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1561-T1561.002"> <a href="/versions/v9/techniques/T1561/002/"> Disk Structure Wipe </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1499"> <a href="/versions/v9/techniques/T1499/"> Endpoint Denial of Service </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1499-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1499-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1499-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1499-body" aria-labelledby="enterprise-TA0040-T1499-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.001"> <a href="/versions/v9/techniques/T1499/001/"> OS Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.002"> <a href="/versions/v9/techniques/T1499/002/"> Service Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.003"> <a href="/versions/v9/techniques/T1499/003/"> Application Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1499-T1499.004"> <a href="/versions/v9/techniques/T1499/004/"> Application or System Exploitation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1495"> <a href="/versions/v9/techniques/T1495/"> Firmware Corruption </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1490"> <a href="/versions/v9/techniques/T1490/"> Inhibit System Recovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1498"> <a href="/versions/v9/techniques/T1498/"> Network Denial of Service </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1498-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1498-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1498-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1498-body" aria-labelledby="enterprise-TA0040-T1498-header"> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1498-T1498.001"> <a href="/versions/v9/techniques/T1498/001/"> Direct Network Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1498-T1498.002"> <a href="/versions/v9/techniques/T1498/002/"> Reflection Amplification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1496"> <a href="/versions/v9/techniques/T1496/"> Resource Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1489"> <a href="/versions/v9/techniques/T1489/"> Service Stop </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="enterprise-TA0040-T1529"> <a href="/versions/v9/techniques/T1529/"> System Shutdown/Reboot </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile"> <a href="/versions/v9/techniques/mobile/"> Mobile </a> <div class="expand-button collapsed" id="mobile-header" data-toggle="collapse" data-target="#mobile-body" aria-expanded="false" aria-controls="#mobile-body"></div> </div> <div class="sidenav-body collapse" id="mobile-body" aria-labelledby="mobile-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027"> <a href="/versions/v9/tactics/TA0027"> Initial Access </a> <div class="expand-button collapsed" id="mobile-TA0027-header" data-toggle="collapse" data-target="#mobile-TA0027-body" aria-expanded="false" aria-controls="#mobile-TA0027-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0027-body" aria-labelledby="mobile-TA0027-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1475"> <a href="/versions/v9/techniques/T1475/"> Deliver Malicious App via Authorized App Store </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1476"> <a href="/versions/v9/techniques/T1476/"> Deliver Malicious App via Other Means </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1456"> <a href="/versions/v9/techniques/T1456/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1458"> <a href="/versions/v9/techniques/T1458/"> Exploit via Charging Station or PC </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1477"> <a href="/versions/v9/techniques/T1477/"> Exploit via Radio Interfaces </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1478"> <a href="/versions/v9/techniques/T1478/"> Install Insecure or Malicious Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1461"> <a href="/versions/v9/techniques/T1461/"> Lockscreen Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1444"> <a href="/versions/v9/techniques/T1444/"> Masquerade as Legitimate Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0027-T1474"> <a href="/versions/v9/techniques/T1474/"> Supply Chain Compromise </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0041"> <a href="/versions/v9/tactics/TA0041"> Execution </a> <div class="expand-button collapsed" id="mobile-TA0041-header" data-toggle="collapse" data-target="#mobile-TA0041-body" aria-expanded="false" aria-controls="#mobile-TA0041-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0041-body" aria-labelledby="mobile-TA0041-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1402"> <a href="/versions/v9/techniques/T1402/"> Broadcast Receivers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1605"> <a href="/versions/v9/techniques/T1605/"> Command-Line Interface </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1575"> <a href="/versions/v9/techniques/T1575/"> Native Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0041-T1603"> <a href="/versions/v9/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028"> <a href="/versions/v9/tactics/TA0028"> Persistence </a> <div class="expand-button collapsed" id="mobile-TA0028-header" data-toggle="collapse" data-target="#mobile-TA0028-body" aria-expanded="false" aria-controls="#mobile-TA0028-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0028-body" aria-labelledby="mobile-TA0028-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1402"> <a href="/versions/v9/techniques/T1402/"> Broadcast Receivers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1577"> <a href="/versions/v9/techniques/T1577/"> Compromise Application Executable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1541"> <a href="/versions/v9/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1403"> <a href="/versions/v9/techniques/T1403/"> Modify Cached Executable Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1398"> <a href="/versions/v9/techniques/T1398/"> Modify OS Kernel or Boot Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1399"> <a href="/versions/v9/techniques/T1399/"> Modify Trusted Execution Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0028-T1603"> <a href="/versions/v9/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0029"> <a href="/versions/v9/tactics/TA0029"> Privilege Escalation </a> <div class="expand-button collapsed" id="mobile-TA0029-header" data-toggle="collapse" data-target="#mobile-TA0029-body" aria-expanded="false" aria-controls="#mobile-TA0029-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0029-body" aria-labelledby="mobile-TA0029-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1401"> <a href="/versions/v9/techniques/T1401/"> Device Administrator Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1404"> <a href="/versions/v9/techniques/T1404/"> Exploit OS Vulnerability </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0029-T1405"> <a href="/versions/v9/techniques/T1405/"> Exploit TEE Vulnerability </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030"> <a href="/versions/v9/tactics/TA0030"> Defense Evasion </a> <div class="expand-button collapsed" id="mobile-TA0030-header" data-toggle="collapse" data-target="#mobile-TA0030-body" aria-expanded="false" aria-controls="#mobile-TA0030-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-body" aria-labelledby="mobile-TA0030-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1418"> <a href="/versions/v9/techniques/T1418/"> Application Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1540"> <a href="/versions/v9/techniques/T1540/"> Code Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1447"> <a href="/versions/v9/techniques/T1447/"> Delete Device Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1446"> <a href="/versions/v9/techniques/T1446/"> Device Lockout </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1408"> <a href="/versions/v9/techniques/T1408/"> Disguise Root/Jailbreak Indicators </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1407"> <a href="/versions/v9/techniques/T1407/"> Download New Code at Runtime </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1523"> <a href="/versions/v9/techniques/T1523/"> Evade Analysis Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1581"> <a href="/versions/v9/techniques/T1581/"> Geofencing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1516"> <a href="/versions/v9/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1478"> <a href="/versions/v9/techniques/T1478/"> Install Insecure or Malicious Configuration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1444"> <a href="/versions/v9/techniques/T1444/"> Masquerade as Legitimate Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1398"> <a href="/versions/v9/techniques/T1398/"> Modify OS Kernel or Boot Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1399"> <a href="/versions/v9/techniques/T1399/"> Modify Trusted Execution Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1575"> <a href="/versions/v9/techniques/T1575/"> Native Code </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1406"> <a href="/versions/v9/techniques/T1406/"> Obfuscated Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1604"> <a href="/versions/v9/techniques/T1604/"> Proxy Through Victim </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1508"> <a href="/versions/v9/techniques/T1508/"> Suppress Application Icon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0030-T1576"> <a href="/versions/v9/techniques/T1576/"> Uninstall Malicious Application </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031"> <a href="/versions/v9/tactics/TA0031"> Credential Access </a> <div class="expand-button collapsed" id="mobile-TA0031-header" data-toggle="collapse" data-target="#mobile-TA0031-body" aria-expanded="false" aria-controls="#mobile-TA0031-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-body" aria-labelledby="mobile-TA0031-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1517"> <a href="/versions/v9/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1413"> <a href="/versions/v9/techniques/T1413/"> Access Sensitive Data in Device Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1409"> <a href="/versions/v9/techniques/T1409/"> Access Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1414"> <a href="/versions/v9/techniques/T1414/"> Capture Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1412"> <a href="/versions/v9/techniques/T1412/"> Capture SMS Messages </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1405"> <a href="/versions/v9/techniques/T1405/"> Exploit TEE Vulnerability </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1417"> <a href="/versions/v9/techniques/T1417/"> Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1411"> <a href="/versions/v9/techniques/T1411/"> Input Prompt </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1579"> <a href="/versions/v9/techniques/T1579/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1410"> <a href="/versions/v9/techniques/T1410/"> Network Traffic Capture or Redirection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0031-T1416"> <a href="/versions/v9/techniques/T1416/"> URI Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032"> <a href="/versions/v9/tactics/TA0032"> Discovery </a> <div class="expand-button collapsed" id="mobile-TA0032-header" data-toggle="collapse" data-target="#mobile-TA0032-body" aria-expanded="false" aria-controls="#mobile-TA0032-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-body" aria-labelledby="mobile-TA0032-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1418"> <a href="/versions/v9/techniques/T1418/"> Application Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1523"> <a href="/versions/v9/techniques/T1523/"> Evade Analysis Environment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1420"> <a href="/versions/v9/techniques/T1420/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1430"> <a href="/versions/v9/techniques/T1430/"> Location Tracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1423"> <a href="/versions/v9/techniques/T1423/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1424"> <a href="/versions/v9/techniques/T1424/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1426"> <a href="/versions/v9/techniques/T1426/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1422"> <a href="/versions/v9/techniques/T1422/"> System Network Configuration Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0032-T1421"> <a href="/versions/v9/techniques/T1421/"> System Network Connections Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033"> <a href="/versions/v9/tactics/TA0033"> Lateral Movement </a> <div class="expand-button collapsed" id="mobile-TA0033-header" data-toggle="collapse" data-target="#mobile-TA0033-body" aria-expanded="false" aria-controls="#mobile-TA0033-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0033-body" aria-labelledby="mobile-TA0033-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0033-T1427"> <a href="/versions/v9/techniques/T1427/"> Attack PC via USB Connection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0033-T1428"> <a href="/versions/v9/techniques/T1428/"> Exploit Enterprise Resources </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035"> <a href="/versions/v9/tactics/TA0035"> Collection </a> <div class="expand-button collapsed" id="mobile-TA0035-header" data-toggle="collapse" data-target="#mobile-TA0035-body" aria-expanded="false" aria-controls="#mobile-TA0035-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-body" aria-labelledby="mobile-TA0035-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1435"> <a href="/versions/v9/techniques/T1435/"> Access Calendar Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1433"> <a href="/versions/v9/techniques/T1433/"> Access Call Log </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1432"> <a href="/versions/v9/techniques/T1432/"> Access Contact List </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1517"> <a href="/versions/v9/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1413"> <a href="/versions/v9/techniques/T1413/"> Access Sensitive Data in Device Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1409"> <a href="/versions/v9/techniques/T1409/"> Access Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1429"> <a href="/versions/v9/techniques/T1429/"> Capture Audio </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1512"> <a href="/versions/v9/techniques/T1512/"> Capture Camera </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1414"> <a href="/versions/v9/techniques/T1414/"> Capture Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1412"> <a href="/versions/v9/techniques/T1412/"> Capture SMS Messages </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1533"> <a href="/versions/v9/techniques/T1533/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1541"> <a href="/versions/v9/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1417"> <a href="/versions/v9/techniques/T1417/"> Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1430"> <a href="/versions/v9/techniques/T1430/"> Location Tracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1507"> <a href="/versions/v9/techniques/T1507/"> Network Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1410"> <a href="/versions/v9/techniques/T1410/"> Network Traffic Capture or Redirection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0035-T1513"> <a href="/versions/v9/techniques/T1513/"> Screen Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037"> <a href="/versions/v9/tactics/TA0037"> Command and Control </a> <div class="expand-button collapsed" id="mobile-TA0037-header" data-toggle="collapse" data-target="#mobile-TA0037-body" aria-expanded="false" aria-controls="#mobile-TA0037-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-body" aria-labelledby="mobile-TA0037-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1438"> <a href="/versions/v9/techniques/T1438/"> Alternate Network Mediums </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1436"> <a href="/versions/v9/techniques/T1436/"> Commonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1520"> <a href="/versions/v9/techniques/T1520/"> Domain Generation Algorithms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1544"> <a href="/versions/v9/techniques/T1544/"> Remote File Copy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1437"> <a href="/versions/v9/techniques/T1437/"> Standard Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1521"> <a href="/versions/v9/techniques/T1521/"> Standard Cryptographic Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1509"> <a href="/versions/v9/techniques/T1509/"> Uncommonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0037-T1481"> <a href="/versions/v9/techniques/T1481/"> Web Service </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036"> <a href="/versions/v9/tactics/TA0036"> Exfiltration </a> <div class="expand-button collapsed" id="mobile-TA0036-header" data-toggle="collapse" data-target="#mobile-TA0036-body" aria-expanded="false" aria-controls="#mobile-TA0036-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0036-body" aria-labelledby="mobile-TA0036-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1438"> <a href="/versions/v9/techniques/T1438/"> Alternate Network Mediums </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1436"> <a href="/versions/v9/techniques/T1436/"> Commonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1532"> <a href="/versions/v9/techniques/T1532/"> Data Encrypted </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0036-T1437"> <a href="/versions/v9/techniques/T1437/"> Standard Application Layer Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034"> <a href="/versions/v9/tactics/TA0034"> Impact </a> <div class="expand-button collapsed" id="mobile-TA0034-header" data-toggle="collapse" data-target="#mobile-TA0034-body" aria-expanded="false" aria-controls="#mobile-TA0034-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0034-body" aria-labelledby="mobile-TA0034-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1448"> <a href="/versions/v9/techniques/T1448/"> Carrier Billing Fraud </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1510"> <a href="/versions/v9/techniques/T1510/"> Clipboard Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1471"> <a href="/versions/v9/techniques/T1471/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1447"> <a href="/versions/v9/techniques/T1447/"> Delete Device Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1446"> <a href="/versions/v9/techniques/T1446/"> Device Lockout </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1472"> <a href="/versions/v9/techniques/T1472/"> Generate Fraudulent Advertising Revenue </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1516"> <a href="/versions/v9/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1452"> <a href="/versions/v9/techniques/T1452/"> Manipulate App Store Rankings or Ratings </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1400"> <a href="/versions/v9/techniques/T1400/"> Modify System Partition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0034-T1582"> <a href="/versions/v9/techniques/T1582/"> SMS Control </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0038"> <a href="/versions/v9/tactics/TA0038"> Network Effects </a> <div class="expand-button collapsed" id="mobile-TA0038-header" data-toggle="collapse" data-target="#mobile-TA0038-body" aria-expanded="false" aria-controls="#mobile-TA0038-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0038-body" aria-labelledby="mobile-TA0038-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1466"> <a href="/versions/v9/techniques/T1466/"> Downgrade to Insecure Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1439"> <a href="/versions/v9/techniques/T1439/"> Eavesdrop on Insecure Network Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1449"> <a href="/versions/v9/techniques/T1449/"> Exploit SS7 to Redirect Phone Calls/SMS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1450"> <a href="/versions/v9/techniques/T1450/"> Exploit SS7 to Track Device Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1464"> <a href="/versions/v9/techniques/T1464/"> Jamming or Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1463"> <a href="/versions/v9/techniques/T1463/"> Manipulate Device Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1467"> <a href="/versions/v9/techniques/T1467/"> Rogue Cellular Base Station </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1465"> <a href="/versions/v9/techniques/T1465/"> Rogue Wi-Fi Access Points </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0038-T1451"> <a href="/versions/v9/techniques/T1451/"> SIM Card Swap </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0039"> <a href="/versions/v9/tactics/TA0039"> Remote Service Effects </a> <div class="expand-button collapsed" id="mobile-TA0039-header" data-toggle="collapse" data-target="#mobile-TA0039-body" aria-expanded="false" aria-controls="#mobile-TA0039-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0039-body" aria-labelledby="mobile-TA0039-header"> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1470"> <a href="/versions/v9/techniques/T1470/"> Obtain Device Cloud Backups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1468"> <a href="/versions/v9/techniques/T1468/"> Remotely Track Device Without Authorization </a> </div> </div> <div class="sidenav"> <div class="sidenav-head" id="mobile-TA0039-T1469"> <a href="/versions/v9/techniques/T1469/"> Remotely Wipe Data Without Authorization </a> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-10 col-lg-9 col-md-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v9/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v9/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item">Obfuscated Files or Information</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Obfuscated Files or Information </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Sub-techniques (5)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/techniques/T1027/001/" class="subtechnique-table-item" data-subtechnique_id="T1027.001"> T1027.001 </a> </td> <td> <a href="/versions/v9/techniques/T1027/001/" class="subtechnique-table-item" data-subtechnique_id="T1027.001"> Binary Padding </a> </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1027/002/" class="subtechnique-table-item" data-subtechnique_id="T1027.002"> T1027.002 </a> </td> <td> <a href="/versions/v9/techniques/T1027/002/" class="subtechnique-table-item" data-subtechnique_id="T1027.002"> Software Packing </a> </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1027/003/" class="subtechnique-table-item" data-subtechnique_id="T1027.003"> T1027.003 </a> </td> <td> <a href="/versions/v9/techniques/T1027/003/" class="subtechnique-table-item" data-subtechnique_id="T1027.003"> Steganography </a> </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1027/004/" class="subtechnique-table-item" data-subtechnique_id="T1027.004"> T1027.004 </a> </td> <td> <a href="/versions/v9/techniques/T1027/004/" class="subtechnique-table-item" data-subtechnique_id="T1027.004"> Compile After Delivery </a> </td> </tr> <tr> <td> <a href="/versions/v9/techniques/T1027/005/" class="subtechnique-table-item" data-subtechnique_id="T1027.005"> T1027.005 </a> </td> <td> <a href="/versions/v9/techniques/T1027/005/" class="subtechnique-table-item" data-subtechnique_id="T1027.005"> Indicator Removal from Tools </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses. </p><p>Payloads may be compressed, archived, or encrypted in order to avoid detection. These payloads may be used during Initial Access or later to mitigate detection. Sometimes a user's action may be required to open and <a href="/versions/v9/techniques/T1140">Deobfuscate/Decode Files or Information</a> for <a href="/versions/v9/techniques/T1204">User Execution</a>. The user may also be required to input a password to open a password protected compressed/encrypted file that was provided by the adversary. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="Volexity PowerDuke November 2016"><sup><a href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> Adversaries may also used compressed or archived scripts, such as JavaScript. </p><p>Portions of files can also be encoded to hide the plain-text strings that would otherwise help defenders with discovery. <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="Linux/Cdorked.A We Live Security Analysis"><sup><a href="https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> Payloads may also be split into separate, seemingly benign files that only reveal malicious functionality when reassembled. <span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="Carbon Black Obfuscation Sept 2016"><sup><a href="https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p><p>Adversaries may also obfuscate commands executed from payloads or directly via a <a href="/versions/v9/techniques/T1059">Command and Scripting Interpreter</a>. Environment variables, aliases, characters, and other platform/language specific semantics can be used to evade signature based detections and application control mechanisms. <span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="FireEye Obfuscation June 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye Revoke-Obfuscation July 2017"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="PaloAlto EncodedCommand March 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> </p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1027 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques:&nbsp;</span> <a href="/versions/v9/techniques/T1027/001">T1027.001</a>, <a href="/versions/v9/techniques/T1027/002">T1027.002</a>, <a href="/versions/v9/techniques/T1027/003">T1027.003</a>, <a href="/versions/v9/techniques/T1027/004">T1027.004</a>, <a href="/versions/v9/techniques/T1027/005">T1027.005</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/versions/v9/tactics/TA0005">Defense Evasion</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Source of information collected by a sensor or logging system that may be used to collect information relevant to identifying the action being performed, sequence of actions, or the results of those actions by an adversary">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Data Sources:&nbsp;</span><a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/command.yml'>Command</a>: Command Execution, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/command.yml'>Command</a>: Command Execution, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/file.yml'>File</a>: File Content, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/file.yml'>File</a>: File Creation, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/file.yml'>File</a>: File Metadata, <a target='_blank' href='https://github.com/mitre-attack/attack-datasources/blob/main/contribution/process.yml'>Process</a>: Process Creation </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="If the (sub-)technique can be used to bypass or evade a particular defensive tool, methodology, or process">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Defense Bypassed:&nbsp;</span>Application control, Application control by file name or path, Host forensic analysis, Host intrusion prevention systems, Log analysis, Signature-based detection </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="CAPEC IDs associated with the (sub-)technique">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">CAPEC ID:</span> <a href="https://capec.mitre.org/data/definitions/267.html" target="_blank">CAPEC-267</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>Christiaan Beek, @ChristiaanBeek; Red Canary </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.1 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>24 April 2021 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1027" href="/versions/v9/techniques/T1027/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1027" href="/techniques/T1027/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/software/S0045"> S0045 </a> </td> <td> <a href="/versions/v9/software/S0045"> ADVSTORESHELL </a> </td> <td> <p>Most of the strings in <a href="/versions/v9/software/S0045">ADVSTORESHELL</a> are encrypted with an XOR-based algorithm; some strings are also encrypted with 3DES and reversed. API function names are also reversed, presumably to avoid detection in memory.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="Kaspersky Sofacy"><sup><a href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0331"> S0331 </a> </td> <td> <a href="/versions/v9/software/S0331"> Agent Tesla </a> </td> <td> <p><a href="/versions/v9/software/S0331">Agent Tesla</a> has had its code obfuscated in an apparent attempt to make analysis difficult.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="Fortinet Agent Tesla April 2018"><sup><a href="https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span> <a href="/versions/v9/software/S0331">Agent Tesla</a> has used the Rijndael symmetric encryption algorithm to encrypt strings.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="Malwarebytes Agent Tesla April 2020"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0504"> S0504 </a> </td> <td> <a href="/versions/v9/software/S0504"> Anchor </a> </td> <td> <p><a href="/versions/v9/software/S0504">Anchor</a> has obsuscated code with stack strings and string encryption.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="Cyberreason Anchor December 2019"><sup><a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0584"> S0584 </a> </td> <td> <a href="/versions/v9/software/S0584"> AppleJeus </a> </td> <td> <p><a href="/versions/v9/software/S0584">AppleJeus</a> has XOR-encrypted collected system information prior to sending to a C2. <a href="/versions/v9/software/S0584">AppleJeus</a> has also used the open source ADVObfuscation library for its components.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="CISA AppleJeus Feb 2021"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0099"> G0099 </a> </td> <td> <a href="/versions/v9/groups/G0099"> APT-C-36 </a> </td> <td> <p><a href="/versions/v9/groups/G0099">APT-C-36</a> has used ConfuserEx to obfuscate its variant of <a href="/versions/v9/software/S0434">Imminent Monitor</a>, compressed payload and RAT packages, and password protected encrypted email attachments to avoid detection.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="QiAnXin APT-C-36 Feb2019"><sup><a href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0026"> G0026 </a> </td> <td> <a href="/versions/v9/groups/G0026"> APT18 </a> </td> <td> <p><a href="/versions/v9/groups/G0026">APT18</a> obfuscates strings in the payload.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="PaloAlto DNS Requests May 2016"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0073"> G0073 </a> </td> <td> <a href="/versions/v9/groups/G0073"> APT19 </a> </td> <td> <p><a href="/versions/v9/groups/G0073">APT19</a> used Base64 to obfuscate commands and the payload.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="FireEye APT19"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0007"> G0007 </a> </td> <td> <a href="/versions/v9/groups/G0007"> APT28 </a> </td> <td> <p><a href="/versions/v9/groups/G0007">APT28</a> encrypted a .dll payload using RTL and a custom encryption algorithm. <a href="/versions/v9/groups/G0007">APT28</a> has also obfuscated payloads with base64, XOR, and RC4.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="Bitdefender APT28 Dec 2015"><sup><a href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="Unit 42 Sofacy Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="Palo Alto Sofacy 06-2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0016"> G0016 </a> </td> <td> <a href="/versions/v9/groups/G0016"> APT29 </a> </td> <td> <p><a href="/versions/v9/groups/G0016">APT29</a> has used encoded PowerShell commands.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" data-reference="FireEye APT29 Nov 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0022"> G0022 </a> </td> <td> <a href="/versions/v9/groups/G0022"> APT3 </a> </td> <td> <p><a href="/versions/v9/groups/G0022">APT3</a> obfuscates files or information to help evade defensive measures.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="Symantec Buckeye"><sup><a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0050"> G0050 </a> </td> <td> <a href="/versions/v9/groups/G0050"> APT32 </a> </td> <td> <p><a href="/versions/v9/groups/G0050">APT32</a> uses the Invoke-Obfuscation framework to obfuscate their PowerShell and also performs other code obfuscation. <a href="/versions/v9/groups/G0050">APT32</a> has also encoded payloads using Base64 and a framework called "Dont-Kill-My-Cat (DKMC). <a href="/versions/v9/groups/G0050">APT32</a> also encrypts the library used for network exfiltration with AES-256 in CBC mode in their macOS backdoor.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" data-reference="FireEye APT32 May 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="GitHub Invoke-Obfuscation"><sup><a href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="ESET OceanLotus"><sup><a href="https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" data-reference="Cybereason Oceanlotus May 2017"><sup><a href="https://www.cybereason.com/blog/operation-cobalt-kitty-apt" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="ESET OceanLotus Mar 2019"><sup><a href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" data-reference="ESET OceanLotus macOS April 2019"><sup><a href="https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0064"> G0064 </a> </td> <td> <a href="/versions/v9/groups/G0064"> APT33 </a> </td> <td> <p><a href="/versions/v9/groups/G0064">APT33</a> has used base64 to encode payloads.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" data-reference="FireEye APT33 Guardrail"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0067"> G0067 </a> </td> <td> <a href="/versions/v9/groups/G0067"> APT37 </a> </td> <td> <p><a href="/versions/v9/groups/G0067">APT37</a> obfuscates strings and payloads.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" data-reference="Talos Group123"><sup><a href="https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" data-reference="Securelist ScarCruft May 2019"><sup><a href="https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0087"> G0087 </a> </td> <td> <a href="/versions/v9/groups/G0087"> APT39 </a> </td> <td> <p><a href="/versions/v9/groups/G0087">APT39</a> has used malware to drop encrypted CAB files.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="FBI FLASH APT39 September 2020"><sup><a href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0096"> G0096 </a> </td> <td> <a href="/versions/v9/groups/G0096"> APT41 </a> </td> <td> <p><a href="/versions/v9/groups/G0096">APT41</a> used VMProtected binaries in multiple intrusions.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" data-reference="FireEye APT41 March 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0456"> S0456 </a> </td> <td> <a href="/versions/v9/software/S0456"> Aria-body </a> </td> <td> <p><a href="/versions/v9/software/S0456">Aria-body</a> has used an encrypted configuration file for its loader.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" data-reference="CheckPoint Naikon May 2020"><sup><a href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0373"> S0373 </a> </td> <td> <a href="/versions/v9/software/S0373"> Astaroth </a> </td> <td> <p><a href="/versions/v9/software/S0373">Astaroth</a> obfuscates its JScript code, and has used an XOR-based algorithm to encrypt payloads twice with different keys.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" data-reference="Cybereason Astaroth Feb 2019"><sup><a href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span><span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" data-reference="Securelist Brazilian Banking Malware July 2020"><sup><a href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0438"> S0438 </a> </td> <td> <a href="/versions/v9/software/S0438"> Attor </a> </td> <td> <p>Strings in <a href="/versions/v9/software/S0438">Attor</a>'s components are encrypted with a XOR cipher, using a hardcoded key and the configuration data, log files and plugins are encrypted using a hybrid encryption scheme of Blowfish-OFB combined with RSA.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" data-reference="ESET Attor Oct 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0347"> S0347 </a> </td> <td> <a href="/versions/v9/software/S0347"> AuditCred </a> </td> <td> <p><a href="/versions/v9/software/S0347">AuditCred</a> encrypts the configuration.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="TrendMicro Lazarus Nov 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0473"> S0473 </a> </td> <td> <a href="/versions/v9/software/S0473"> Avenger </a> </td> <td> <p><a href="/versions/v9/software/S0473">Avenger</a> has the ability to XOR encrypt files to be sent to C2.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="Trend Micro Tick November 2019"><sup><a href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0475"> S0475 </a> </td> <td> <a href="/versions/v9/software/S0475"> BackConfig </a> </td> <td> <p><a href="/versions/v9/software/S0475">BackConfig</a> has used compressed and decimal encoded VBS scripts.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" data-reference="Unit 42 BackConfig May 2020"><sup><a href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0534"> S0534 </a> </td> <td> <a href="/versions/v9/software/S0534"> Bazar </a> </td> <td> <p><a href="/versions/v9/software/S0534">Bazar</a> has used XOR, RSA2, and RC4 encrypted files.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" data-reference="Cybereason Bazar July 2020"><sup><a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" data-reference="NCC Group Team9 June 2020"><sup><a href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0574"> S0574 </a> </td> <td> <a href="/versions/v9/software/S0574"> BendyBear </a> </td> <td> <p><a href="/versions/v9/software/S0574">BendyBear</a> has encrypted payloads using RC4 and XOR.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" data-reference="Unit42 BendyBear Feb 2021"><sup><a href="https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0268"> S0268 </a> </td> <td> <a href="/versions/v9/software/S0268"> Bisonal </a> </td> <td> <p><a href="/versions/v9/software/S0268">Bisonal</a>'s DLL file and non-malicious decoy file are encrypted with RC4.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" data-reference="Unit 42 Bisonal July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0570"> S0570 </a> </td> <td> <a href="/versions/v9/software/S0570"> BitPaymer </a> </td> <td> <p><a href="/versions/v9/software/S0570">BitPaymer</a> has used RC4-encrypted strings and string hashes to avoid identifiable strings within the binary.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" data-reference="Crowdstrike Indrik November 2018"><sup><a href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0063"> G0063 </a> </td> <td> <a href="/versions/v9/groups/G0063"> BlackOasis </a> </td> <td> <p><a href="/versions/v9/groups/G0063">BlackOasis</a>'s first stage shellcode contains a NOP sled with alternative instructions that was likely designed to bypass antivirus tools.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" data-reference="Securelist BlackOasis Oct 2017"><sup><a href="https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0520"> S0520 </a> </td> <td> <a href="/versions/v9/software/S0520"> BLINDINGCAN </a> </td> <td> <p><a href="/versions/v9/software/S0520">BLINDINGCAN</a> has obfuscated code using Base64 encoding.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" data-reference="US-CERT BLINDINGCAN Aug 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0108"> G0108 </a> </td> <td> <a href="/versions/v9/groups/G0108"> Blue Mockingbird </a> </td> <td> <p><a href="/versions/v9/groups/G0108">Blue Mockingbird</a> has obfuscated the wallet address in the payload binary.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" data-reference="RedCanary Mockingbird May 2020"><sup><a href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0415"> S0415 </a> </td> <td> <a href="/versions/v9/software/S0415"> BOOSTWRITE </a> </td> <td> <p><a href="/versions/v9/software/S0415">BOOSTWRITE</a> has encoded its payloads using a ChaCha stream cipher with a 256-bit key and 64-bit Initialization vector (IV) to evade detection.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" data-reference="FireEye FIN7 Oct 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0482"> S0482 </a> </td> <td> <a href="/versions/v9/software/S0482"> Bundlore </a> </td> <td> <p><a href="/versions/v9/software/S0482">Bundlore</a> has obfuscated data with base64, AES, RC4, and bz2.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" data-reference="MacKeeper Bundlore Apr 2019"><sup><a href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0030"> S0030 </a> </td> <td> <a href="/versions/v9/software/S0030"> Carbanak </a> </td> <td> <p><a href="/versions/v9/software/S0030">Carbanak</a> encrypts strings to make analysis more difficult.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" data-reference="FireEye CARBANAK June 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0484"> S0484 </a> </td> <td> <a href="/versions/v9/software/S0484"> Carberp </a> </td> <td> <p><a href="/versions/v9/software/S0484">Carberp</a> has used XOR-based encryption to mask C2 server locations within the trojan.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" data-reference="Prevx Carberp March 2011"><sup><a href="http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0335"> S0335 </a> </td> <td> <a href="/versions/v9/software/S0335"> Carbon </a> </td> <td> <p><a href="/versions/v9/software/S0335">Carbon</a> encrypts configuration files and tasks for the malware to complete using CAST-128 algorithm.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" data-reference="ESET Carbon Mar 2017"><sup><a href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span><span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" data-reference="Accenture HyperStack October 2020"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0348"> S0348 </a> </td> <td> <a href="/versions/v9/software/S0348"> Cardinal RAT </a> </td> <td> <p><a href="/versions/v9/software/S0348">Cardinal RAT</a> encodes many of its artifacts and is encrypted (AES-128) when downloaded.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" data-reference="PaloAlto CardinalRat Apr 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0465"> S0465 </a> </td> <td> <a href="/versions/v9/software/S0465"> CARROTBALL </a> </td> <td> <p><a href="/versions/v9/software/S0465">CARROTBALL</a> has used a custom base64 alphabet to decode files.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" data-reference="Unit 42 CARROTBAT January 2020"><sup><a href="https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0462"> S0462 </a> </td> <td> <a href="/versions/v9/software/S0462"> CARROTBAT </a> </td> <td> <p><a href="/versions/v9/software/S0462">CARROTBAT</a> has the ability to download a base64 encoded payload and execute obfuscated commands on the infected host.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" data-reference="Unit 42 CARROTBAT November 2018"><sup><a href="https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0114"> G0114 </a> </td> <td> <a href="/versions/v9/groups/G0114"> Chimera </a> </td> <td> <p><a href="/versions/v9/groups/G0114">Chimera</a> has encoded PowerShell commands.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" data-reference="Cycraft Chimera April 2020"><sup><a href="https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0080"> G0080 </a> </td> <td> <a href="/versions/v9/groups/G0080"> Cobalt Group </a> </td> <td> <p><a href="/versions/v9/groups/G0080">Cobalt Group</a> obfuscated several scriptlets and code used on the victim’s machine, including through use of XOR and RC4.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" data-reference="Talos Cobalt Group July 2018"><sup><a href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" data-reference="Morphisec Cobalt Gang Oct 2018"><sup><a href="https://blog.morphisec.com/cobalt-gang-2.0" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0154"> S0154 </a> </td> <td> <a href="/versions/v9/software/S0154"> Cobalt Strike </a> </td> <td> <p><a href="/versions/v9/software/S0154">Cobalt Strike</a> can hash functions to obfuscate calls to the Windows API.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" data-reference="Talos Cobalt Strike September 2020"><sup><a href=" https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0369"> S0369 </a> </td> <td> <a href="/versions/v9/software/S0369"> CoinTicker </a> </td> <td> <p><a href="/versions/v9/software/S0369">CoinTicker</a> initially downloads a hidden encoded file.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" data-reference="CoinTicker 2019"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0244"> S0244 </a> </td> <td> <a href="/versions/v9/software/S0244"> Comnie </a> </td> <td> <p><a href="/versions/v9/software/S0244">Comnie</a> uses RC4 and Base64 to obfuscate strings.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" data-reference="Palo Alto Comnie"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0126"> S0126 </a> </td> <td> <a href="/versions/v9/software/S0126"> ComRAT </a> </td> <td> <p><a href="/versions/v9/software/S0126">ComRAT</a> has used encryption and base64 to obfuscate its orchestrator code in the Registry. <a href="/versions/v9/software/S0126">ComRAT</a> has also embedded an XOR encrypted communications module inside the orchestrator module. <a href="/versions/v9/software/S0126">ComRAT</a> has encrypted its virtual file system using AES-256 in XTS mode and has encoded PowerShell scripts.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span><span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" data-reference="CISA ComRAT Oct 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0575"> S0575 </a> </td> <td> <a href="/versions/v9/software/S0575"> Conti </a> </td> <td> <p><a href="/versions/v9/software/S0575">Conti</a> has encrypted DLLs and used obfuscation to hide Windows API calls.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" data-reference="CarbonBlack Conti July 2020"><sup><a href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span><span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" data-reference="Cybereason Conti Jan 2021"><sup><a href="https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0492"> S0492 </a> </td> <td> <a href="/versions/v9/software/S0492"> CookieMiner </a> </td> <td> <p><a href="/versions/v9/software/S0492">CookieMiner</a> has used base64 encoding to obfuscate scripts on the system.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" data-reference="Unit42 CookieMiner Jan 2019"><sup><a href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0137"> S0137 </a> </td> <td> <a href="/versions/v9/software/S0137"> CORESHELL </a> </td> <td> <p><a href="/versions/v9/software/S0137">CORESHELL</a> obfuscates strings using a custom stream cipher.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0046"> S0046 </a> </td> <td> <a href="/versions/v9/software/S0046"> CozyCar </a> </td> <td> <p>The payload of <a href="/versions/v9/software/S0046">CozyCar</a> is encrypted with simple XOR with a rotating key. The <a href="/versions/v9/software/S0046">CozyCar</a> configuration file has been encrypted with RC4 keys.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" data-reference="F-Secure CozyDuke"><sup><a href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163418/CozyDuke.pdf" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0497"> S0497 </a> </td> <td> <a href="/versions/v9/software/S0497"> Dacls </a> </td> <td> <p><a href="/versions/v9/software/S0497">Dacls</a> can encrypt its configuration file with AES CBC.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" data-reference="TrendMicro macOS Dacls May 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0070"> G0070 </a> </td> <td> <a href="/versions/v9/groups/G0070"> Dark Caracal </a> </td> <td> <p><a href="/versions/v9/groups/G0070">Dark Caracal</a> has obfuscated strings in <a href="/versions/v9/software/S0234">Bandook</a> by base64 encoding, and then encrypting them.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" data-reference="Lookout Dark Caracal Jan 2018"><sup><a href="https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0012"> G0012 </a> </td> <td> <a href="/versions/v9/groups/G0012"> Darkhotel </a> </td> <td> <p><a href="/versions/v9/groups/G0012">Darkhotel</a> has obfuscated code using RC4, XOR, and RSA.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" data-reference="Securelist Darkhotel Aug 2015"><sup><a href="https://securelist.com/darkhotels-attacks-in-2015/71713/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span><span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" data-reference="Microsoft DUBNIUM July 2016"><sup><a href="https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0187"> S0187 </a> </td> <td> <a href="/versions/v9/software/S0187"> Daserf </a> </td> <td> <p><a href="/versions/v9/software/S0187">Daserf</a> uses encrypted Windows APIs and also encrypts data using the alternative base64+RC4 or the Caesar cipher.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" data-reference="Trend Micro Daserf Nov 2017"><sup><a href="http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0354"> S0354 </a> </td> <td> <a href="/versions/v9/software/S0354"> Denis </a> </td> <td> <p><a href="/versions/v9/software/S0354">Denis</a> obfuscates its code and encrypts the API names. <a href="/versions/v9/software/S0354">Denis</a> also encodes its payload in Base64.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" data-reference="Securelist Denis April 2017"><sup><a href="https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0213"> S0213 </a> </td> <td> <a href="/versions/v9/software/S0213"> DOGCALL </a> </td> <td> <p><a href="/versions/v9/software/S0213">DOGCALL</a> is encrypted using single-byte XOR.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" data-reference="Unit 42 Nokki Oct 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0502"> S0502 </a> </td> <td> <a href="/versions/v9/software/S0502"> Drovorub </a> </td> <td> <p><a href="/versions/v9/software/S0502">Drovorub</a> has used XOR encrypted payloads in WebSocket client to server messages.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" data-reference="NSA/FBI Drovorub August 2020"><sup><a href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0567"> S0567 </a> </td> <td> <a href="/versions/v9/software/S0567"> Dtrack </a> </td> <td> <p><a href="/versions/v9/software/S0567">Dtrack</a> has used a dropper that embeds an encrypted payload as extra data.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" data-reference="Securelist Dtrack"><sup><a href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0031"> G0031 </a> </td> <td> <a href="/versions/v9/groups/G0031"> Dust Storm </a> </td> <td> <p><a href="/versions/v9/groups/G0031">Dust Storm</a> has encoded payloads with a single-byte XOR, both skipping the key itself and zeroing in an attempt to avoid exposing the key.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" data-reference="Cylance Dust Storm"><sup><a href="https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0062"> S0062 </a> </td> <td> <a href="/versions/v9/software/S0062"> DustySky </a> </td> <td> <p>The <a href="/versions/v9/software/S0062">DustySky</a> dropper uses a function to obfuscate the name of functions and other parts of the malware.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" data-reference="DustySky"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0377"> S0377 </a> </td> <td> <a href="/versions/v9/software/S0377"> Ebury </a> </td> <td> <p><a href="/versions/v9/software/S0377">Ebury</a> has obfuscated its strings with a simple XOR encryption with a static key.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" data-reference="ESET Ebury Feb 2014"><sup><a href="https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0593"> S0593 </a> </td> <td> <a href="/versions/v9/software/S0593"> ECCENTRICBANDWAGON </a> </td> <td> <p><a href="/versions/v9/software/S0593">ECCENTRICBANDWAGON</a> has encrypted strings with RC4.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" data-reference="CISA EB Aug 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0066"> G0066 </a> </td> <td> <a href="/versions/v9/groups/G0066"> Elderwood </a> </td> <td> <p><a href="/versions/v9/groups/G0066">Elderwood</a> has encrypted documents and malicious executables.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" data-reference="Symantec Elderwood Sept 2012"><sup><a href="https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0081"> S0081 </a> </td> <td> <a href="/versions/v9/software/S0081"> Elise </a> </td> <td> <p><a href="/versions/v9/software/S0081">Elise</a> encrypts several of its files, including configuration files.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" data-reference="Lotus Blossom Jun 2015"><sup><a href="https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0082"> S0082 </a> </td> <td> <a href="/versions/v9/software/S0082"> Emissary </a> </td> <td> <p>Variants of <a href="/versions/v9/software/S0082">Emissary</a> encrypt payloads using various XOR ciphers, as well as a custom algorithm that uses the "srand" and "rand" functions.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" data-reference="Lotus Blossom Dec 2015"><sup><a href="http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span><span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" data-reference="Emissary Trojan Feb 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0367"> S0367 </a> </td> <td> <a href="/versions/v9/software/S0367"> Emotet </a> </td> <td> <p><a href="/versions/v9/software/S0367">Emotet</a> has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. <span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" data-reference="Talos Emotet Jan 2019"><sup><a href="https://blog.talosintelligence.com/2019/01/return-of-emotet.html" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a></sup></span><span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" data-reference="Trend Micro Emotet Jan 2019"><sup><a href="https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a></sup></span><span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" data-reference="Picus Emotet Dec 2018"><sup><a href="https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span><span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" data-reference="ESET Emotet Dec 2018"><sup><a href="https://www.welivesecurity.com/2018/12/28/analysis-latest-emotet-propagation-campaign/" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0363"> S0363 </a> </td> <td> <a href="/versions/v9/software/S0363"> Empire </a> </td> <td> <p><a href="/versions/v9/software/S0363">Empire</a> has the ability to obfuscate commands using <code>Invoke-Obfuscation</code>.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" data-reference="Github PowerShell Empire"><sup><a href="https://github.com/EmpireProject/Empire" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0091"> S0091 </a> </td> <td> <a href="/versions/v9/software/S0091"> Epic </a> </td> <td> <p><a href="/versions/v9/software/S0091">Epic</a> heavily obfuscates its code to make analysis more difficult.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0401"> S0401 </a> </td> <td> <a href="/versions/v9/software/S0401"> Exaramel for Linux </a> </td> <td> <p><a href="/versions/v9/software/S0401">Exaramel for Linux</a> uses RC4 for encrypting the configuration.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" data-reference="ESET TeleBots Oct 2018"><sup><a href="https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a></sup></span><span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" data-reference="ANSSI Sandworm January 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0512"> S0512 </a> </td> <td> <a href="/versions/v9/software/S0512"> FatDuke </a> </td> <td> <p><a href="/versions/v9/software/S0512">FatDuke</a> can use base64 encoding, string stacking, and opaque predicates for obfuscation.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0267"> S0267 </a> </td> <td> <a href="/versions/v9/software/S0267"> FELIXROOT </a> </td> <td> <p><a href="/versions/v9/software/S0267">FELIXROOT</a> encrypts strings in the backdoor using a custom XOR algorithm.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" data-reference="FireEye FELIXROOT July 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a></sup></span><span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" data-reference="ESET GreyEnergy Oct 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0037"> G0037 </a> </td> <td> <a href="/versions/v9/groups/G0037"> FIN6 </a> </td> <td> <p><a href="/versions/v9/groups/G0037">FIN6</a> has used encoded PowerShell commands.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" data-reference="Visa FIN6 Feb 2019"><sup><a href="https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0046"> G0046 </a> </td> <td> <a href="/versions/v9/groups/G0046"> FIN7 </a> </td> <td> <p><a href="/versions/v9/groups/G0046">FIN7</a> has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="FireEye Obfuscation June 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" data-reference="FireEye FIN7 Aug 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0061"> G0061 </a> </td> <td> <a href="/versions/v9/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/versions/v9/groups/G0061">FIN8</a> has used environment variables and standard input (stdin) to obfuscate command-line arguments. <a href="/versions/v9/groups/G0061">FIN8</a> also obfuscates malicious macros delivered as payloads.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="FireEye Obfuscation June 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span><span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0355"> S0355 </a> </td> <td> <a href="/versions/v9/software/S0355"> Final1stspy </a> </td> <td> <p><a href="/versions/v9/software/S0355">Final1stspy</a> obfuscates strings with base64 encoding.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" data-reference="Unit 42 Nokki Oct 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0182"> S0182 </a> </td> <td> <a href="/versions/v9/software/S0182"> FinFisher </a> </td> <td> <p><a href="/versions/v9/software/S0182">FinFisher</a> is heavily obfuscated in many ways, including through the use of spaghetti code in its functions in an effort to confuse disassembly programs. It also uses a custom XOR algorithm to obfuscate code.<span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" data-reference="FinFisher Citation"><sup><a href="http://www.finfisher.com/FinFisher/index.html" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a></sup></span><span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" data-reference="Microsoft FinFisher March 2018"><sup><a href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0383"> S0383 </a> </td> <td> <a href="/versions/v9/software/S0383"> FlawedGrace </a> </td> <td> <p><a href="/versions/v9/software/S0383">FlawedGrace</a> encrypts its C2 configuration files with AES in CBC mode.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" data-reference="Proofpoint TA505 Jan 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0117"> G0117 </a> </td> <td> <a href="/versions/v9/groups/G0117"> Fox Kitten </a> </td> <td> <p><a href="/versions/v9/groups/G0117">Fox Kitten</a> has base64 encoded scripts and payloads to avoid detection.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" data-reference="CISA AA20-259A Iran-Based Actor September 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0101"> G0101 </a> </td> <td> <a href="/versions/v9/groups/G0101"> Frankenstein </a> </td> <td> <p><a href="/versions/v9/groups/G0101">Frankenstein</a> has run encoded commands from the command line.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" data-reference="Talos Frankenstein June 2019"><sup><a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0277"> S0277 </a> </td> <td> <a href="/versions/v9/software/S0277"> FruitFly </a> </td> <td> <p><a href="/versions/v9/software/S0277">FruitFly</a> executes and stores obfuscated Perl scripts.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" data-reference="objsee mac malware 2017"><sup><a href="https://objective-see.com/blog/blog_0x25.html" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0410"> S0410 </a> </td> <td> <a href="/versions/v9/software/S0410"> Fysbis </a> </td> <td> <p><a href="/versions/v9/software/S0410">Fysbis</a> has been encrypted using XOR and RC4.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" data-reference="Fysbis Dr Web Analysis"><sup><a href="https://vms.drweb.com/virus/?i=4276269" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0093"> G0093 </a> </td> <td> <a href="/versions/v9/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/versions/v9/groups/G0093">GALLIUM</a> used a modified version of <a href="/versions/v9/software/S0040">HTRAN</a> in which they obfuscated strings such as debug messages in an apparent attempt to evade detection.<span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" data-reference="Cybereason Soft Cell June 2019"><sup><a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0084"> G0084 </a> </td> <td> <a href="/versions/v9/groups/G0084"> Gallmaker </a> </td> <td> <p><a href="/versions/v9/groups/G0084">Gallmaker</a> obfuscated shellcode used during execution.<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" data-reference="Symantec Gallmaker Oct 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0047"> G0047 </a> </td> <td> <a href="/versions/v9/groups/G0047"> Gamaredon Group </a> </td> <td> <p><a href="/versions/v9/groups/G0047">Gamaredon Group</a> has delivered self-extracting 7z archive files within malicious document attachments, and used obfuscated or encrypted scripts.<span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" data-reference="ESET Gamaredon June 2020"><sup><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0168"> S0168 </a> </td> <td> <a href="/versions/v9/software/S0168"> Gazer </a> </td> <td> <p><a href="/versions/v9/software/S0168">Gazer</a> logs its actions into files that are encrypted with 3DES. It also uses RSA to encrypt resources.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" data-reference="Securelist WhiteBear Aug 2017"><sup><a href="https://securelist.com/introducing-whitebear/81638/" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0115"> G0115 </a> </td> <td> <a href="/versions/v9/groups/G0115"> GOLD SOUTHFIELD </a> </td> <td> <p><a href="/versions/v9/groups/G0115">GOLD SOUTHFIELD</a> has executed base64 encoded PowerShell scripts on compromised hosts.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" data-reference="Tetra Defense Sodinokibi March 2020"><sup><a href="https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0493"> S0493 </a> </td> <td> <a href="/versions/v9/software/S0493"> GoldenSpy </a> </td> <td> <p><a href="/versions/v9/software/S0493">GoldenSpy</a>'s uninstaller has base64-encoded its variables. <span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" data-reference="Trustwave GoldenSpy2 June 2020"><sup><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0588"> S0588 </a> </td> <td> <a href="/versions/v9/software/S0588"> GoldMax </a> </td> <td> <p><a href="/versions/v9/software/S0588">GoldMax</a> has written AES-encrypted and Base64-encoded configuration files to disk.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span><span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" data-reference="FireEye SUNSHUTTLE Mar 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0477"> S0477 </a> </td> <td> <a href="/versions/v9/software/S0477"> Goopy </a> </td> <td> <p><a href="/versions/v9/software/S0477">Goopy</a>'s decrypter have been inflated with junk code in between legitimate API functions, and also included infinite loops to avoid analysis.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0531"> S0531 </a> </td> <td> <a href="/versions/v9/software/S0531"> Grandoreiro </a> </td> <td> <p>The <a href="/versions/v9/software/S0531">Grandoreiro</a> payload has been delivered encrypted with a custom XOR-based algorithm and also as a base64-encoded ZIP file.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" data-reference="Securelist Brazilian Banking Malware July 2020"><sup><a href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" data-reference="ESET Grandoreiro April 2020"><sup><a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a></sup></span><span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" data-reference="ESET Grandoreiro April 2020"><sup><a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0237"> S0237 </a> </td> <td> <a href="/versions/v9/software/S0237"> GravityRAT </a> </td> <td> <p><a href="/versions/v9/software/S0237">GravityRAT</a> supports file encryption (AES with the key "lolomycin2017").<span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" data-reference="Talos GravityRAT"><sup><a href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0342"> S0342 </a> </td> <td> <a href="/versions/v9/software/S0342"> GreyEnergy </a> </td> <td> <p><a href="/versions/v9/software/S0342">GreyEnergy</a> encrypts its configuration files with AES-256 and also encrypts its strings.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" data-reference="ESET GreyEnergy Oct 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0043"> G0043 </a> </td> <td> <a href="/versions/v9/groups/G0043"> Group5 </a> </td> <td> <p><a href="/versions/v9/groups/G0043">Group5</a> disguised its malicious binaries with several layers of obfuscation, including encrypting the files.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" data-reference="Citizen Lab Group5"><sup><a href="https://citizenlab.ca/2016/08/group5-syria/" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0132"> S0132 </a> </td> <td> <a href="/versions/v9/software/S0132"> H1N1 </a> </td> <td> <p><a href="/versions/v9/software/S0132">H1N1</a> uses multiple techniques to obfuscate strings, including XOR.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" data-reference="Cisco H1N1 Part 1"><sup><a href="http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0499"> S0499 </a> </td> <td> <a href="/versions/v9/software/S0499"> Hancitor </a> </td> <td> <p><a href="/versions/v9/software/S0499">Hancitor</a> has used Base64 to encode malicious links. <a href="/versions/v9/software/S0499">Hancitor</a> has also delivered compressed payloads in ZIP files to victims.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" data-reference="Threatpost Hancitor"><sup><a href="https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a></sup></span><span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" data-reference="FireEye Hancitor"><sup><a href="https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0391"> S0391 </a> </td> <td> <a href="/versions/v9/software/S0391"> HAWKBALL </a> </td> <td> <p><a href="/versions/v9/software/S0391">HAWKBALL</a> has encrypted the payload with an XOR-based algorithm.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" data-reference="FireEye HAWKBALL Jun 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0170"> S0170 </a> </td> <td> <a href="/versions/v9/software/S0170"> Helminth </a> </td> <td> <p>The <a href="/versions/v9/software/S0170">Helminth</a> config file is encrypted with RC4.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" data-reference="Palo Alto OilRig May 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0087"> S0087 </a> </td> <td> <a href="/versions/v9/software/S0087"> Hi-Zor </a> </td> <td> <p><a href="/versions/v9/software/S0087">Hi-Zor</a> uses various XOR techniques to obfuscate its components.<span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" data-reference="Fidelis INOCNATION"><sup><a href="https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL_0.pdf" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0394"> S0394 </a> </td> <td> <a href="/versions/v9/software/S0394"> HiddenWasp </a> </td> <td> <p><a href="/versions/v9/software/S0394">HiddenWasp</a> encrypts its configuration and payload.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" data-reference="Intezer HiddenWasp Map 2019"><sup><a href="https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0126"> G0126 </a> </td> <td> <a href="/versions/v9/groups/G0126"> Higaisa </a> </td> <td> <p><a href="/versions/v9/groups/G0126">Higaisa</a> used Base64 encoded compressed payloads.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" data-reference="Malwarebytes Higaisa 2020"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a></sup></span><span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" data-reference="Zscaler Higaisa 2020"><sup><a href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0601"> S0601 </a> </td> <td> <a href="/versions/v9/software/S0601"> Hildegard </a> </td> <td> <p><a href="/versions/v9/software/S0601">Hildegard</a> has encrypted an ELF file.<span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" data-reference="Unit 42 Hildegard Malware"><sup><a href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0232"> S0232 </a> </td> <td> <a href="/versions/v9/software/S0232"> HOMEFRY </a> </td> <td> <p>Some strings in <a href="/versions/v9/software/S0232">HOMEFRY</a> are obfuscated with XOR x56.<span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" data-reference="FireEye Periscope March 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0072"> G0072 </a> </td> <td> <a href="/versions/v9/groups/G0072"> Honeybee </a> </td> <td> <p><a href="/versions/v9/groups/G0072">Honeybee</a> drops files with base64-encoded data.<span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" data-reference="McAfee Honeybee"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0431"> S0431 </a> </td> <td> <a href="/versions/v9/software/S0431"> HotCroissant </a> </td> <td> <p><a href="/versions/v9/software/S0431">HotCroissant</a> has encrypted strings with single-byte XOR and base64 encoded RC4.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" data-reference="Carbon Black HotCroissant April 2020"><sup><a href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0070"> S0070 </a> </td> <td> <a href="/versions/v9/software/S0070"> HTTPBrowser </a> </td> <td> <p><a href="/versions/v9/software/S0070">HTTPBrowser</a>'s code may be obfuscated through structured exception handling and return-oriented programming.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" data-reference="Dell TG-3390"><sup><a href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0203"> S0203 </a> </td> <td> <a href="/versions/v9/software/S0203"> Hydraq </a> </td> <td> <p><a href="/versions/v9/software/S0203">Hydraq</a> uses basic obfuscation in the form of spaghetti code.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" data-reference="Symantec Elderwood Sept 2012"><sup><a href="https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span><span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" data-reference="Symantec Trojan.Hydraq Jan 2010"><sup><a href="https://www.symantec.com/connect/blogs/trojanhydraq-incident" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0483"> S0483 </a> </td> <td> <a href="/versions/v9/software/S0483"> IcedID </a> </td> <td> <p><a href="/versions/v9/software/S0483">IcedID</a> has utilzed encrypted binaries and base64 encoded strings.<span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" data-reference="Juniper IcedID June 2020"><sup><a href="https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0434"> S0434 </a> </td> <td> <a href="/versions/v9/software/S0434"> Imminent Monitor </a> </td> <td> <p><a href="/versions/v9/software/S0434">Imminent Monitor</a> has encrypted the spearphish attachments to avoid detection from email gateways; the debugger also encrypts information before sending to the C2.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="QiAnXin APT-C-36 Feb2019"><sup><a href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0100"> G0100 </a> </td> <td> <a href="/versions/v9/groups/G0100"> Inception </a> </td> <td> <p><a href="/versions/v9/groups/G0100">Inception</a> has encrypted malware payloads dropped on victim machines with AES and RC4 encryption.<span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" data-reference="Kaspersky Cloud Atlas December 2014"><sup><a href="https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0259"> S0259 </a> </td> <td> <a href="/versions/v9/software/S0259"> InnaputRAT </a> </td> <td> <p><a href="/versions/v9/software/S0259">InnaputRAT</a> uses an 8-byte XOR key to obfuscate API names and other strings contained in the payload.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" data-reference="ASERT InnaputRAT April 2018"><sup><a href="https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0260"> S0260 </a> </td> <td> <a href="/versions/v9/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/versions/v9/software/S0260">InvisiMole</a> avoids analysis by encrypting all strings, internal files, configuration data and by using a custom executable format.<span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" data-reference="ESET InvisiMole June 2018"><sup><a href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a></sup></span><span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" data-reference="ESET InvisiMole June 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0231"> S0231 </a> </td> <td> <a href="/versions/v9/software/S0231"> Invoke-PSImage </a> </td> <td> <p><a href="/versions/v9/software/S0231">Invoke-PSImage</a> can be used to embed a PowerShell script within the pixels of a PNG file.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" data-reference="GitHub Invoke-PSImage"><sup><a href="https://github.com/peewpw/Invoke-PSImage" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0581"> S0581 </a> </td> <td> <a href="/versions/v9/software/S0581"> IronNetInjector </a> </td> <td> <p><a href="/versions/v9/software/S0581">IronNetInjector</a> can obfuscate variable names, encrypt strings, as well as base64 encode and Rijndael encrypt payloads.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" data-reference="Unit 42 IronNetInjector February 2021 "><sup><a href=" https://unit42.paloaltonetworks.com/ironnetinjector/" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0189"> S0189 </a> </td> <td> <a href="/versions/v9/software/S0189"> ISMInjector </a> </td> <td> <p><a href="/versions/v9/software/S0189">ISMInjector</a> is obfuscated with the off-the-shelf SmartAssembly .NET obfuscator created by red-gate.com.<span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" data-reference="OilRig New Delivery Oct 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0044"> S0044 </a> </td> <td> <a href="/versions/v9/software/S0044"> JHUHUGIT </a> </td> <td> <p>Many strings in <a href="/versions/v9/software/S0044">JHUHUGIT</a> are obfuscated with a XOR algorithm.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" data-reference="F-Secure Sofacy 2015"><sup><a href="https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a></sup></span><span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" data-reference="ESET Sednit Part 1"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="Talos Seduploader Oct 2017"><sup><a href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0201"> S0201 </a> </td> <td> <a href="/versions/v9/software/S0201"> JPIN </a> </td> <td> <p>A <a href="/versions/v9/software/S0201">JPIN</a> uses a encrypted and compressed payload that is disguised as a bitmap within the resource section of the installer.<span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" data-reference="Microsoft PLATINUM April 2016"><sup><a href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0283"> S0283 </a> </td> <td> <a href="/versions/v9/software/S0283"> jRAT </a> </td> <td> <p><a href="/versions/v9/software/S0283">jRAT</a>’s Java payload is encrypted with AES.<span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" data-reference="jRAT Symantec Aug 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a></sup></span> Additionally, backdoor files are encrypted using DES as a stream cipher. Later variants of <a href="/versions/v9/software/S0283">jRAT</a> also incorporated AV evasion methods such as Java bytecode obfuscation via the commercial Allatori obfuscation tool.<span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" data-reference="Symantec Frutas Feb 2013"><sup><a href="https://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0265"> S0265 </a> </td> <td> <a href="/versions/v9/software/S0265"> Kazuar </a> </td> <td> <p><a href="/versions/v9/software/S0265">Kazuar</a> is obfuscated using the open source ConfuserEx protector. <a href="/versions/v9/software/S0265">Kazuar</a> also obfuscates the name of created files/folders/mutexes and encrypts debug messages written to log files using the Rijndael cipher.<span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" data-reference="Unit 42 Kazuar May 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0487"> S0487 </a> </td> <td> <a href="/versions/v9/software/S0487"> Kessel </a> </td> <td> <p><a href="/versions/v9/software/S0487">Kessel</a>'s configuration is hardcoded and RC4 encrypted within the binary.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" data-reference="ESET ForSSHe December 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0387"> S0387 </a> </td> <td> <a href="/versions/v9/software/S0387"> KeyBoy </a> </td> <td> <p>In one version of <a href="/versions/v9/software/S0387">KeyBoy</a>, string obfuscation routines were used to hide many of the critical values referenced in the malware.<span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" data-reference="CitizenLab KeyBoy Nov 2016"><sup><a href="https://citizenlab.ca/2016/11/parliament-keyboy/" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0526"> S0526 </a> </td> <td> <a href="/versions/v9/software/S0526"> KGH_SPY </a> </td> <td> <p><a href="/versions/v9/software/S0526">KGH_SPY</a> has used encrypted strings in its installer.<span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" data-reference="Cybereason Kimsuky November 2020"><sup><a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0094"> G0094 </a> </td> <td> <a href="/versions/v9/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/versions/v9/groups/G0094">Kimsuky</a> has obfuscated binary strings including the use of XOR encryption and Base64 encoding.<span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" data-reference="ThreatConnect Kimsuky September 2020"><sup><a href="https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a></sup></span><span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" data-reference="VirusBulletin Kimsuky October 2019"><sup><a href="https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0236"> S0236 </a> </td> <td> <a href="/versions/v9/software/S0236"> Kwampirs </a> </td> <td> <p><a href="/versions/v9/software/S0236">Kwampirs</a> downloads additional files that are base64-encoded and encrypted with another cipher.<span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" data-reference="Symantec Security Center Trojan.Kwampirs"><sup><a href="https://www.symantec.com/security-center/writeup/2016-081923-2700-99" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0032"> G0032 </a> </td> <td> <a href="/versions/v9/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/versions/v9/groups/G0032">Lazarus Group</a> malware uses multiple types of encryption and encoding in its malware files, including AES, Caracachs, RC4, basic XOR with constant 0xA7, and other techniques.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" data-reference="Novetta Blockbuster"><sup><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a></sup></span><span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" data-reference="Novetta Blockbuster Loaders"><sup><a href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a></sup></span><span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" data-reference="Novetta Blockbuster RATs"><sup><a href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a></sup></span><span onclick=scrollToRef('scite-158') id="scite-ref-158-a" class="scite-citeref-number" data-reference="McAfee Lazarus Resurfaces Feb 2018"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a></sup></span><span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" data-reference="TrendMicro macOS Dacls May 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0077"> G0077 </a> </td> <td> <a href="/versions/v9/groups/G0077"> Leafminer </a> </td> <td> <p><a href="/versions/v9/groups/G0077">Leafminer</a> obfuscated scripts that were used on victim machines.<span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" data-reference="Symantec Leafminer July 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0065"> G0065 </a> </td> <td> <a href="/versions/v9/groups/G0065"> Leviathan </a> </td> <td> <p><a href="/versions/v9/groups/G0065">Leviathan</a> has obfuscated code using base64 and gzip compression.<span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" data-reference="Proofpoint Leviathan Oct 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0395"> S0395 </a> </td> <td> <a href="/versions/v9/software/S0395"> LightNeuron </a> </td> <td> <p><a href="/versions/v9/software/S0395">LightNeuron</a> encrypts its configuration files with AES-256.<span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" data-reference="ESET LightNeuron May 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0447"> S0447 </a> </td> <td> <a href="/versions/v9/software/S0447"> Lokibot </a> </td> <td> <p><a href="/versions/v9/software/S0447">Lokibot</a> has obfuscated strings with base64 encoding.<span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" data-reference="Infoblox Lokibot January 2019"><sup><a href="https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0451"> S0451 </a> </td> <td> <a href="/versions/v9/software/S0451"> LoudMiner </a> </td> <td> <p><a href="/versions/v9/software/S0451">LoudMiner</a> has obfuscated various scripts and encrypted DMG files.<span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" data-reference="ESET LoudMiner June 2019"><sup><a href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0409"> S0409 </a> </td> <td> <a href="/versions/v9/software/S0409"> Machete </a> </td> <td> <p><a href="/versions/v9/software/S0409">Machete</a> has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. <a href="/versions/v9/groups/G0095">Machete</a> has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.<span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" data-reference="Cylance Machete Mar 2017"><sup><a href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a></sup></span><span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" data-reference="ESET Machete July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0059"> G0059 </a> </td> <td> <a href="/versions/v9/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/versions/v9/groups/G0059">Magic Hound</a> malware has used base64-encoded commands and files, and has also encrypted embedded strings with AES.<span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0167"> S0167 </a> </td> <td> <a href="/versions/v9/software/S0167"> Matryoshka </a> </td> <td> <p><a href="/versions/v9/software/S0167">Matryoshka</a> obfuscates API function names using a substitute cipher combined with Base64 encoding.<span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" data-reference="CopyKittens Nov 2015"><sup><a href="https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0449"> S0449 </a> </td> <td> <a href="/versions/v9/software/S0449"> Maze </a> </td> <td> <p><a href="/versions/v9/software/S0449">Maze</a> has decrypted strings and other important information during the encryption process. <a href="/versions/v9/software/S0449">Maze</a> also calls certain functions dynamically to hinder analysis.<span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" data-reference="McAfee Maze March 2020"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0500"> S0500 </a> </td> <td> <a href="/versions/v9/software/S0500"> MCMD </a> </td> <td> <p><a href="/versions/v9/software/S0500">MCMD</a> can Base64 encode output strings prior to sending to C2.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" data-reference="Secureworks MCMD July 2019"><sup><a href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0045"> G0045 </a> </td> <td> <a href="/versions/v9/groups/G0045"> menuPass </a> </td> <td> <p><a href="/versions/v9/groups/G0045">menuPass</a> has encoded strings in its malware with base64 as well as with a simple, single-byte XOR obfuscation using key 0x40.<span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" data-reference="Accenture Hogfish April 2018"><sup><a href="https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a></sup></span><span onclick=scrollToRef('scite-171') id="scite-ref-171-a" class="scite-citeref-number" data-reference="FireEye APT10 Sept 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank" data-hasqtip="170" aria-describedby="qtip-170">[171]</a></sup></span><span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" data-reference="Symantec Cicada November 2020"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0455"> S0455 </a> </td> <td> <a href="/versions/v9/software/S0455"> Metamorfo </a> </td> <td> <p><a href="/versions/v9/software/S0455">Metamorfo</a> has obfuscated and encrypted some payloads.<span onclick=scrollToRef('scite-173') id="scite-ref-173-a" class="scite-citeref-number" data-reference="Medium Metamorfo Apr 2020"><sup><a href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank" data-hasqtip="172" aria-describedby="qtip-172">[173]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0339"> S0339 </a> </td> <td> <a href="/versions/v9/software/S0339"> Micropsia </a> </td> <td> <p><a href="/versions/v9/software/S0339">Micropsia</a> obfuscates the configuration with a custom Base64 and XOR.<span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" data-reference="Talos Micropsia June 2017"><sup><a href="https://blog.talosintelligence.com/2017/06/palestine-delphi.html" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a></sup></span><span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" data-reference="Radware Micropsia July 2018"><sup><a href="https://blog.radware.com/security/2018/07/micropsia-malware/" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0051"> S0051 </a> </td> <td> <a href="/versions/v9/software/S0051"> MiniDuke </a> </td> <td> <p><a href="/versions/v9/software/S0051">MiniDuke</a> can use control flow flattening to obscure code.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0103"> G0103 </a> </td> <td> <a href="/versions/v9/groups/G0103"> Mofang </a> </td> <td> <p><a href="/versions/v9/groups/G0103">Mofang</a> has compressed the <a href="/versions/v9/software/S0444">ShimRat</a> executable within malicious email attachments. <a href="/versions/v9/groups/G0103">Mofang</a> has also encrypted payloads before they are downloaded to victims.<span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" data-reference="FOX-IT May 2016 Mofang"><sup><a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0021"> G0021 </a> </td> <td> <a href="/versions/v9/groups/G0021"> Molerats </a> </td> <td> <p><a href="/versions/v9/groups/G0021">Molerats</a> has delivered compressed executables within ZIP files to victims.<span onclick=scrollToRef('scite-177') id="scite-ref-177-a" class="scite-citeref-number" data-reference="Kaspersky MoleRATs April 2019"><sup><a href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank" data-hasqtip="176" aria-describedby="qtip-176">[177]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0284"> S0284 </a> </td> <td> <a href="/versions/v9/software/S0284"> More_eggs </a> </td> <td> <p><a href="/versions/v9/software/S0284">More_eggs</a>'s payload has been encrypted with a key that has the hostname and processor family information appended to the end.<span onclick=scrollToRef('scite-178') id="scite-ref-178-a" class="scite-citeref-number" data-reference="ESET EvilNum July 2020"><sup><a href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank" data-hasqtip="177" aria-describedby="qtip-177">[178]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0256"> S0256 </a> </td> <td> <a href="/versions/v9/software/S0256"> Mosquito </a> </td> <td> <p><a href="/versions/v9/software/S0256">Mosquito</a>’s installer is obfuscated with a custom crypter to obfuscate the installer.<span onclick=scrollToRef('scite-179') id="scite-ref-179-a" class="scite-citeref-number" data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="178" aria-describedby="qtip-178">[179]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0069"> G0069 </a> </td> <td> <a href="/versions/v9/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/versions/v9/groups/G0069">MuddyWater</a> has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.<span onclick=scrollToRef('scite-180') id="scite-ref-180-a" class="scite-citeref-number" data-reference="Unit 42 MuddyWater Nov 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" data-hasqtip="179" aria-describedby="qtip-179">[180]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="GitHub Invoke-Obfuscation"><sup><a href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span> The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.<span onclick=scrollToRef('scite-180') id="scite-ref-180-a" class="scite-citeref-number" data-reference="Unit 42 MuddyWater Nov 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" data-hasqtip="179" aria-describedby="qtip-179">[180]</a></sup></span><span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" data-reference="FireEye MuddyWater Mar 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a></sup></span><span onclick=scrollToRef('scite-182') id="scite-ref-182-a" class="scite-citeref-number" data-reference="Securelist MuddyWater Oct 2018"><sup><a href="https://securelist.com/muddywater/88059/" target="_blank" data-hasqtip="181" aria-describedby="qtip-181">[182]</a></sup></span><span onclick=scrollToRef('scite-183') id="scite-ref-183-a" class="scite-citeref-number" data-reference="Talos MuddyWater May 2019"><sup><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" data-hasqtip="182" aria-describedby="qtip-182">[183]</a></sup></span><span onclick=scrollToRef('scite-184') id="scite-ref-184-a" class="scite-citeref-number" data-reference="ClearSky MuddyWater June 2019"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" data-hasqtip="183" aria-describedby="qtip-183">[184]</a></sup></span><span onclick=scrollToRef('scite-185') id="scite-ref-185-a" class="scite-citeref-number" data-reference="Trend Micro Muddy Water March 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" data-hasqtip="184" aria-describedby="qtip-184">[185]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0129"> G0129 </a> </td> <td> <a href="/versions/v9/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/versions/v9/groups/G0129">Mustang Panda</a> has delivered initial payloads hidden using archives and encoding measures.<span onclick=scrollToRef('scite-186') id="scite-ref-186-a" class="scite-citeref-number" data-reference="Crowdstrike MUSTANG PANDA June 2018"><sup><a href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/" target="_blank" data-hasqtip="185" aria-describedby="qtip-185">[186]</a></sup></span><span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" data-reference="Anomali MUSTANG PANDA October 2019"><sup><a href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a></sup></span><span onclick=scrollToRef('scite-188') id="scite-ref-188-a" class="scite-citeref-number" data-reference="Secureworks BRONZE PRESIDENT December 2019"><sup><a href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank" data-hasqtip="187" aria-describedby="qtip-187">[188]</a></sup></span><span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" data-reference="Recorded Future REDDELTA July 2020"><sup><a href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a></sup></span><span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" data-reference="Proofpoint TA416 November 2020"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0228"> S0228 </a> </td> <td> <a href="/versions/v9/software/S0228"> NanHaiShu </a> </td> <td> <p><a href="/versions/v9/software/S0228">NanHaiShu</a> encodes files in Base64.<span onclick=scrollToRef('scite-191') id="scite-ref-191-a" class="scite-citeref-number" data-reference="fsecure NanHaiShu July 2016"><sup><a href="https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf" target="_blank" data-hasqtip="190" aria-describedby="qtip-190">[191]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0336"> S0336 </a> </td> <td> <a href="/versions/v9/software/S0336"> NanoCore </a> </td> <td> <p><a href="/versions/v9/software/S0336">NanoCore</a>’s plugins were obfuscated with Eazfuscater.NET 3.3.<span onclick=scrollToRef('scite-192') id="scite-ref-192-a" class="scite-citeref-number" data-reference="PaloAlto NanoCore Feb 2016"><sup><a href="https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/" target="_blank" data-hasqtip="191" aria-describedby="qtip-191">[192]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0457"> S0457 </a> </td> <td> <a href="/versions/v9/software/S0457"> Netwalker </a> </td> <td> <p><a href="/versions/v9/software/S0457">Netwalker</a>'s PowerShell script has been obfuscated with multiple layers including base64 and hexadecimal encoding and XOR-encryption, as well as obfuscated PowerShell functions and variables. <a href="/versions/v9/software/S0457">Netwalker</a>'s DLL has also been embedded within the PowerShell script in hex format.<span onclick=scrollToRef('scite-193') id="scite-ref-193-a" class="scite-citeref-number" data-reference="TrendMicro Netwalker May 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/" target="_blank" data-hasqtip="192" aria-describedby="qtip-192">[193]</a></sup></span><span onclick=scrollToRef('scite-194') id="scite-ref-194-a" class="scite-citeref-number" data-reference="Sophos Netwalker May 2020"><sup><a href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank" data-hasqtip="193" aria-describedby="qtip-193">[194]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0198"> S0198 </a> </td> <td> <a href="/versions/v9/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/versions/v9/software/S0198">NETWIRE</a> has used a custom obfuscation algorithm to hide strings including Registry keys, APIs, and DLL names.<span onclick=scrollToRef('scite-195') id="scite-ref-195-a" class="scite-citeref-number" data-reference="FireEye NETWIRE March 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/03/dissecting-netwire-phishing-campaign-usage-of-process-hollowing.html" target="_blank" data-hasqtip="194" aria-describedby="qtip-194">[195]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0014"> G0014 </a> </td> <td> <a href="/versions/v9/groups/G0014"> Night Dragon </a> </td> <td> <p>A <a href="/versions/v9/groups/G0014">Night Dragon</a> DLL included an XOR-encoded section.<span onclick=scrollToRef('scite-196') id="scite-ref-196-a" class="scite-citeref-number" data-reference="McAfee Night Dragon"><sup><a href="https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" target="_blank" data-hasqtip="195" aria-describedby="qtip-195">[196]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0385"> S0385 </a> </td> <td> <a href="/versions/v9/software/S0385"> njRAT </a> </td> <td> <p><a href="/versions/v9/software/S0385">njRAT</a> has included a base64 encoded executable.<span onclick=scrollToRef('scite-197') id="scite-ref-197-a" class="scite-citeref-number" data-reference="Trend Micro njRAT 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank" data-hasqtip="196" aria-describedby="qtip-196">[197]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0353"> S0353 </a> </td> <td> <a href="/versions/v9/software/S0353"> NOKKI </a> </td> <td> <p><a href="/versions/v9/software/S0353">NOKKI</a> uses Base64 encoding for strings.<span onclick=scrollToRef('scite-198') id="scite-ref-198-a" class="scite-citeref-number" data-reference="Unit 42 NOKKI Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank" data-hasqtip="197" aria-describedby="qtip-197">[198]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0049"> G0049 </a> </td> <td> <a href="/versions/v9/groups/G0049"> OilRig </a> </td> <td> <p><a href="/versions/v9/groups/G0049">OilRig</a> has encrypted and encoded data in its malware, including by using base64.<span onclick=scrollToRef('scite-199') id="scite-ref-199-a" class="scite-citeref-number" data-reference="FireEye APT34 Dec 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="198" aria-describedby="qtip-198">[199]</a></sup></span><span onclick=scrollToRef('scite-200') id="scite-ref-200-a" class="scite-citeref-number" data-reference="Unit 42 QUADAGENT July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank" data-hasqtip="199" aria-describedby="qtip-199">[200]</a></sup></span><span onclick=scrollToRef('scite-201') id="scite-ref-201-a" class="scite-citeref-number" data-reference="Unit 42 Playbook Dec 2017"><sup><a href="https://pan-unit42.github.io/playbook_viewer/" target="_blank" data-hasqtip="200" aria-describedby="qtip-200">[201]</a></sup></span><span onclick=scrollToRef('scite-202') id="scite-ref-202-a" class="scite-citeref-number" data-reference="Crowdstrike Helix Kitten Nov 2018"><sup><a href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/" target="_blank" data-hasqtip="201" aria-describedby="qtip-201">[202]</a></sup></span><span onclick=scrollToRef('scite-203') id="scite-ref-203-a" class="scite-citeref-number" data-reference="Unit42 OilRig Nov 2018"><sup><a href="https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/" target="_blank" data-hasqtip="202" aria-describedby="qtip-202">[203]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0138"> S0138 </a> </td> <td> <a href="/versions/v9/software/S0138"> OLDBAIT </a> </td> <td> <p><a href="/versions/v9/software/S0138">OLDBAIT</a> obfuscates internal strings and unpacks them at startup.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" data-reference="FireEye APT28"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0264"> S0264 </a> </td> <td> <a href="/versions/v9/software/S0264"> OopsIE </a> </td> <td> <p><a href="/versions/v9/software/S0264">OopsIE</a> uses the Confuser protector to obfuscate an embedded .Net Framework assembly used for C2. <a href="/versions/v9/software/S0264">OopsIE</a> also encodes collected data in hexadecimal format before writing to files on disk and obfuscates strings.<span onclick=scrollToRef('scite-204') id="scite-ref-204-a" class="scite-citeref-number" data-reference="Unit 42 OopsIE! Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="203" aria-describedby="qtip-203">[204]</a></sup></span><span onclick=scrollToRef('scite-205') id="scite-ref-205-a" class="scite-citeref-number" data-reference="Unit 42 OilRig Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank" data-hasqtip="204" aria-describedby="qtip-204">[205]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0116"> G0116 </a> </td> <td> <a href="/versions/v9/groups/G0116"> Operation Wocao </a> </td> <td> <p><a href="/versions/v9/groups/G0116">Operation Wocao</a> has executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.<span onclick=scrollToRef('scite-206') id="scite-ref-206-a" class="scite-citeref-number" data-reference="FoxIT Wocao December 2019"><sup><a href="https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf" target="_blank" data-hasqtip="205" aria-describedby="qtip-205">[206]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0229"> S0229 </a> </td> <td> <a href="/versions/v9/software/S0229"> Orz </a> </td> <td> <p>Some <a href="/versions/v9/software/S0229">Orz</a> strings are base64 encoded, such as the embedded DLL known as MockDll.<span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" data-reference="Proofpoint Leviathan Oct 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0352"> S0352 </a> </td> <td> <a href="/versions/v9/software/S0352"> OSX_OCEANLOTUS.D </a> </td> <td> <p><a href="/versions/v9/software/S0352">OSX_OCEANLOTUS.D</a> encrypts its strings in RSA256 and encodes them in a custom base64 scheme and XOR.<span onclick=scrollToRef('scite-207') id="scite-ref-207-a" class="scite-citeref-number" data-reference="TrendMicro MacOS April 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" target="_blank" data-hasqtip="206" aria-describedby="qtip-206">[207]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0594"> S0594 </a> </td> <td> <a href="/versions/v9/software/S0594"> Out1 </a> </td> <td> <p><a href="/versions/v9/software/S0594">Out1</a> has the ability to encode data.<span onclick=scrollToRef('scite-185') id="scite-ref-185-a" class="scite-citeref-number" data-reference="Trend Micro Muddy Water March 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" data-hasqtip="184" aria-describedby="qtip-184">[185]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0598"> S0598 </a> </td> <td> <a href="/versions/v9/software/S0598"> P.A.S. Webshell </a> </td> <td> <p><a href="/versions/v9/software/S0598">P.A.S. Webshell</a> can use encryption and base64 encoding to hide strings and to enforce access control once deployed.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" data-reference="ANSSI Sandworm January 2021"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0040"> G0040 </a> </td> <td> <a href="/versions/v9/groups/G0040"> Patchwork </a> </td> <td> <p><a href="/versions/v9/groups/G0040">Patchwork</a> has obfuscated a script with Crypto Obfuscator.<span onclick=scrollToRef('scite-208') id="scite-ref-208-a" class="scite-citeref-number" data-reference="TrendMicro Patchwork Dec 2017"><sup><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="207" aria-describedby="qtip-207">[208]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0587"> S0587 </a> </td> <td> <a href="/versions/v9/software/S0587"> Penquin </a> </td> <td> <p><a href="/versions/v9/software/S0587">Penquin</a> has encrypted strings in the binary for obfuscation.<span onclick=scrollToRef('scite-209') id="scite-ref-209-a" class="scite-citeref-number" data-reference="Leonardo Turla Penquin May 2020"><sup><a href="https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank" data-hasqtip="208" aria-describedby="qtip-208">[209]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0517"> S0517 </a> </td> <td> <a href="/versions/v9/software/S0517"> Pillowmint </a> </td> <td> <p><a href="/versions/v9/software/S0517">Pillowmint</a> has been compressed and stored within a registry key. <a href="/versions/v9/software/S0517">Pillowmint</a> has also obfuscated the AES key used for encryption.<span onclick=scrollToRef('scite-210') id="scite-ref-210-a" class="scite-citeref-number" data-reference="Trustwave Pillowmint June 2020"><sup><a href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/" target="_blank" data-hasqtip="209" aria-describedby="qtip-209">[210]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0501"> S0501 </a> </td> <td> <a href="/versions/v9/software/S0501"> PipeMon </a> </td> <td> <p><a href="/versions/v9/software/S0501">PipeMon</a> modules are stored encrypted on disk.<span onclick=scrollToRef('scite-211') id="scite-ref-211-a" class="scite-citeref-number" data-reference="ESET PipeMon May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank" data-hasqtip="210" aria-describedby="qtip-210">[211]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0124"> S0124 </a> </td> <td> <a href="/versions/v9/software/S0124"> Pisloader </a> </td> <td> <p><a href="/versions/v9/software/S0124">Pisloader</a> obfuscates files by splitting strings into smaller sub-strings and including "garbage" strings that are never used. The malware also uses return-oriented programming (ROP) technique and single-byte XOR to obfuscate data.<span onclick=scrollToRef('scite-212') id="scite-ref-212-a" class="scite-citeref-number" data-reference="Palo Alto DNS Requests"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank" data-hasqtip="211" aria-describedby="qtip-211">[212]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0428"> S0428 </a> </td> <td> <a href="/versions/v9/software/S0428"> PoetRAT </a> </td> <td> <p><a href="/versions/v9/software/S0428">PoetRAT</a> has used a custom encryption scheme for communication between scripts and pyminifier to obfuscate scripts.<span onclick=scrollToRef('scite-213') id="scite-ref-213-a" class="scite-citeref-number" data-reference="Talos PoetRAT April 2020"><sup><a href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank" data-hasqtip="212" aria-describedby="qtip-212">[213]</a></sup></span><span onclick=scrollToRef('scite-214') id="scite-ref-214-a" class="scite-citeref-number" data-reference="Talos PoetRAT October 2020"><sup><a href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank" data-hasqtip="213" aria-describedby="qtip-213">[214]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0012"> S0012 </a> </td> <td> <a href="/versions/v9/software/S0012"> PoisonIvy </a> </td> <td> <p><a href="/versions/v9/software/S0012">PoisonIvy</a> hides any strings related to its own indicators of compromise.<span onclick=scrollToRef('scite-215') id="scite-ref-215-a" class="scite-citeref-number" data-reference="Symantec Darkmoon Aug 2005"><sup><a href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank" data-hasqtip="214" aria-describedby="qtip-214">[215]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0518"> S0518 </a> </td> <td> <a href="/versions/v9/software/S0518"> PolyglotDuke </a> </td> <td> <p><a href="/versions/v9/software/S0518">PolyglotDuke</a> can custom encrypt strings.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0453"> S0453 </a> </td> <td> <a href="/versions/v9/software/S0453"> Pony </a> </td> <td> <p><a href="/versions/v9/software/S0453">Pony</a> attachments have been delivered via compressed archive files. <a href="/versions/v9/software/S0453">Pony</a> also obfuscates the memory flow by adding junk instructions when executing to make analysis more difficult.<span onclick=scrollToRef('scite-216') id="scite-ref-216-a" class="scite-citeref-number" data-reference="Malwarebytes Pony April 2016"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank" data-hasqtip="215" aria-describedby="qtip-215">[216]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0150"> S0150 </a> </td> <td> <a href="/versions/v9/software/S0150"> POSHSPY </a> </td> <td> <p><a href="/versions/v9/software/S0150">POSHSPY</a> appends a file signature header (randomly selected from six file types) to encrypted data prior to upload or download.<span onclick=scrollToRef('scite-217') id="scite-ref-217-a" class="scite-citeref-number" data-reference="FireEye POSHSPY April 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" target="_blank" data-hasqtip="216" aria-describedby="qtip-216">[217]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0194"> S0194 </a> </td> <td> <a href="/versions/v9/software/S0194"> PowerSploit </a> </td> <td> <p><a href="/versions/v9/software/S0194">PowerSploit</a> contains a collection of ScriptModification modules that compress and encode scripts and payloads.<span onclick=scrollToRef('scite-218') id="scite-ref-218-a" class="scite-citeref-number" data-reference="GitHub PowerSploit May 2012"><sup><a href="https://github.com/PowerShellMafia/PowerSploit" target="_blank" data-hasqtip="217" aria-describedby="qtip-217">[218]</a></sup></span><span onclick=scrollToRef('scite-219') id="scite-ref-219-a" class="scite-citeref-number" data-reference="PowerSploit Documentation"><sup><a href="http://powersploit.readthedocs.io" target="_blank" data-hasqtip="218" aria-describedby="qtip-218">[219]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0393"> S0393 </a> </td> <td> <a href="/versions/v9/software/S0393"> PowerStallion </a> </td> <td> <p><a href="/versions/v9/software/S0393">PowerStallion</a> uses a XOR cipher to encrypt command output written to its OneDrive C2 server.<span onclick=scrollToRef('scite-220') id="scite-ref-220-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="219" aria-describedby="qtip-219">[220]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0223"> S0223 </a> </td> <td> <a href="/versions/v9/software/S0223"> POWERSTATS </a> </td> <td> <p><a href="/versions/v9/software/S0223">POWERSTATS</a> uses character replacement, <a href="/versions/v9/techniques/T1059/001">PowerShell</a> environment variables, and XOR encoding to obfuscate code. <a href="/versions/v9/software/S0223">POWERSTATS</a>'s backdoor code is a multi-layer obfuscated, encoded, and compressed blob. <span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" data-reference="FireEye MuddyWater Mar 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a></sup></span><span onclick=scrollToRef('scite-221') id="scite-ref-221-a" class="scite-citeref-number" data-reference="ClearSky MuddyWater Nov 2018"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" data-hasqtip="220" aria-describedby="qtip-220">[221]</a></sup></span> <a href="/versions/v9/software/S0223">POWERSTATS</a> has used PowerShell code with custom string obfuscation <span onclick=scrollToRef('scite-222') id="scite-ref-222-a" class="scite-citeref-number" data-reference="TrendMicro POWERSTATS V3 June 2019"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" data-hasqtip="221" aria-describedby="qtip-221">[222]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0113"> S0113 </a> </td> <td> <a href="/versions/v9/software/S0113"> Prikormka </a> </td> <td> <p>Some resources in <a href="/versions/v9/software/S0113">Prikormka</a> are encrypted with a simple XOR operation or encoded with Base64.<span onclick=scrollToRef('scite-223') id="scite-ref-223-a" class="scite-citeref-number" data-reference="ESET Operation Groundbait"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank" data-hasqtip="222" aria-describedby="qtip-222">[223]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0196"> S0196 </a> </td> <td> <a href="/versions/v9/software/S0196"> PUNCHBUGGY </a> </td> <td> <p><a href="/versions/v9/software/S0196">PUNCHBUGGY</a> has hashed most its code's functions and encrypted payloads with base64 and XOR.<span onclick=scrollToRef('scite-224') id="scite-ref-224-a" class="scite-citeref-number" data-reference="Morphisec ShellTea June 2019"><sup><a href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank" data-hasqtip="223" aria-describedby="qtip-223">[224]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0197"> S0197 </a> </td> <td> <a href="/versions/v9/software/S0197"> PUNCHTRACK </a> </td> <td> <p><a href="/versions/v9/software/S0197">PUNCHTRACK</a> is loaded and executed by a highly obfuscated launcher.<span onclick=scrollToRef('scite-225') id="scite-ref-225-a" class="scite-citeref-number" data-reference="FireEye Fin8 May 2016"><sup><a href="https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" target="_blank" data-hasqtip="224" aria-describedby="qtip-224">[225]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0024"> G0024 </a> </td> <td> <a href="/versions/v9/groups/G0024"> Putter Panda </a> </td> <td> <p>Droppers used by <a href="/versions/v9/groups/G0024">Putter Panda</a> use RC4 or a 16-byte XOR key consisting of the bytes 0xA0 – 0xAF to obfuscate payloads.<span onclick=scrollToRef('scite-226') id="scite-ref-226-a" class="scite-citeref-number" data-reference="CrowdStrike Putter Panda"><sup><a href="http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" target="_blank" data-hasqtip="225" aria-describedby="qtip-225">[226]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0269"> S0269 </a> </td> <td> <a href="/versions/v9/software/S0269"> QUADAGENT </a> </td> <td> <p><a href="/versions/v9/software/S0269">QUADAGENT</a> was likely obfuscated using Invoke-Obfuscation.<span onclick=scrollToRef('scite-200') id="scite-ref-200-a" class="scite-citeref-number" data-reference="Unit 42 QUADAGENT July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank" data-hasqtip="199" aria-describedby="qtip-199">[200]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="GitHub Invoke-Obfuscation"><sup><a href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0565"> S0565 </a> </td> <td> <a href="/versions/v9/software/S0565"> Raindrop </a> </td> <td> <p><a href="/versions/v9/software/S0565">Raindrop</a> encrypted its payload using a simple XOR algorithm with a single-byte key.<span onclick=scrollToRef('scite-227') id="scite-ref-227-a" class="scite-citeref-number" data-reference="Symantec RAINDROP January 2021"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank" data-hasqtip="226" aria-describedby="qtip-226">[227]</a></sup></span><span onclick=scrollToRef('scite-228') id="scite-ref-228-a" class="scite-citeref-number" data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="227" aria-describedby="qtip-227">[228]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0458"> S0458 </a> </td> <td> <a href="/versions/v9/software/S0458"> Ramsay </a> </td> <td> <p><a href="/versions/v9/software/S0458">Ramsay</a> has base64-encoded its portable executable and hidden itself under a JPG header. <a href="/versions/v9/software/S0458">Ramsay</a> can also embed information within document footers.<span onclick=scrollToRef('scite-229') id="scite-ref-229-a" class="scite-citeref-number" data-reference="Eset Ramsay May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank" data-hasqtip="228" aria-describedby="qtip-228">[229]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0172"> S0172 </a> </td> <td> <a href="/versions/v9/software/S0172"> Reaver </a> </td> <td> <p><a href="/versions/v9/software/S0172">Reaver</a> encrypts some of its files with XOR.<span onclick=scrollToRef('scite-230') id="scite-ref-230-a" class="scite-citeref-number" data-reference="Palo Alto Reaver Nov 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" target="_blank" data-hasqtip="229" aria-describedby="qtip-229">[230]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0153"> S0153 </a> </td> <td> <a href="/versions/v9/software/S0153"> RedLeaves </a> </td> <td> <p>A <a href="/versions/v9/software/S0153">RedLeaves</a> configuration file is encrypted with a simple XOR key, 0x53.<span onclick=scrollToRef('scite-231') id="scite-ref-231-a" class="scite-citeref-number" data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" target="_blank" data-hasqtip="230" aria-describedby="qtip-230">[231]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0511"> S0511 </a> </td> <td> <a href="/versions/v9/software/S0511"> RegDuke </a> </td> <td> <p><a href="/versions/v9/software/S0511">RegDuke</a> can use control-flow flattening or the commercially available .NET Reactor for obfuscation.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" data-reference="ESET Dukes October 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0332"> S0332 </a> </td> <td> <a href="/versions/v9/software/S0332"> Remcos </a> </td> <td> <p><a href="/versions/v9/software/S0332">Remcos</a> uses RC4 and base64 to obfuscate data, including Registry entries and file paths.<span onclick=scrollToRef('scite-232') id="scite-ref-232-a" class="scite-citeref-number" data-reference="Talos Remcos Aug 2018"><sup><a href="https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html" target="_blank" data-hasqtip="231" aria-describedby="qtip-231">[232]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0375"> S0375 </a> </td> <td> <a href="/versions/v9/software/S0375"> Remexi </a> </td> <td> <p><a href="/versions/v9/software/S0375">Remexi</a> obfuscates its configuration data with XOR.<span onclick=scrollToRef('scite-233') id="scite-ref-233-a" class="scite-citeref-number" data-reference="Securelist Remexi Jan 2019"><sup><a href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank" data-hasqtip="232" aria-describedby="qtip-232">[233]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0125"> S0125 </a> </td> <td> <a href="/versions/v9/software/S0125"> Remsec </a> </td> <td> <p>Some data in <a href="/versions/v9/software/S0125">Remsec</a> is encrypted using RC5 in CBC mode, AES-CBC with a hardcoded key, RC4, or Salsa20. Some data is also base64-encoded.<span onclick=scrollToRef('scite-234') id="scite-ref-234-a" class="scite-citeref-number" data-reference="Symantec Remsec IOCs"><sup><a href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf" target="_blank" data-hasqtip="233" aria-describedby="qtip-233">[234]</a></sup></span><span onclick=scrollToRef('scite-235') id="scite-ref-235-a" class="scite-citeref-number" data-reference="Kaspersky ProjectSauron Technical Analysis"><sup><a href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" target="_blank" data-hasqtip="234" aria-describedby="qtip-234">[235]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0496"> S0496 </a> </td> <td> <a href="/versions/v9/software/S0496"> REvil </a> </td> <td> <p><a href="/versions/v9/software/S0496">REvil</a> has used encrypted strings and configuration files.<span onclick=scrollToRef('scite-236') id="scite-ref-236-a" class="scite-citeref-number" data-reference="G Data Sodinokibi June 2019"><sup><a href="https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data" target="_blank" data-hasqtip="235" aria-describedby="qtip-235">[236]</a></sup></span><span onclick=scrollToRef('scite-237') id="scite-ref-237-a" class="scite-citeref-number" data-reference="Secureworks GandCrab and REvil September 2019"><sup><a href="https://www.secureworks.com/blog/revil-the-gandcrab-connection" target="_blank" data-hasqtip="236" aria-describedby="qtip-236">[237]</a></sup></span><span onclick=scrollToRef('scite-238') id="scite-ref-238-a" class="scite-citeref-number" data-reference="McAfee Sodinokibi October 2019"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" target="_blank" data-hasqtip="237" aria-describedby="qtip-237">[238]</a></sup></span><span onclick=scrollToRef('scite-239') id="scite-ref-239-a" class="scite-citeref-number" data-reference="Intel 471 REvil March 2020"><sup><a href="https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/" target="_blank" data-hasqtip="238" aria-describedby="qtip-238">[239]</a></sup></span><span onclick=scrollToRef('scite-240') id="scite-ref-240-a" class="scite-citeref-number" data-reference="Group IB Ransomware May 2020"><sup><a href="https://www.group-ib.com/whitepapers/ransomware-uncovered.html" target="_blank" data-hasqtip="239" aria-describedby="qtip-239">[240]</a></sup></span><span onclick=scrollToRef('scite-241') id="scite-ref-241-a" class="scite-citeref-number" data-reference="Picus Sodinokibi January 2020"><sup><a href="https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" target="_blank" data-hasqtip="240" aria-describedby="qtip-240">[241]</a></sup></span><span onclick=scrollToRef('scite-242') id="scite-ref-242-a" class="scite-citeref-number" data-reference="Secureworks REvil September 2019"><sup><a href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank" data-hasqtip="241" aria-describedby="qtip-241">[242]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0433"> S0433 </a> </td> <td> <a href="/versions/v9/software/S0433"> Rifdoor </a> </td> <td> <p><a href="/versions/v9/software/S0433">Rifdoor</a> has encrypted strings with a single byte XOR algorithm.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" data-reference="Carbon Black HotCroissant April 2020"><sup><a href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0448"> S0448 </a> </td> <td> <a href="/versions/v9/software/S0448"> Rising Sun </a> </td> <td> <p>Configuration data used by <a href="/versions/v9/software/S0448">Rising Sun</a> is encrypted using RC4.<span onclick=scrollToRef('scite-243') id="scite-ref-243-a" class="scite-citeref-number" data-reference="McAfee Sharpshooter December 2018"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank" data-hasqtip="242" aria-describedby="qtip-242">[243]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0106"> G0106 </a> </td> <td> <a href="/versions/v9/groups/G0106"> Rocke </a> </td> <td> <p><a href="/versions/v9/groups/G0106">Rocke</a> has modified UPX headers after packing files to break unpackers.<span onclick=scrollToRef('scite-244') id="scite-ref-244-a" class="scite-citeref-number" data-reference="Anomali Rocke March 2019"><sup><a href="https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" target="_blank" data-hasqtip="243" aria-describedby="qtip-243">[244]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0270"> S0270 </a> </td> <td> <a href="/versions/v9/software/S0270"> RogueRobin </a> </td> <td> <p>The PowerShell script with the <a href="/versions/v9/software/S0270">RogueRobin</a> payload was obfuscated using the COMPRESS technique in Invoke-Obfuscation.<span onclick=scrollToRef('scite-245') id="scite-ref-245-a" class="scite-citeref-number" data-reference="Unit 42 DarkHydrus July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank" data-hasqtip="244" aria-describedby="qtip-244">[245]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="GitHub Invoke-Obfuscation"><sup><a href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0148"> S0148 </a> </td> <td> <a href="/versions/v9/software/S0148"> RTM </a> </td> <td> <p><a href="/versions/v9/software/S0148">RTM</a> strings, network data, configuration, and modules are encrypted with a modified RC4 algorithm. <a href="/versions/v9/software/S0148">RTM</a> has also been delivered to targets as various archive files including ZIP, 7-ZIP, and RAR.<span onclick=scrollToRef('scite-246') id="scite-ref-246-a" class="scite-citeref-number" data-reference="ESET RTM Feb 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank" data-hasqtip="245" aria-describedby="qtip-245">[246]</a></sup></span><span onclick=scrollToRef('scite-247') id="scite-ref-247-a" class="scite-citeref-number" data-reference="Unit42 Redaman January 2019"><sup><a href="https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" target="_blank" data-hasqtip="246" aria-describedby="qtip-246">[247]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0074"> S0074 </a> </td> <td> <a href="/versions/v9/software/S0074"> Sakula </a> </td> <td> <p><a href="/versions/v9/software/S0074">Sakula</a> uses single-byte XOR obfuscation to obfuscate many of its files.<span onclick=scrollToRef('scite-248') id="scite-ref-248-a" class="scite-citeref-number" data-reference="Dell Sakula"><sup><a href="http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/" target="_blank" data-hasqtip="247" aria-describedby="qtip-247">[248]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0370"> S0370 </a> </td> <td> <a href="/versions/v9/software/S0370"> SamSam </a> </td> <td> <p><a href="/versions/v9/software/S0370">SamSam</a> has been seen using AES or DES to encrypt payloads and payload components.<span onclick=scrollToRef('scite-249') id="scite-ref-249-a" class="scite-citeref-number" data-reference="Sophos SamSam Apr 2018"><sup><a href="https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf" target="_blank" data-hasqtip="248" aria-describedby="qtip-248">[249]</a></sup></span><span onclick=scrollToRef('scite-250') id="scite-ref-250-a" class="scite-citeref-number" data-reference="Talos SamSam Jan 2018"><sup><a href="https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html" target="_blank" data-hasqtip="249" aria-describedby="qtip-249">[250]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0034"> G0034 </a> </td> <td> <a href="/versions/v9/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/versions/v9/groups/G0034">Sandworm Team</a> has used Base64 encoding within malware variants. <a href="/versions/v9/groups/G0034">Sandworm Team</a> has also used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.<span onclick=scrollToRef('scite-251') id="scite-ref-251-a" class="scite-citeref-number" data-reference="iSight Sandworm Oct 2014"><sup><a href="https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/" target="_blank" data-hasqtip="250" aria-describedby="qtip-250">[251]</a></sup></span><span onclick=scrollToRef('scite-252') id="scite-ref-252-a" class="scite-citeref-number" data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="251" aria-describedby="qtip-251">[252]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0461"> S0461 </a> </td> <td> <a href="/versions/v9/software/S0461"> SDBbot </a> </td> <td> <p><a href="/versions/v9/software/S0461">SDBbot</a> has the ability to XOR the strings for its installer component with a hardcoded 128 byte key.<span onclick=scrollToRef('scite-253') id="scite-ref-253-a" class="scite-citeref-number" data-reference="Proofpoint TA505 October 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank" data-hasqtip="252" aria-describedby="qtip-252">[253]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0345"> S0345 </a> </td> <td> <a href="/versions/v9/software/S0345"> Seasalt </a> </td> <td> <p><a href="/versions/v9/software/S0345">Seasalt</a> obfuscates configuration data.<span onclick=scrollToRef('scite-254') id="scite-ref-254-a" class="scite-citeref-number" data-reference="Mandiant APT1 Appendix"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" target="_blank" data-hasqtip="253" aria-describedby="qtip-253">[254]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0596"> S0596 </a> </td> <td> <a href="/versions/v9/software/S0596"> ShadowPad </a> </td> <td> <p><a href="/versions/v9/software/S0596">ShadowPad</a> has encrypted a virtual file system and various files.<span onclick=scrollToRef('scite-255') id="scite-ref-255-a" class="scite-citeref-number" data-reference="Securelist ShadowPad Aug 2017"><sup><a href="https://securelist.com/shadowpad-in-corporate-networks/81432/" target="_blank" data-hasqtip="254" aria-describedby="qtip-254">[255]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0140"> S0140 </a> </td> <td> <a href="/versions/v9/software/S0140"> Shamoon </a> </td> <td> <p><a href="/versions/v9/software/S0140">Shamoon</a> contains base64-encoded strings.<span onclick=scrollToRef('scite-256') id="scite-ref-256-a" class="scite-citeref-number" data-reference="Palo Alto Shamoon Nov 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank" data-hasqtip="255" aria-describedby="qtip-255">[256]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0450"> S0450 </a> </td> <td> <a href="/versions/v9/software/S0450"> SHARPSTATS </a> </td> <td> <p><a href="/versions/v9/software/S0450">SHARPSTATS</a> has used base64 encoding and XOR to obfuscate PowerShell scripts.<span onclick=scrollToRef('scite-222') id="scite-ref-222-a" class="scite-citeref-number" data-reference="TrendMicro POWERSTATS V3 June 2019"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" data-hasqtip="221" aria-describedby="qtip-221">[222]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0444"> S0444 </a> </td> <td> <a href="/versions/v9/software/S0444"> ShimRat </a> </td> <td> <p><a href="/versions/v9/software/S0444">ShimRat</a> has been delivered as a package that includes compressed DLL and shellcode payloads within a .dat file.<span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" data-reference="FOX-IT May 2016 Mofang"><sup><a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0445"> S0445 </a> </td> <td> <a href="/versions/v9/software/S0445"> ShimRatReporter </a> </td> <td> <p><a href="/versions/v9/software/S0445">ShimRatReporter</a> encrypted gathered information with a combination of shifting and XOR using a static key.<span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" data-reference="FOX-IT May 2016 Mofang"><sup><a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0063"> S0063 </a> </td> <td> <a href="/versions/v9/software/S0063"> SHOTPUT </a> </td> <td> <p><a href="/versions/v9/software/S0063">SHOTPUT</a> is obscured using XOR encoding and appended to a valid GIF file.<span onclick=scrollToRef('scite-257') id="scite-ref-257-a" class="scite-citeref-number" data-reference="FireEye Clandestine Wolf"><sup><a href="https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" target="_blank" data-hasqtip="256" aria-describedby="qtip-256">[257]</a></sup></span><span onclick=scrollToRef('scite-258') id="scite-ref-258-a" class="scite-citeref-number" data-reference="Palo Alto CVE-2015-3113 July 2015"><sup><a href="http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/" target="_blank" data-hasqtip="257" aria-describedby="qtip-257">[258]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0589"> S0589 </a> </td> <td> <a href="/versions/v9/software/S0589"> Sibot </a> </td> <td> <p><a href="/versions/v9/software/S0589">Sibot</a> has obfuscated scripts used in execution.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0121"> G0121 </a> </td> <td> <a href="/versions/v9/groups/G0121"> Sidewinder </a> </td> <td> <p><a href="/versions/v9/groups/G0121">Sidewinder</a> has used base64 encoding and ECDH-P256 encryption for scripts and files.<span onclick=scrollToRef('scite-259') id="scite-ref-259-a" class="scite-citeref-number" data-reference="ATT Sidewinder January 2021"><sup><a href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank" data-hasqtip="258" aria-describedby="qtip-258">[259]</a></sup></span><span onclick=scrollToRef('scite-260') id="scite-ref-260-a" class="scite-citeref-number" data-reference="Rewterz Sidewinder APT April 2020"><sup><a href="https://www.rewterz.com/threats/sidewinder-apt-group-campaign-analysis" target="_blank" data-hasqtip="259" aria-describedby="qtip-259">[260]</a></sup></span><span onclick=scrollToRef('scite-261') id="scite-ref-261-a" class="scite-citeref-number" data-reference="Cyble Sidewinder September 2020"><sup><a href="https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/" target="_blank" data-hasqtip="260" aria-describedby="qtip-260">[261]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0091"> G0091 </a> </td> <td> <a href="/versions/v9/groups/G0091"> Silence </a> </td> <td> <p><a href="/versions/v9/groups/G0091">Silence</a> has used environment variable string substitution for obfuscation.<span onclick=scrollToRef('scite-262') id="scite-ref-262-a" class="scite-citeref-number" data-reference="Cyber Forensicator Silence Jan 2019"><sup><a href="https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/" target="_blank" data-hasqtip="261" aria-describedby="qtip-261">[262]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0468"> S0468 </a> </td> <td> <a href="/versions/v9/software/S0468"> Skidmap </a> </td> <td> <p><a href="/versions/v9/software/S0468">Skidmap</a> has encrypted it's main payload using 3DES.<span onclick=scrollToRef('scite-263') id="scite-ref-263-a" class="scite-citeref-number" data-reference="Trend Micro Skidmap"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank" data-hasqtip="262" aria-describedby="qtip-262">[263]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0226"> S0226 </a> </td> <td> <a href="/versions/v9/software/S0226"> Smoke Loader </a> </td> <td> <p><a href="/versions/v9/software/S0226">Smoke Loader</a> uses a simple one-byte XOR method to obfuscate values in the malware.<span onclick=scrollToRef('scite-264') id="scite-ref-264-a" class="scite-citeref-number" data-reference="Malwarebytes SmokeLoader 2016"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank" data-hasqtip="263" aria-describedby="qtip-263">[264]</a></sup></span><span onclick=scrollToRef('scite-265') id="scite-ref-265-a" class="scite-citeref-number" data-reference="Talos Smoke Loader July 2018"><sup><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" data-hasqtip="264" aria-describedby="qtip-264">[265]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0516"> S0516 </a> </td> <td> <a href="/versions/v9/software/S0516"> SoreFang </a> </td> <td> <p><a href="/versions/v9/software/S0516">SoreFang</a> has the ability to encode and RC6 encrypt data sent to C2.<span onclick=scrollToRef('scite-266') id="scite-ref-266-a" class="scite-citeref-number" data-reference="CISA SoreFang July 2016"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" data-hasqtip="265" aria-describedby="qtip-265">[266]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0374"> S0374 </a> </td> <td> <a href="/versions/v9/software/S0374"> SpeakUp </a> </td> <td> <p><a href="/versions/v9/software/S0374">SpeakUp</a> encodes its second-stage payload with Base64. <span onclick=scrollToRef('scite-267') id="scite-ref-267-a" class="scite-citeref-number" data-reference="CheckPoint SpeakUp Feb 2019"><sup><a href="https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" target="_blank" data-hasqtip="266" aria-describedby="qtip-266">[267]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0390"> S0390 </a> </td> <td> <a href="/versions/v9/software/S0390"> SQLRat </a> </td> <td> <p><a href="/versions/v9/software/S0390">SQLRat</a> has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.<span onclick=scrollToRef('scite-268') id="scite-ref-268-a" class="scite-citeref-number" data-reference="Flashpoint FIN 7 March 2019"><sup><a href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank" data-hasqtip="267" aria-describedby="qtip-267">[268]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0380"> S0380 </a> </td> <td> <a href="/versions/v9/software/S0380"> StoneDrill </a> </td> <td> <p><a href="/versions/v9/software/S0380">StoneDrill</a> has obfuscated its module with an alphabet-based table or XOR encryption.<span onclick=scrollToRef('scite-269') id="scite-ref-269-a" class="scite-citeref-number" data-reference="Kaspersky StoneDrill 2017"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" target="_blank" data-hasqtip="268" aria-describedby="qtip-268">[269]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0142"> S0142 </a> </td> <td> <a href="/versions/v9/software/S0142"> StreamEx </a> </td> <td> <p><a href="/versions/v9/software/S0142">StreamEx</a> obfuscates some commands by using statically programmed fragments of strings when starting a DLL. It also uses a one-byte xor against 0x91 to encode configuration data.<span onclick=scrollToRef('scite-270') id="scite-ref-270-a" class="scite-citeref-number" data-reference="Cylance Shell Crew Feb 2017"><sup><a href="https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" target="_blank" data-hasqtip="269" aria-describedby="qtip-269">[270]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0491"> S0491 </a> </td> <td> <a href="/versions/v9/software/S0491"> StrongPity </a> </td> <td> <p><a href="/versions/v9/software/S0491">StrongPity</a> has used encrypted strings in its dropper component.<span onclick=scrollToRef('scite-271') id="scite-ref-271-a" class="scite-citeref-number" data-reference="Talos Promethium June 2020"><sup><a href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank" data-hasqtip="270" aria-describedby="qtip-270">[271]</a></sup></span><span onclick=scrollToRef('scite-272') id="scite-ref-272-a" class="scite-citeref-number" data-reference="Bitdefender StrongPity June 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" target="_blank" data-hasqtip="271" aria-describedby="qtip-271">[272]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0559"> S0559 </a> </td> <td> <a href="/versions/v9/software/S0559"> SUNBURST </a> </td> <td> <p><a href="/versions/v9/software/S0559">SUNBURST</a> strings were compressed and encoded in Base64.<span onclick=scrollToRef('scite-273') id="scite-ref-273-a" class="scite-citeref-number" data-reference="Microsoft Analyzing Solorigate Dec 2020"><sup><a href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank" data-hasqtip="272" aria-describedby="qtip-272">[273]</a></sup></span> <a href="/versions/v9/software/S0559">SUNBURST</a> also obfuscated collected system information using a FNV-1a + XOR algorithm.<span onclick=scrollToRef('scite-274') id="scite-ref-274-a" class="scite-citeref-number" data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="273" aria-describedby="qtip-273">[274]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0562"> S0562 </a> </td> <td> <a href="/versions/v9/software/S0562"> SUNSPOT </a> </td> <td> <p><a href="/versions/v9/software/S0562">SUNSPOT</a> encrypted log entries it collected with the stream cipher RC4 using a hard-coded key. It also uses AES128-CBC encrypted blobs for <a href="/versions/v9/software/S0559">SUNBURST</a> source code and data extracted from the SolarWinds Orion <MsBuild.exe</code> process.<span onclick=scrollToRef('scite-275') id="scite-ref-275-a" class="scite-citeref-number" data-reference="CrowdStrike SUNSPOT Implant January 2021"><sup><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" data-hasqtip="274" aria-describedby="qtip-274">[275]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0578"> S0578 </a> </td> <td> <a href="/versions/v9/software/S0578"> SUPERNOVA </a> </td> <td> <p><a href="/versions/v9/software/S0578">SUPERNOVA</a> contained Base64-encoded strings.<span onclick=scrollToRef('scite-276') id="scite-ref-276-a" class="scite-citeref-number" data-reference="CISA Supernova Jan 2021"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a" target="_blank" data-hasqtip="275" aria-describedby="qtip-275">[276]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0242"> S0242 </a> </td> <td> <a href="/versions/v9/software/S0242"> SynAck </a> </td> <td> <p><a href="/versions/v9/software/S0242">SynAck</a> payloads are obfuscated prior to compilation to inhibit analysis and/or reverse engineering.<span onclick=scrollToRef('scite-277') id="scite-ref-277-a" class="scite-citeref-number" data-reference="SecureList SynAck Doppelgänging May 2018"><sup><a href="https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" target="_blank" data-hasqtip="276" aria-describedby="qtip-276">[277]</a></sup></span><span onclick=scrollToRef('scite-278') id="scite-ref-278-a" class="scite-citeref-number" data-reference="Kaspersky Lab SynAck May 2018"><sup><a href="https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging" target="_blank" data-hasqtip="277" aria-describedby="qtip-277">[278]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0092"> G0092 </a> </td> <td> <a href="/versions/v9/groups/G0092"> TA505 </a> </td> <td> <p><a href="/versions/v9/groups/G0092">TA505</a> has password-protected malicious Word documents and used base64 encoded PowerShell commands.<span onclick=scrollToRef('scite-279') id="scite-ref-279-a" class="scite-citeref-number" data-reference="Proofpoint TA505 Sep 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter" target="_blank" data-hasqtip="278" aria-describedby="qtip-278">[279]</a></sup></span><span onclick=scrollToRef('scite-280') id="scite-ref-280-a" class="scite-citeref-number" data-reference="Cybereason TA505 April 2019"><sup><a href="https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware" target="_blank" data-hasqtip="279" aria-describedby="qtip-279">[280]</a></sup></span><span onclick=scrollToRef('scite-281') id="scite-ref-281-a" class="scite-citeref-number" data-reference="Deep Instinct TA505 Apr 2019"><sup><a href="https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/" target="_blank" data-hasqtip="280" aria-describedby="qtip-280">[281]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0127"> G0127 </a> </td> <td> <a href="/versions/v9/groups/G0127"> TA551 </a> </td> <td> <p><a href="/versions/v9/groups/G0127">TA551</a> has used obfuscated variable names in a JavaScript configuration file.<span onclick=scrollToRef('scite-282') id="scite-ref-282-a" class="scite-citeref-number" data-reference="Unit 42 Valak July 2020"><sup><a href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank" data-hasqtip="281" aria-describedby="qtip-281">[282]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0467"> S0467 </a> </td> <td> <a href="/versions/v9/software/S0467"> TajMahal </a> </td> <td> <p><a href="/versions/v9/software/S0467">TajMahal</a> has used an encrypted Virtual File System to store plugins.<span onclick=scrollToRef('scite-283') id="scite-ref-283-a" class="scite-citeref-number" data-reference="Kaspersky TajMahal April 2019"><sup><a href="https://securelist.com/project-tajmahal/90240/" target="_blank" data-hasqtip="282" aria-describedby="qtip-282">[283]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0560"> S0560 </a> </td> <td> <a href="/versions/v9/software/S0560"> TEARDROP </a> </td> <td> <p><a href="/versions/v9/software/S0560">TEARDROP</a> created and read from a file with a fake JPG header, and its payload was encrypted with a simple rotating XOR cipher.<span onclick=scrollToRef('scite-274') id="scite-ref-274-a" class="scite-citeref-number" data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="273" aria-describedby="qtip-273">[274]</a></sup></span><span onclick=scrollToRef('scite-284') id="scite-ref-284-a" class="scite-citeref-number" data-reference="Check Point Sunburst Teardrop December 2020"><sup><a href="https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/" target="_blank" data-hasqtip="283" aria-describedby="qtip-283">[284]</a></sup></span><span onclick=scrollToRef('scite-228') id="scite-ref-228-a" class="scite-citeref-number" data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="227" aria-describedby="qtip-227">[228]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0027"> G0027 </a> </td> <td> <a href="/versions/v9/groups/G0027"> Threat Group-3390 </a> </td> <td> <p>A <a href="/versions/v9/groups/G0027">Threat Group-3390</a> tool can encrypt payloads using XOR. <a href="/versions/v9/groups/G0027">Threat Group-3390</a> malware is also obfuscated using Metasploit’s shikata_ga_nai encoder as well as compressed with LZNT1 compression.<span onclick=scrollToRef('scite-285') id="scite-ref-285-a" class="scite-citeref-number" data-reference="Nccgroup Emissary Panda May 2018"><sup><a href="https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/" target="_blank" data-hasqtip="284" aria-describedby="qtip-284">[285]</a></sup></span><span onclick=scrollToRef('scite-286') id="scite-ref-286-a" class="scite-citeref-number" data-reference="Securelist LuckyMouse June 2018"><sup><a href="https://securelist.com/luckymouse-hits-national-data-center/86083/" target="_blank" data-hasqtip="285" aria-describedby="qtip-285">[286]</a></sup></span><span onclick=scrollToRef('scite-287') id="scite-ref-287-a" class="scite-citeref-number" data-reference="Unit42 Emissary Panda May 2019"><sup><a href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" target="_blank" data-hasqtip="286" aria-describedby="qtip-286">[287]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0131"> S0131 </a> </td> <td> <a href="/versions/v9/software/S0131"> TINYTYPHON </a> </td> <td> <p><a href="/versions/v9/software/S0131">TINYTYPHON</a> has used XOR with 0x90 to obfuscate its configuration file.<span onclick=scrollToRef('scite-288') id="scite-ref-288-a" class="scite-citeref-number" data-reference="Forcepoint Monsoon"><sup><a href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank" data-hasqtip="287" aria-describedby="qtip-287">[288]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0266"> S0266 </a> </td> <td> <a href="/versions/v9/software/S0266"> TrickBot </a> </td> <td> <p><a href="/versions/v9/software/S0266">TrickBot</a> uses non-descriptive names to hide functionality and uses an AES CBC (256 bits) encryption algorithm for its loader and configuration files.<span onclick=scrollToRef('scite-289') id="scite-ref-289-a" class="scite-citeref-number" data-reference="S2 Grupo TrickBot June 2017"><sup><a href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank" data-hasqtip="288" aria-describedby="qtip-288">[289]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0094"> S0094 </a> </td> <td> <a href="/versions/v9/software/S0094"> Trojan.Karagany </a> </td> <td> <p><a href="/versions/v9/software/S0094">Trojan.Karagany</a> can base64 encode and AES-128-CBC encrypt data prior to transmission.<span onclick=scrollToRef('scite-290') id="scite-ref-290-a" class="scite-citeref-number" data-reference="Secureworks Karagany July 2019"><sup><a href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank" data-hasqtip="289" aria-describedby="qtip-289">[290]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0081"> G0081 </a> </td> <td> <a href="/versions/v9/groups/G0081"> Tropic Trooper </a> </td> <td> <p><a href="/versions/v9/groups/G0081">Tropic Trooper</a> has encrypted configuration files.<span onclick=scrollToRef('scite-291') id="scite-ref-291-a" class="scite-citeref-number" data-reference="TrendMicro Tropic Trooper Mar 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/" target="_blank" data-hasqtip="290" aria-describedby="qtip-290">[291]</a></sup></span><span onclick=scrollToRef('scite-292') id="scite-ref-292-a" class="scite-citeref-number" data-reference="TrendMicro Tropic Trooper May 2020"><sup><a href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank" data-hasqtip="291" aria-describedby="qtip-291">[292]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0010"> G0010 </a> </td> <td> <a href="/versions/v9/groups/G0010"> Turla </a> </td> <td> <p><a href="/versions/v9/groups/G0010">Turla</a> has used encryption (including salted 3DES via <a href="/versions/v9/software/S0194">PowerSploit</a>'s <code>Out-EncryptedScript.ps1</code>), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.<span onclick=scrollToRef('scite-220') id="scite-ref-220-a" class="scite-citeref-number" data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="219" aria-describedby="qtip-219">[220]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0263"> S0263 </a> </td> <td> <a href="/versions/v9/software/S0263"> TYPEFRAME </a> </td> <td> <p>APIs and strings in some <a href="/versions/v9/software/S0263">TYPEFRAME</a> variants are RC4 encrypted. Another variant is encoded with XOR.<span onclick=scrollToRef('scite-293') id="scite-ref-293-a" class="scite-citeref-number" data-reference="US-CERT TYPEFRAME June 2018"><sup><a href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank" data-hasqtip="292" aria-describedby="qtip-292">[293]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0333"> S0333 </a> </td> <td> <a href="/versions/v9/software/S0333"> UBoatRAT </a> </td> <td> <p><a href="/versions/v9/software/S0333">UBoatRAT</a> encrypts instructions in the payload using a simple XOR cipher.<span onclick=scrollToRef('scite-294') id="scite-ref-294-a" class="scite-citeref-number" data-reference="PaloAlto UBoatRAT Nov 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" target="_blank" data-hasqtip="293" aria-describedby="qtip-293">[294]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0386"> S0386 </a> </td> <td> <a href="/versions/v9/software/S0386"> Ursnif </a> </td> <td> <p><a href="/versions/v9/software/S0386">Ursnif</a> has used an XOR-based algorithm to encrypt Tor clients dropped to disk.<span onclick=scrollToRef('scite-295') id="scite-ref-295-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="294" aria-describedby="qtip-294">[295]</a></sup></span> <a href="/versions/v9/software/S0386">Ursnif</a> droppers have also been delivered as password-protected zip files that execute base64 encoded <a href="/versions/v9/techniques/T1059/001">PowerShell</a> commands.<span onclick=scrollToRef('scite-296') id="scite-ref-296-a" class="scite-citeref-number" data-reference="Bromium Ursnif Mar 2017"><sup><a href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank" data-hasqtip="295" aria-describedby="qtip-295">[296]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0136"> S0136 </a> </td> <td> <a href="/versions/v9/software/S0136"> USBStealer </a> </td> <td> <p>Most strings in <a href="/versions/v9/software/S0136">USBStealer</a> are encrypted using 3DES and XOR and reversed.<span onclick=scrollToRef('scite-297') id="scite-ref-297-a" class="scite-citeref-number" data-reference="ESET Sednit USBStealer 2014"><sup><a href="http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/" target="_blank" data-hasqtip="296" aria-describedby="qtip-296">[297]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0476"> S0476 </a> </td> <td> <a href="/versions/v9/software/S0476"> Valak </a> </td> <td> <p><a href="/versions/v9/software/S0476">Valak</a> has the ability to base64 encode and XOR encrypt strings.<span onclick=scrollToRef('scite-298') id="scite-ref-298-a" class="scite-citeref-number" data-reference="Cybereason Valak May 2020"><sup><a href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank" data-hasqtip="297" aria-describedby="qtip-297">[298]</a></sup></span><span onclick=scrollToRef('scite-282') id="scite-ref-282-a" class="scite-citeref-number" data-reference="Unit 42 Valak July 2020"><sup><a href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank" data-hasqtip="281" aria-describedby="qtip-281">[282]</a></sup></span><span onclick=scrollToRef('scite-299') id="scite-ref-299-a" class="scite-citeref-number" data-reference="SentinelOne Valak June 2020"><sup><a href="https://assets.sentinelone.com/labs/sentinel-one-valak-i " target="_blank" data-hasqtip="298" aria-describedby="qtip-298">[299]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0257"> S0257 </a> </td> <td> <a href="/versions/v9/software/S0257"> VERMIN </a> </td> <td> <p><a href="/versions/v9/software/S0257">VERMIN</a> is obfuscated using the obfuscation tool called ConfuserEx.<span onclick=scrollToRef('scite-300') id="scite-ref-300-a" class="scite-citeref-number" data-reference="Unit 42 VERMIN Jan 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank" data-hasqtip="299" aria-describedby="qtip-299">[300]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0180"> S0180 </a> </td> <td> <a href="/versions/v9/software/S0180"> Volgmer </a> </td> <td> <p>A <a href="/versions/v9/software/S0180">Volgmer</a> variant is encoded using a simple XOR cipher.<span onclick=scrollToRef('scite-301') id="scite-ref-301-a" class="scite-citeref-number" data-reference="US-CERT Volgmer 2 Nov 2017"><sup><a href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" target="_blank" data-hasqtip="300" aria-describedby="qtip-300">[301]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0579"> S0579 </a> </td> <td> <a href="/versions/v9/software/S0579"> Waterbear </a> </td> <td> <p><a href="/versions/v9/software/S0579">Waterbear</a> has used RC4 encrypted shellcode.<span onclick=scrollToRef('scite-302') id="scite-ref-302-a" class="scite-citeref-number" data-reference="Trend Micro Waterbear December 2019"><sup><a href="https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html" target="_blank" data-hasqtip="301" aria-describedby="qtip-301">[302]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0107"> G0107 </a> </td> <td> <a href="/versions/v9/groups/G0107"> Whitefly </a> </td> <td> <p><a href="/versions/v9/groups/G0107">Whitefly</a> has encrypted the payload used for C2.<span onclick=scrollToRef('scite-303') id="scite-ref-303-a" class="scite-citeref-number" data-reference="Symantec Whitefly March 2019"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore" target="_blank" data-hasqtip="302" aria-describedby="qtip-302">[303]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0112"> G0112 </a> </td> <td> <a href="/versions/v9/groups/G0112"> Windshift </a> </td> <td> <p><a href="/versions/v9/groups/G0112">Windshift</a> has used string encoding with floating point calculations.<span onclick=scrollToRef('scite-304') id="scite-ref-304-a" class="scite-citeref-number" data-reference="Blackberry Bahamut"><sup><a href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" target="_blank" data-hasqtip="303" aria-describedby="qtip-303">[304]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0466"> S0466 </a> </td> <td> <a href="/versions/v9/software/S0466"> WindTail </a> </td> <td> <p><a href="/versions/v9/software/S0466">WindTail</a> can be delivered as a compressed, encrypted, and encoded payload.<span onclick=scrollToRef('scite-305') id="scite-ref-305-a" class="scite-citeref-number" data-reference="objective-see windtail2 jan 2019"><sup><a href="https://objective-see.com/blog/blog_0x3D.html" target="_blank" data-hasqtip="304" aria-describedby="qtip-304">[305]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0430"> S0430 </a> </td> <td> <a href="/versions/v9/software/S0430"> Winnti for Linux </a> </td> <td> <p><a href="/versions/v9/software/S0430">Winnti for Linux</a> can encode its configuration file with single-byte XOR encoding.<span onclick=scrollToRef('scite-306') id="scite-ref-306-a" class="scite-citeref-number" data-reference="Chronicle Winnti for Linux May 2019"><sup><a href="https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a" target="_blank" data-hasqtip="305" aria-describedby="qtip-305">[306]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/groups/G0102"> G0102 </a> </td> <td> <a href="/versions/v9/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/versions/v9/groups/G0102">Wizard Spider</a> used Base64 encoding to obfuscate an <a href="/versions/v9/software/S0363">Empire</a> service and PowerShell commands.<span onclick=scrollToRef('scite-307') id="scite-ref-307-a" class="scite-citeref-number" data-reference="FireEye Ryuk and Trickbot January 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" target="_blank" data-hasqtip="306" aria-describedby="qtip-306">[307]</a></sup></span><span onclick=scrollToRef('scite-308') id="scite-ref-308-a" class="scite-citeref-number" data-reference="DFIR Ryuk's Return October 2020"><sup><a href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank" data-hasqtip="307" aria-describedby="qtip-307">[308]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0117"> S0117 </a> </td> <td> <a href="/versions/v9/software/S0117"> XTunnel </a> </td> <td> <p>A version of <a href="/versions/v9/software/S0117">XTunnel</a> introduced in July 2015 obfuscated the binary using opaque predicates and other techniques in a likely attempt to obfuscate it and bypass security products.<span onclick=scrollToRef('scite-309') id="scite-ref-309-a" class="scite-citeref-number" data-reference="ESET Sednit Part 2"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="308" aria-describedby="qtip-308">[309]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0388"> S0388 </a> </td> <td> <a href="/versions/v9/software/S0388"> YAHOYAH </a> </td> <td> <p><a href="/versions/v9/software/S0388">YAHOYAH</a> encrypts its configuration file using a simple algorithm.<span onclick=scrollToRef('scite-310') id="scite-ref-310-a" class="scite-citeref-number" data-reference="TrendMicro TropicTrooper 2015"><sup><a href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" target="_blank" data-hasqtip="309" aria-describedby="qtip-309">[310]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0230"> S0230 </a> </td> <td> <a href="/versions/v9/software/S0230"> ZeroT </a> </td> <td> <p><a href="/versions/v9/software/S0230">ZeroT</a> has encrypted its payload with RC4.<span onclick=scrollToRef('scite-311') id="scite-ref-311-a" class="scite-citeref-number" data-reference="Proofpoint ZeroT Feb 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank" data-hasqtip="310" aria-describedby="qtip-310">[311]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v9/software/S0330"> S0330 </a> </td> <td> <a href="/versions/v9/software/S0330"> Zeus Panda </a> </td> <td> <p><a href="/versions/v9/software/S0330">Zeus Panda</a> encrypts strings with XOR and obfuscates the macro code from the initial payload. <a href="/versions/v9/software/S0330">Zeus Panda</a> also encrypts all configuration and settings in AES and RC4.<span onclick=scrollToRef('scite-312') id="scite-ref-312-a" class="scite-citeref-number" data-reference="Talos Zeus Panda Nov 2017"><sup><a href="https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More" target="_blank" data-hasqtip="311" aria-describedby="qtip-311">[312]</a></sup></span><span onclick=scrollToRef('scite-313') id="scite-ref-313-a" class="scite-citeref-number" data-reference="GDATA Zeus Panda June 2017"><sup><a href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank" data-hasqtip="312" aria-describedby="qtip-312">[313]</a></sup></span></p> </td> </tr> </tbody> </table> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v9/mitigations/M1049"> M1049 </a> </td> <td> <a href="/versions/v9/mitigations/M1049"> Antivirus/Antimalware </a> </td> <td> <p>Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10 to analyze commands after being processed/interpreted. <span onclick=scrollToRef('scite-314') id="scite-ref-314-a" class="scite-citeref-number" data-reference="Microsoft AMSI June 2015"><sup><a href="https://cloudblogs.microsoft.com/microsoftsecure/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/?source=mmpc" target="_blank" data-hasqtip="313" aria-describedby="qtip-313">[314]</a></sup></span></p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="detection">Detection</h2> <div> <p>Detection of file obfuscation is difficult unless artifacts are left behind by the obfuscation process that are uniquely detectable with a signature. If detection of the obfuscation itself is not possible, it may be possible to detect the malicious activity that caused the obfuscated file (for example, the method that was used to write, read, or modify the file on the file system). </p><p>Flag and analyze commands containing indicators of obfuscation and known suspicious syntax such as uninterpreted escape characters like '''^''' and '''"'''. Windows' Sysmon and Event ID 4688 displays command-line arguments for processes. Deobfuscation tools can be used to detect these indicators in files/payloads. <span onclick=scrollToRef('scite-315') id="scite-ref-315-a" class="scite-citeref-number" data-reference="GitHub Revoke-Obfuscation"><sup><a href="https://github.com/danielbohannon/Revoke-Obfuscation" target="_blank" data-hasqtip="314" aria-describedby="qtip-314">[315]</a></sup></span> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye Revoke-Obfuscation July 2017"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span> <span onclick=scrollToRef('scite-316') id="scite-ref-316-a" class="scite-citeref-number" data-reference="GitHub Office-Crackros Aug 2016"><sup><a href="https://github.com/itsreallynick/office-crackros" target="_blank" data-hasqtip="315" aria-describedby="qtip-315">[316]</a></sup></span> </p><p>Obfuscation used in payloads for Initial Access can be detected at the network. Use network intrusion detection systems and email gateway filtering to identify compressed and encrypted attachments and scripts. Some email attachment detonation systems can open compressed and encrypted attachments. Payloads delivered over an encrypted connection from a website require encrypted network traffic inspection. </p><p>The first detection of a malicious tool may trigger an anti-virus or other security tool alert. Similar events may also occur at the boundary through network IDS, email scanning appliance, etc. The initial detection should be treated as an indication of a potentially more invasive intrusion. The alerting system should be thoroughly investigated beyond that initial alert for activity that was not detected. Adversaries may continue with an operation, assuming that individual events like an anti-virus detect will not be investigated or that an analyst will not be able to conclusively link that event to other activity occurring on the network. </p> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.volexity.com/blog/2016/11/09/powerduke-post-election-spear-phishing-campaigns-targeting-think-tanks-and-ngos/" target="_blank"> Adair, S.. (2016, November 9). PowerDuke: Widespread Post-Election Spear Phishing Campaigns Targeting Think Tanks and NGOs. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.welivesecurity.com/2013/04/26/linuxcdorked-new-apache-backdoor-in-the-wild-serves-blackhole/" target="_blank"> Pierre-Marc Bureau. (2013, April 26). Linux/Cdorked.A: New Apache backdoor being used in the wild to serve Blackhole. Retrieved September 10, 2017. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.carbonblack.com/2016/09/23/security-advisory-variants-well-known-adware-families-discovered-include-sophisticated-obfuscation-techniques-previously-associated-nation-state-attacks/" target="_blank"> Tedesco, B. (2016, September 23). Security Alert Summary. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank"> Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.fireeye.com/content/dam/fireeye-www/blog/pdfs/revoke-obfuscation-report.pdf" target="_blank"> Bohannon, D. & Holmes, L. (2017, July 27). Revoke-Obfuscation: PowerShell Obfuscation Detection Using Science. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://researchcenter.paloaltonetworks.com/2017/03/unit42-pulling-back-the-curtains-on-encodedcommand-powershell-attacks/" target="_blank"> White, J. (2017, March 10). Pulling Back the Curtains on EncodedCommand PowerShell Attacks. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://securelist.com/sofacy-apt-hits-high-profile-targets-with-updated-toolset/72924/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2015, December 4). Sofacy APT hits high profile targets with updated toolset. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://download.bitdefender.com/resources/media/materials/white-papers/en/Bitdefender_In-depth_analysis_of_APT28%E2%80%93The_Political_Cyber-Espionage.pdf" target="_blank"> Bitdefender. (2015, December). APT28 Under the Scope. Retrieved February 23, 2017. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.fortinet.com/blog/threat-research/analysis-of-new-agent-tesla-spyware-variant.html" target="_blank"> Zhang, X. (2018, April 05). Analysis of New Agent Tesla Spyware Variant. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://blog.malwarebytes.com/threat-analysis/2020/04/new-agenttesla-variant-steals-wifi-credentials/" target="_blank"> Jazi, H. (2020, April 16). New AgentTesla variant steals WiFi credentials. Retrieved May 19, 2020. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank"> QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank"> Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html" target="_blank"> Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-sofacy-attacks-multiple-government-entities/" target="_blank"> Lee, B, et al. (2018, February 28). Sofacy Attacks Multiple Government Entities. Retrieved March 15, 2018. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-sofacy-groups-parallel-attacks/" target="_blank"> Lee, B., Falcone, R. (2018, June 06). Sofacy Group’s Parallel Attacks. Retrieved June 18, 2018. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://blog.talosintelligence.com/2017/10/cyber-conflict-decoy-document.html" target="_blank"> Mercer, W., et al. (2017, October 22). "Cyber Conflict" Decoy Document Used in Real Cyber Conflict. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank"> Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank"> Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank"> Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank"> Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank"> Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.welivesecurity.com/2018/03/13/oceanlotus-ships-new-backdoor/" target="_blank"> Foltýn, T. (2018, March 13). OceanLotus ships new backdoor using old tricks. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.cybereason.com/blog/operation-cobalt-kitty-apt" target="_blank"> Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank"> Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.welivesecurity.com/2019/04/09/oceanlotus-macos-malware-update/" target="_blank"> Dumont, R.. (2019, April 9). OceanLotus: macOS malware update. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.fireeye.com/blog/threat-research/2018/12/overruled-containing-a-potentially-destructive-adversary.html" target="_blank"> Ackerman, G., et al. (2018, December 21). OVERRULED: Containing a Potentially Destructive Adversary. Retrieved January 17, 2019. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://blog.talosintelligence.com/2018/01/korea-in-crosshairs.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, January 16). Korea In The Crosshairs. Retrieved May 21, 2018. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://securelist.com/scarcruft-continues-to-evolve-introduces-bluetooth-harvester/90729/" target="_blank"> GReAT. (2019, May 13). ScarCruft continues to evolve, introduces Bluetooth harvester. Retrieved June 4, 2019. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank"> FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.fireeye.com/blog/threat-research/2020/03/apt41-initiates-global-intrusion-campaign-using-multiple-exploits.html" target="_blank"> Glyer, C, et al. (2020, March). This Is Not a Test: APT41 Initiates Global Intrusion Campaign Using Multiple Exploits. Retrieved April 28, 2020. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://research.checkpoint.com/2020/naikon-apt-cyber-espionage-reloaded/" target="_blank"> CheckPoint. (2020, May 7). Naikon APT: Cyber Espionage Reloaded. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank"> Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://securelist.com/the-tetrade-brazilian-banking-malware/97779/" target="_blank"> GReAT. (2020, July 14). The Tetrade: Brazilian banking malware goes global. Retrieved November 9, 2020. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank"> Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-continues-heists-mounts-attacks-on-financial-organizations-in-latin-america/" target="_blank"> Trend Micro. (2018, November 20). Lazarus Continues Heists, Mounts Attacks on Financial Organizations in Latin America. Retrieved December 3, 2018. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://documents.trendmicro.com/assets/pdf/Operation-ENDTRADE-TICK-s-Multi-Stage-Backdoors-for-Attacking-Industries-and-Stealing-Classified-Data.pdf" target="_blank"> Chen, J. et al. (2019, November). Operation ENDTRADE: TICK’s Multi-Stage Backdoors for Attacking Industries and Stealing Classified Data. Retrieved June 9, 2020. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank"> Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank"> Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://unit42.paloaltonetworks.com/bendybear-shellcode-blacktech/" target="_blank"> Harbison, M. (2021, February 9). BendyBear: Novel Chinese Shellcode Linked With Cyber Espionage Group BlackTech. Retrieved February 16, 2021. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-bisonal-malware-used-attacks-russia-south-korea/" target="_blank"> Hayashi, K., Ray, V. (2018, July 31). Bisonal Malware Used in Attacks Against Russia and South Korea. Retrieved August 7, 2018. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.crowdstrike.com/blog/big-game-hunting-the-evolution-of-indrik-spider-from-dridex-wire-fraud-to-bitpaymer-targeted-ransomware/" target="_blank"> Frankoff, S., Hartley, B. (2018, November 14). Big Game Hunting: The Evolution of INDRIK SPIDER From Dridex Wire Fraud to BitPaymer Targeted Ransomware. Retrieved January 6, 2021. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://securelist.com/blackoasis-apt-and-new-targeted-attacks-leveraging-zero-day-exploit/82732/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2017, October 16). BlackOasis APT and new targeted attacks leveraging zero-day exploit. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank"> US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank"> Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.fireeye.com/blog/threat-research/2019/10/mahalo-fin7-responding-to-new-tools-and-techniques.html" target="_blank"> Carr, N, et all. (2019, October 10). Mahalo FIN7: Responding to the Criminal Operators’ New Tools and Techniques. Retrieved October 11, 2019. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://mackeeper.com/blog/post/610-macos-bundlore-adware-analysis/" target="_blank"> Sushko, O. (2019, April 17). macOS Bundlore: Mac Virus Bypassing macOS Security Features. Retrieved June 30, 2020. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.fireeye.com/blog/threat-research/2017/06/behind-the-carbanak-backdoor.html" target="_blank"> Bennett, J., Vengerik, B. (2017, June 12). Behind the CARBANAK Backdoor. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank"> Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank"> ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.accenture.com/us-en/blogs/cyber-defense/turla-belugasturgeon-compromises-government-entity" target="_blank"> Accenture. (2020, October). Turla uses HyperStack, Carbon, and Kazuar to compromise government entity. Retrieved December 2, 2020. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://researchcenter.paloaltonetworks.com/2017/04/unit42-cardinal-rat-active-two-years/" target="_blank"> Grunzweig, J.. (2017, April 20). Cardinal RAT Active for Over Two Years. Retrieved December 8, 2018. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://unit42.paloaltonetworks.com/the-fractured-statue-campaign-u-s-government-targeted-in-spear-phishing-attacks/" target="_blank"> McCabe, A. (2020, January 23). The Fractured Statue Campaign: U.S. Government Agency Targeted in Spear-Phishing Attacks. Retrieved June 2, 2020. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" target="_blank"> Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://cycraft.com/download/%5BTLP-White%5D20200415%20Chimera_V4.1.pdf" target="_blank"> Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank"> Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://blog.morphisec.com/cobalt-gang-2.0" target="_blank"> Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href=" https://talos-intelligence-site.s3.amazonaws.com/production/document_files/files/000/095/031/original/Talos_Cobalt_Strike.pdf" target="_blank"> Mavis, N. (2020, September 21). The Art and Science of Detecting Cobalt Strike. Retrieved April 6, 2021. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://blog.malwarebytes.com/threat-analysis/2018/10/mac-cryptocurrency-ticker-app-installs-backdoors/" target="_blank"> Thomas Reed. (2018, October 29). Mac cryptocurrency ticker app installs backdoors. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-comnie-continues-target-organizations-east-asia/" target="_blank"> Grunzweig, J. (2018, January 31). Comnie Continues to Target Organizations in East Asia. Retrieved June 7, 2018. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank"> Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a" target="_blank"> CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.carbonblack.com/blog/tau-threat-discovery-conti-ransomware/" target="_blank"> Baskin, B. (2020, July 8). TAU Threat Discovery: Conti Ransomware. Retrieved February 17, 2021. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.cybereason.com/blog/cybereason-vs.-conti-ransomware" target="_blank"> Rochberger, L. (2021, January 12). Cybereason vs. Conti Ransomware. Retrieved February 17, 2021. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank"> Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/rpt-apt28.pdf" target="_blank"> FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://blog-assets.f-secure.com/wp-content/uploads/2019/10/15163418/CozyDuke.pdf" target="_blank"> F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-dacls-rat-backdoor-show-lazarus-multi-platform-attack-capability/" target="_blank"> Mabutas, G. (2020, May 11). New MacOS Dacls RAT Backdoor Shows Lazarus’ Multi-Platform Attack Capability. Retrieved August 10, 2020. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://info.lookout.com/rs/051-ESQ-475/images/Lookout_Dark-Caracal_srr_20180118_us_v.1.0.pdf" target="_blank"> Blaich, A., et al. (2018, January 18). Dark Caracal: Cyber-espionage at a Global Scale. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://securelist.com/darkhotels-attacks-in-2015/71713/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2015, August 10). Darkhotel's attacks in 2015. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.microsoft.com/security/blog/2016/07/14/reverse-engineering-dubnium-stage-2-payload-analysis/" target="_blank"> Microsoft. (2016, July 14). Reverse engineering DUBNIUM – Stage 2 payload analysis . Retrieved March 31, 2021. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="http://blog.trendmicro.com/trendlabs-security-intelligence/redbaldknight-bronze-butler-daserf-backdoor-now-using-steganography/" target="_blank"> Chen, J. and Hsieh, M. (2017, November 7). REDBALDKNIGHT/BRONZE BUTLER’s Daserf Backdoor Now Using Steganography. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://securelist.com/use-of-dns-tunneling-for-cc-communications/78203/" target="_blank"> Shulmin, A., Yunakovsky, S. (2017, April 28). Use of DNS Tunneling for C&C Communications. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://researchcenter.paloaltonetworks.com/2018/10/unit42-nokki-almost-ties-the-knot-with-dogcall-reaper-group-uses-new-malware-to-deploy-rat/" target="_blank"> Grunzweig, J. (2018, October 01). NOKKI Almost Ties the Knot with DOGCALL: Reaper Group Uses New Malware to Deploy RAT. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank"> NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://securelist.com/my-name-is-dtrack/93338/" target="_blank"> Konstantin Zykov. (2019, September 23). Hello! My name is Dtrack. Retrieved January 20, 2021. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://www.cylance.com/content/dam/cylance/pdfs/reports/Op_Dust_Storm_Report.pdf" target="_blank"> Gross, J. (2016, February 23). Operation Dust Storm. Retrieved September 19, 2017. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank"> ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://www.welivesecurity.com/2014/02/21/an-in-depth-analysis-of-linuxebury/" target="_blank"> M.Léveillé, M.. (2014, February 21). An In-depth Analysis of Linux/Ebury. Retrieved April 19, 2019. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-239a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2020, August 26). MAR-10301706-1.v1 - North Korean Remote Access Tool: ECCENTRICBANDWAGON. Retrieved March 18, 2021. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://web.archive.org/web/20190717233006/http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/the-elderwood-project.pdf" target="_blank"> O'Gorman, G., and McDonald, G.. (2012, September 6). The Elderwood Project. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://www.paloaltonetworks.com/resources/research/unit42-operation-lotus-blossom.html" target="_blank"> Falcone, R., et al.. (2015, June 16). Operation Lotus Blossom. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="http://researchcenter.paloaltonetworks.com/2015/12/attack-on-french-diplomat-linked-to-operation-lotus-blossom/" target="_blank"> Falcone, R. and Miller-Osborn, J.. (2015, December 18). Attack on French Diplomat Linked to Operation Lotus Blossom. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="http://researchcenter.paloaltonetworks.com/2016/02/emissary-trojan-changelog-did-operation-lotus-blossom-cause-it-to-evolve/" target="_blank"> Falcone, R. and Miller-Osborn, J.. (2016, February 3). Emissary Trojan Changelog: Did Operation Lotus Blossom Cause It to Evolve?. Retrieved February 15, 2016. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://blog.talosintelligence.com/2019/01/return-of-emotet.html" target="_blank"> Brumaghin, E.. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" target="_blank"> Trend Micro. (2019, January 16). Exploring Emotet's Activities . Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html" target="_blank"> Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://www.welivesecurity.com/2018/12/28/analysis-latest-emotet-propagation-campaign/" target="_blank"> Perez, D.. (2018, December 28). Analysis of the latest Emotet propagation campaign. Retrieved April 16, 2019. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://github.com/EmpireProject/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://www.welivesecurity.com/2018/10/11/new-telebots-backdoor-linking-industroyer-notpetya/" target="_blank"> Cherepanov, A., Lipovsky, R. (2018, October 11). New TeleBots backdoor: First evidence linking Industroyer to NotPetya. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-005.pdf" target="_blank"> ANSSI. (2021, January 27). SANDWORM INTRUSION SET CAMPAIGN TARGETING CENTREON SYSTEMS. Retrieved March 30, 2021. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Operation_Ghost_Dukes.pdf" target="_blank"> Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://www.fireeye.com/blog/threat-research/2018/07/microsoft-office-vulnerabilities-used-to-distribute-felixroot-backdoor.html" target="_blank"> Patil, S. (2018, June 26). Microsoft Office Vulnerabilities Used to Distribute FELIXROOT Backdoor in Recent Campaign. Retrieved July 31, 2018. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank"> Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" target="_blank"> Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" target="_blank"> Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="http://www.finfisher.com/FinFisher/index.html" target="_blank"> FinFisher. (n.d.). Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://cloudblogs.microsoft.com/microsoftsecure/2018/03/01/finfisher-exposed-a-researchers-tale-of-defeating-traps-tricks-and-complex-virtual-machines/" target="_blank"> Allievi, A.,Flori, E. (2018, March 01). FinFisher exposed: A researcher’s tale of defeating traps, tricks, and complex virtual machines. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank"> Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank"> CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank"> Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://objective-see.com/blog/blog_0x25.html" target="_blank"> Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://vms.drweb.com/virus/?i=4276269" target="_blank"> Doctor Web. (2014, November 21). Linux.BackDoor.Fysbis.1. Retrieved December 7, 2017. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://www.symantec.com/blogs/threat-intelligence/gallmaker-attack-group" target="_blank"> Symantec Security Response. (2018, October 10). Gallmaker: New Attack Group Eschews Malware to Live off the Land. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank"> Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://securelist.com/introducing-whitebear/81638/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. </a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis" target="_blank"> Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/goldenspy-chapter-two-the-uninstaller/" target="_blank"> Trustwave SpiderLabs. (2020, June 26). GoldenSpy: Chapter Two – The Uninstaller. Retrieved July 23, 2020. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank"> Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank"> ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get?. Retrieved November 13, 2020. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://citizenlab.ca/2016/08/group5-syria/" target="_blank"> Scott-Railton, J., et al. (2016, August 2). Group5: Syria and the Iranian Connection. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="http://blogs.cisco.com/security/h1n1-technical-analysis-reveals-new-capabilities" target="_blank"> Reynolds, J.. (2016, September 13). H1N1: Technical analysis reveals new capabilities. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://threatpost.com/spammers-revive-hancitor-downloader-campaigns/123011/" target="_blank"> Tom Spring. (2017, January 11). Spammers Revive Hancitor Downloader Campaigns. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://www.fireeye.com/blog/threat-research/2016/09/hancitor_aka_chanit.html" target="_blank"> Anubhav, A., Jallepalli, D. (2016, September 23). Hancitor (AKA Chanitor) observed using multiple attack approaches. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" target="_blank"> Patil, S. and Williams, M.. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank"> Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://www.fidelissecurity.com/sites/default/files/FTA_1020_Fidelis_Inocnation_FINAL_0.pdf" target="_blank"> Fidelis Cybersecurity. (2015, December 16). Fidelis Threat Advisory #1020: Dissecting the Malware Involved in the INOCNATION Campaign. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="https://www.intezer.com/blog-hiddenwasp-malware-targeting-linux-systems/" target="_blank"> Sanmillan, I. (2019, May 29). HiddenWasp Malware Stings Targeted Linux Systems. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank"> Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank"> Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://unit42.paloaltonetworks.com/hildegard-malware-teamtnt/" target="_blank"> Chen, J. et al. (2021, February 3). Hildegard: New TeamTNT Cryptojacking Malware Targeting Kubernetes. Retrieved April 5, 2021. </a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://www.fireeye.com/blog/threat-research/2018/03/suspected-chinese-espionage-group-targeting-maritime-and-engineering-industries.html" target="_blank"> FireEye. (2018, March 16). Suspected Chinese Cyber Espionage Group (TEMP.Periscope) Targeting U.S. Engineering and Maritime Industries. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank"> Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank"> Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. </a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="https://www.secureworks.com/research/threat-group-3390-targets-organizations-for-cyberespionage" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, August 5). Threat Group-3390 Targets Organizations for Cyberespionage. Retrieved August 18, 2018. </a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="https://www.symantec.com/connect/blogs/trojanhydraq-incident" target="_blank"> Symantec Security Response. (2010, January 18). The Trojan.Hydraq Incident. Retrieved February 20, 2018. </a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware" target="_blank"> Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. </a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://securelist.com/cloud-atlas-redoctober-apt-is-back-in-style/68083/" target="_blank"> GReAT. (2014, December 10). Cloud Atlas: RedOctober APT is back in style. Retrieved May 8, 2020. </a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="https://asert.arbornetworks.com/innaput-actors-utilize-remote-access-trojan-since-2016-presumably-targeting-victim-files/" target="_blank"> ASERT Team. (2018, April 04). Innaput Actors Utilize Remote Access Trojan Since 2016, Presumably Targeting Victim Files. Retrieved July 9, 2018. </a> </span> </span> </li> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="https://www.welivesecurity.com/2018/06/07/invisimole-equipped-spyware-undercover/" target="_blank"> Hromcová, Z. (2018, June 07). InvisiMole: Surprisingly equipped spyware, undercover since 2013. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://github.com/peewpw/Invoke-PSImage" target="_blank"> Adams, B. (2017, December 17). Invoke-PSImage. Retrieved April 10, 2018. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href=" https://unit42.paloaltonetworks.com/ironnetinjector/" target="_blank"> Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021. </a> </span> </span> </li> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/" target="_blank"> Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018. </a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://labsblog.f-secure.com/2015/09/08/sofacy-recycles-carberp-and-metasploit-code/" target="_blank"> F-Secure. (2015, September 8). Sofacy Recycles Carberp and Metasploit Code. Retrieved August 3, 2016. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://download.microsoft.com/download/2/2/5/225BFE3E-E1DE-4F5B-A77B-71200928D209/Platinum%20feature%20article%20-%20Targeted%20attacks%20in%20South%20and%20Southeast%20Asia%20April%202016.pdf" target="_blank"> Windows Defender Advanced Threat Hunting Team. (2016, April 29). PLATINUM: Targeted attacks in South and Southeast Asia. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" target="_blank"> Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018. </a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://www.symantec.com/connect/blogs/cross-platform-frutas-rat-builder-and-back-door" target="_blank"> Bingham, J. (2013, February 11). Cross-Platform Frutas RAT Builder and Back Door. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank"> Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank"> Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE A landscape of OpenSSH backdoors. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="https://citizenlab.ca/2016/11/parliament-keyboy/" target="_blank"> Hulcoop, A., et al. (2016, November 17). It’s Parliamentary KeyBoy and the targeting of the Tibetan Community. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-151" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-151" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-152" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-152" href="https://threatconnect.com/blog/kimsuky-phishing-operations-putting-in-work/" target="_blank"> ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020. </a> </span> </span> </li> <li> <span id="scite-153" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-153" href="https://www.virusbulletin.com/virusbulletin/2020/03/vb2019-paper-kimsuky-group-tracking-king-spearphishing/" target="_blank"> Kim, J. et al. (2019, October). KIMSUKY GROUP: TRACKING THE KING OF THE SPEAR PHISHING. Retrieved November 2, 2020. </a> </span> </span> </li> <li> <span id="scite-154" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-154" href="https://www.symantec.com/security-center/writeup/2016-081923-2700-99" target="_blank"> Moench, B. and Aboud, E. (2016, August 23). Trojan.Kwampirs. Retrieved May 10, 2018. </a> </span> </span> </li> <li> <span id="scite-155" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-155" href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. </a> </span> </span> </li> <li> <span id="scite-156" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-156" href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. </a> </span> </span> </li> <li> <span id="scite-157" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-157" href="https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. </a> </span> </span> </li> <li> <span id="scite-158" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-158" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank"> Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="159.0"> <li> <span id="scite-159" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-159" href="https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" target="_blank"> Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. </a> </span> </span> </li> <li> <span id="scite-160" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-160" href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank"> Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-161" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-161" href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank"> Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. </a> </span> </span> </li> <li> <span id="scite-162" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-162" href="https://insights.infoblox.com/threat-intelligence-reports/threat-intelligence--22" target="_blank"> Hoang, M. (2019, January 31). Malicious Activity Report: Elements of Lokibot Infostealer. Retrieved May 15, 2020. </a> </span> </span> </li> <li> <span id="scite-163" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-163" href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank"> Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-164" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-164" href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank"> The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-165" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-165" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-166" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-166" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank"> Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-167" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-167" href="https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" target="_blank"> Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017. </a> </span> </span> </li> <li> <span id="scite-168" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-168" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/" target="_blank"> Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-169" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-169" href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank"> Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-170" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-170" href="https://www.accenture.com/t20180423T055005Z_w_/se-en/_acnmedia/PDF-76/Accenture-Hogfish-Threat-Analysis.pdf" target="_blank"> Accenture Security. (2018, April 23). Hogfish Redleaves Campaign. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-171" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-171" href="https://www.fireeye.com/blog/threat-research/2018/09/apt10-targeting-japanese-corporations-using-updated-ttps.html" target="_blank"> Matsuda, A., Muhammad I. (2018, September 13). APT10 Targeting Japanese Corporations Using Updated TTPs. Retrieved September 17, 2018. </a> </span> </span> </li> <li> <span id="scite-172" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-172" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" target="_blank"> Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. </a> </span> </span> </li> <li> <span id="scite-173" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-173" href="https://medium.com/@chenerlich/the-avast-abuser-metamorfo-banking-malware-hides-by-abusing-avast-executable-ac9b8b392767" target="_blank"> Erlich, C. (2020, April 3). The Avast Abuser: Metamorfo Banking Malware Hides By Abusing Avast Executable. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-174" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-174" href="https://blog.talosintelligence.com/2017/06/palestine-delphi.html" target="_blank"> Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-175" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-175" href="https://blog.radware.com/security/2018/07/micropsia-malware/" target="_blank"> Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-176" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-176" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Yonathan Klijnsma. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-177" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-177" href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank"> GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. </a> </span> </span> </li> <li> <span id="scite-178" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-178" href="https://www.welivesecurity.com/2020/07/09/more-evil-deep-look-evilnum-toolset/" target="_blank"> Porolli, M. (2020, July 9). More evil: A deep look at Evilnum and its toolset. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-179" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-179" href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank"> ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. </a> </span> </span> </li> <li> <span id="scite-180" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-180" href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank"> Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. </a> </span> </span> </li> <li> <span id="scite-181" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-181" href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank"> Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. </a> </span> </span> </li> <li> <span id="scite-182" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-182" href="https://securelist.com/muddywater/88059/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-183" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-183" href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank"> Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-184" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-184" href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank"> ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-185" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-185" href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank"> Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. </a> </span> </span> </li> <li> <span id="scite-186" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-186" href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-june-mustang-panda/" target="_blank"> Meyers, A. (2018, June 15). Meet CrowdStrike’s Adversary of the Month for June: MUSTANG PANDA. Retrieved April 12, 2021. </a> </span> </span> </li> <li> <span id="scite-187" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-187" href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations" target="_blank"> Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. </a> </span> </span> </li> <li> <span id="scite-188" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-188" href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank"> Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-189" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-189" href="https://go.recordedfuture.com/hubfs/reports/cta-2020-0728.pdf" target="_blank"> Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-190" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-190" href="https://www.proofpoint.com/us/blog/threat-insight/ta416-goes-ground-and-returns-golang-plugx-malware-loader" target="_blank"> Proofpoint Threat Research Team. (2020, November 23). TA416 Goes to Ground and Returns with a Golang PlugX Malware Loader. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-191" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-191" href="https://www.f-secure.com/documents/996508/1030745/nanhaishu_whitepaper.pdf" target="_blank"> F-Secure Labs. (2016, July). NANHAISHU RATing the South China Sea. Retrieved July 6, 2018. </a> </span> </span> </li> <li> <span id="scite-192" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-192" href="https://researchcenter.paloaltonetworks.com/2016/02/nanocorerat-behind-an-increase-in-tax-themed-phishing-e-mails/" target="_blank"> Kasza, A., Halfpop, T. (2016, February 09). NanoCoreRAT Behind an Increase in Tax-Themed Phishing E-mails. Retrieved November 9, 2018. </a> </span> </span> </li> <li> <span id="scite-193" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-193" href="https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/" target="_blank"> Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-194" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-194" href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank"> Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-195" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-195" href="https://www.fireeye.com/blog/threat-research/2019/03/dissecting-netwire-phishing-campaign-usage-of-process-hollowing.html" target="_blank"> Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-196" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-196" href="https://securingtomorrow.mcafee.com/wp-content/uploads/2011/02/McAfee_NightDragon_wp_draft_to_customersv1-1.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-197" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-197" href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank"> Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. </a> </span> </span> </li> <li> <span id="scite-198" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-198" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-new-konni-malware-attacking-eurasia-southeast-asia/" target="_blank"> Grunzweig, J., Lee, B. (2018, September 27). New KONNI Malware attacking Eurasia and Southeast Asia. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-199" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-199" href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank"> Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-200" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-200" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank"> Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. </a> </span> </span> </li> <li> <span id="scite-201" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-201" href="https://pan-unit42.github.io/playbook_viewer/" target="_blank"> Unit 42. (2017, December 15). Unit 42 Playbook Viewer. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-202" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-202" href="https://www.crowdstrike.com/blog/meet-crowdstrikes-adversary-of-the-month-for-november-helix-kitten/" target="_blank"> Meyers, A. (2018, November 27). Meet CrowdStrike’s Adversary of the Month for November: HELIX KITTEN. Retrieved December 18, 2018. </a> </span> </span> </li> <li> <span id="scite-203" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-203" href="https://unit42.paloaltonetworks.com/unit42-analyzing-oilrigs-ops-tempo-testing-weaponization-delivery/" target="_blank"> Falcone, R., Wilhoit, K.. (2018, November 16). Analyzing OilRig’s Ops Tempo from Testing to Weaponization to Delivery. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-204" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-204" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank"> Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-205" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-205" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank"> Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. </a> </span> </span> </li> <li> <span id="scite-206" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-206" href="https://resources.fox-it.com/rs/170-CAK-271/images/201912_Report_Operation_Wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-207" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-207" href="https://blog.trendmicro.com/trendlabs-security-intelligence/new-macos-backdoor-linked-to-oceanlotus-found/" target="_blank"> Horejsi, J. (2018, April 04). New MacOS Backdoor Linked to OceanLotus Found. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-208" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-208" href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank"> Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-209" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-209" href="https://www.leonardocompany.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank"> Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. </a> </span> </span> </li> <li> <span id="scite-210" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-210" href="https://www.trustwave.com/en-us/resources/blogs/spiderlabs-blog/pillowmint-fin7s-monkey-thief/" target="_blank"> Trustwave SpiderLabs. (2020, June 22). Pillowmint: FIN7’s Monkey Thief . Retrieved July 27, 2020. </a> </span> </span> </li> <li> <span id="scite-211" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-211" href="https://www.welivesecurity.com/2020/05/21/no-game-over-winnti-group/" target="_blank"> Tartare, M. et al. (2020, May 21). No “Game over” for the Winnti Group. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-212" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-212" href="http://researchcenter.paloaltonetworks.com/2016/05/unit42-new-wekby-attacks-use-dns-requests-as-command-and-control-mechanism/" target="_blank"> Grunzweig, J., et al. (2016, May 24). New Wekby Attacks Use DNS Requests As Command and Control Mechanism. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-213" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-213" href="https://blog.talosintelligence.com/2020/04/poetrat-covid-19-lures.html" target="_blank"> Mercer, W, et al. (2020, April 16). PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors. Retrieved April 27, 2020. </a> </span> </span> </li> <li> <span id="scite-214" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-214" href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank"> Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves . Retrieved April 9, 2021. </a> </span> </span> </li> <li> <span id="scite-215" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-215" href="https://www.symantec.com/security_response/writeup.jsp?docid=2005-081910-3934-99" target="_blank"> Hayashi, K. (2005, August 18). Backdoor.Darkmoon. Retrieved February 23, 2018. </a> </span> </span> </li> <li> <span id="scite-216" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-216" href="https://blog.malwarebytes.com/threat-analysis/2015/11/no-money-but-pony-from-a-mail-to-a-trojan-horse/" target="_blank"> hasherezade. (2016, April 11). No money, but Pony! From a mail to a trojan horse. Retrieved May 21, 2020. </a> </span> </span> </li> <li> <span id="scite-217" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-217" href="https://www.fireeye.com/blog/threat-research/2017/03/dissecting_one_ofap.html" target="_blank"> Dunwoody, M.. (2017, April 3). Dissecting One of APT29’s Fileless WMI and PowerShell Backdoors (POSHSPY). Retrieved April 5, 2017. </a> </span> </span> </li> <li> <span id="scite-218" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-218" href="https://github.com/PowerShellMafia/PowerSploit" target="_blank"> PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. </a> </span> </span> </li> <li> <span id="scite-219" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-219" href="http://powersploit.readthedocs.io" target="_blank"> PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. </a> </span> </span> </li> <li> <span id="scite-220" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-220" href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank"> Faou, M. and Dumont R.. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-221" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-221" href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank"> ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. </a> </span> </span> </li> <li> <span id="scite-222" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-222" href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank"> Lunghi, D. and Horejsi, J.. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-223" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-223" href="http://www.welivesecurity.com/wp-content/uploads/2016/05/Operation-Groundbait.pdf" target="_blank"> Cherepanov, A.. (2016, May 17). Operation Groundbait: Analysis of a surveillance toolkit. Retrieved May 18, 2016. </a> </span> </span> </li> <li> <span id="scite-224" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-224" href="http://blog.morphisec.com/security-alert-fin8-is-back" target="_blank"> Gorelik, M.. (2019, June 10). SECURITY ALERT: FIN8 IS BACK IN BUSINESS, TARGETING THE HOSPITALITY INDUSTRY. Retrieved June 13, 2019. </a> </span> </span> </li> <li> <span id="scite-225" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-225" href="https://www.fireeye.com/blog/threat-research/2016/05/windows-zero-day-payment-cards.html" target="_blank"> Kizhakkinan, D. et al.. (2016, May 11). Threat Actor Leverages Windows Zero-day Exploit in Payment Card Data Attacks. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-226" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-226" href="http://cdn0.vox-cdn.com/assets/4589853/crowdstrike-intelligence-report-putter-panda.original.pdf" target="_blank"> Crowdstrike Global Intelligence Team. (2014, June 9). CrowdStrike Intelligence Report: Putter Panda. Retrieved January 22, 2016. </a> </span> </span> </li> <li> <span id="scite-227" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-227" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/solarwinds-raindrop-malware" target="_blank"> Symantec Threat Hunter Team. (2021, January 18). Raindrop: New Malware Discovered in SolarWinds Investigation. Retrieved January 19, 2021. </a> </span> </span> </li> <li> <span id="scite-228" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-228" href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank"> MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-229" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-229" href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank"> Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-230" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-230" href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-new-malware-with-ties-to-sunorcal-discovered/" target="_blank"> Grunzweig, J. and Miller-Osborn, J. (2017, November 10). New Malware with Ties to SunOrcal Discovered. Retrieved November 16, 2017. </a> </span> </span> </li> <li> <span id="scite-231" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-231" href="https://www.pwc.co.uk/cyber-security/pdf/cloud-hopper-annex-b-final.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </span> </span> </li> <li> <span id="scite-232" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-232" href="https://blog.talosintelligence.com/2018/08/picking-apart-remcos.html" target="_blank"> Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-233" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-233" href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank"> Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-234" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-234" href="http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/Symantec_Remsec_IOCs.pdf" target="_blank"> Symantec Security Response. (2016, August 8). Backdoor.Remsec indicators of compromise. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-235" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-235" href="https://securelist.com/files/2016/07/The-ProjectSauron-APT_Technical_Analysis_KL.pdf" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2016, August 9). The ProjectSauron APT. Technical Analysis. Retrieved August 17, 2016. </a> </span> </span> </li> <li> <span id="scite-236" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-236" href="https://www.gdatasoftware.com/blog/2019/06/31724-strange-bits-sodinokibi-spam-cinarat-and-fake-g-data" target="_blank"> Han, Karsten. (2019, June 4). Strange Bits: Sodinokibi Spam, CinaRAT, and Fake G DATA. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-237" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-237" href="https://www.secureworks.com/blog/revil-the-gandcrab-connection" target="_blank"> Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-238" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-238" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-atr-analyzes-sodinokibi-aka-revil-ransomware-as-a-service-what-the-code-tells-us/" target="_blank"> McAfee. (2019, October 2). McAfee ATR Analyzes Sodinokibi aka REvil Ransomware-as-a-Service – What The Code Tells Us. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-239" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-239" href="https://intel471.com/blog/revil-ransomware-as-a-service-an-analysis-of-a-ransomware-affiliate-operation/" target="_blank"> Intel 471 Malware Intelligence team. (2020, March 31). REvil Ransomware-as-a-Service – An analysis of a ransomware affiliate operation. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-240" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-240" href="https://www.group-ib.com/whitepapers/ransomware-uncovered.html" target="_blank"> Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. Retrieved August 5, 2020. </a> </span> </span> </li> <li> <span id="scite-241" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-241" href="https://www.picussecurity.com/blog/a-brief-history-and-further-technical-analysis-of-sodinokibi-ransomware" target="_blank"> Ozarslan, S. (2020, January 15). A Brief History of Sodinokibi. Retrieved August 5, 2020. </a> </span> </span> </li> <li> <span id="scite-242" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-242" href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank"> Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-243" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-243" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A., et. al.. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-244" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-244" href="https://www.anomali.com/blog/rocke-evolves-its-arsenal-with-a-new-malware-family-written-in-golang" target="_blank"> Anomali Labs. (2019, March 15). Rocke Evolves Its Arsenal With a New Malware Family Written in Golang. Retrieved April 24, 2019. </a> </span> </span> </li> <li> <span id="scite-245" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-245" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank"> Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-246" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-246" href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank"> Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. </a> </span> </span> </li> <li> <span id="scite-247" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-247" href="https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" target="_blank"> Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. </a> </span> </span> </li> <li> <span id="scite-248" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-248" href="http://www.secureworks.com/cyber-threat-intelligence/threats/sakula-malware-family/" target="_blank"> Dell SecureWorks Counter Threat Unit Threat Intelligence. (2015, July 30). Sakula Malware Family. Retrieved January 26, 2016. </a> </span> </span> </li> <li> <span id="scite-249" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-249" href="https://www.sophos.com/en-us/medialibrary/PDFs/technical-papers/SamSam-ransomware-chooses-Its-targets-carefully-wpna.pdf" target="_blank"> Palotay, D. and Mackenzie, P. (2018, April). SamSam Ransomware Chooses Its Targets Carefully. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-250" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-250" href="https://blog.talosintelligence.com/2018/01/samsam-evolution-continues-netting-over.html" target="_blank"> Ventura, V. (2018, January 22). SamSam - The Evolution Continues Netting Over $325,000 in 4 Weeks. Retrieved April 16, 2019. </a> </span> </span> </li> <li> <span id="scite-251" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-251" href="https://web.archive.org/web/20160503234007/https://www.isightpartners.com/2014/10/cve-2014-4114/" target="_blank"> Ward, S.. (2014, October 14). iSIGHT discovers zero-day vulnerability CVE-2014-4114 used in Russian cyber-espionage campaign. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-252" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-252" href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank"> Cherepanov, A.. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-253" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-253" href="https://www.proofpoint.com/us/threat-insight/post/ta505-distributes-new-sdbbot-remote-access-trojan-get2-downloader" target="_blank"> Schwarz, D. et al. (2019, October 16). TA505 Distributes New SDBbot Remote Access Trojan with Get2 Downloader. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-254" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-254" href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report-appendix.zip" target="_blank"> Mandiant. (n.d.). Appendix C (Digital) - The Malware Arsenal. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-255" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-255" href="https://securelist.com/shadowpad-in-corporate-networks/81432/" target="_blank"> GReAT. (2017, August 15). ShadowPad in corporate networks. Retrieved March 22, 2021. </a> </span> </span> </li> <li> <span id="scite-256" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-256" href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank"> Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-257" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-257" href="https://www.fireeye.com/blog/threat-research/2015/06/operation-clandestine-wolf-adobe-flash-zero-day.html" target="_blank"> Eng, E., Caselden, D.. (2015, June 23). Operation Clandestine Wolf – Adobe Flash Zero-Day in APT3 Phishing Campaign. Retrieved January 14, 2016. </a> </span> </span> </li> <li> <span id="scite-258" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-258" href="http://researchcenter.paloaltonetworks.com/2015/07/ups-observations-on-cve-2015-3113-prior-zero-days-and-the-pirpi-payload/" target="_blank"> Falcone, R. and Wartell, R.. (2015, July 27). Observations on CVE-2015-3113, Prior Zero-Days and the Pirpi Payload. Retrieved January 22, 2016. </a> </span> </span> </li> <li> <span id="scite-259" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-259" href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank"> Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. </a> </span> </span> </li> <li> <span id="scite-260" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-260" href="https://www.rewterz.com/threats/sidewinder-apt-group-campaign-analysis" target="_blank"> Rewertz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021. </a> </span> </span> </li> <li> <span id="scite-261" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-261" href="https://cybleinc.com/2020/09/26/sidewinder-apt-targets-with-futuristic-tactics-and-techniques/" target="_blank"> Cyble. (2020, September 26). SideWinder APT Targets with futuristic Tactics and Techniques. Retrieved January 29, 2021. </a> </span> </span> </li> <li> <span id="scite-262" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-262" href="https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/" target="_blank"> Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. </a> </span> </span> </li> <li> <span id="scite-263" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-263" href="https://blog.trendmicro.com/trendlabs-security-intelligence/skidmap-linux-malware-uses-rootkit-capabilities-to-hide-cryptocurrency-mining-payload/" target="_blank"> Remillano, A., Urbanec, J. (2019, September 19). Skidmap Linux Malware Uses Rootkit Capabilities to Hide Cryptocurrency-Mining Payload. Retrieved June 4, 2020. </a> </span> </span> </li> <li> <span id="scite-264" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-264" href="https://blog.malwarebytes.com/threat-analysis/2016/08/smoke-loader-downloader-with-a-smokescreen-still-alive/" target="_blank"> Hasherezade. (2016, September 12). Smoke Loader – downloader with a smokescreen still alive. Retrieved March 20, 2018. </a> </span> </span> </li> <li> <span id="scite-265" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-265" href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank"> Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018. </a> </span> </span> </li> <li> <span id="scite-266" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-266" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank"> CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-267" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-267" href="https://research.checkpoint.com/speakup-a-new-undetected-backdoor-linux-trojan/" target="_blank"> Check Point Research. (2019, February 4). SpeakUp: A New Undetected Backdoor Linux Trojan. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-268" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-268" href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank"> Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. </a> </span> </span> </li> <li> <span id="scite-269" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-269" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" target="_blank"> Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-270" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-270" href="https://www.cylance.com/shell-crew-variants-continue-to-fly-under-big-avs-radar" target="_blank"> Cylance SPEAR Team. (2017, February 9). Shell Crew Variants Continue to Fly Under Big AV’s Radar. Retrieved February 15, 2017. </a> </span> </span> </li> <li> <span id="scite-271" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-271" href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank"> Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. </a> </span> </span> </li> <li> <span id="scite-272" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-272" href="https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" target="_blank"> Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. </a> </span> </span> </li> <li> <span id="scite-273" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-273" href="https://www.microsoft.com/security/blog/2020/12/18/analyzing-solorigate-the-compromised-dll-file-that-started-a-sophisticated-cyberattack-and-how-microsoft-defender-helps-protect/" target="_blank"> MSTIC. (2020, December 18). Analyzing Solorigate, the compromised DLL file that started a sophisticated cyberattack, and how Microsoft Defender helps protect customers . Retrieved January 5, 2021. </a> </span> </span> </li> <li> <span id="scite-274" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-274" href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank"> FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. </a> </span> </span> </li> <li> <span id="scite-275" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-275" href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank"> CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. </a> </span> </span> </li> <li> <span id="scite-276" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-276" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-027a" target="_blank"> CISA. (2021, January 27). Malware Analysis Report (AR21-027A). Retrieved February 22, 2021. </a> </span> </span> </li> <li> <span id="scite-277" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-277" href="https://securelist.com/synack-targeted-ransomware-uses-the-doppelganging-technique/85431/" target="_blank"> Ivanov, A. et al.. (2018, May 7). SynAck targeted ransomware uses the Doppelgänging technique. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-278" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-278" href="https://usa.kaspersky.com/about/press-releases/2018_synack-doppelganging" target="_blank"> Bettencourt, J. (2018, May 7). Kaspersky Lab finds new variant of SynAck ransomware using sophisticated Doppelgänging technique. Retrieved May 24, 2018. </a> </span> </span> </li> <li> <span id="scite-279" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-279" href="https://www.proofpoint.com/us/threat-insight/post/threat-actor-profile-ta505-dridex-globeimposter" target="_blank"> Proofpoint Staff. (2017, September 27). Threat Actor Profile: TA505, From Dridex to GlobeImposter. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-280" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-280" href="https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware" target="_blank"> Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-281" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-281" href="https://www.deepinstinct.com/2019/04/02/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload/" target="_blank"> Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-282" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-282" href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank"> Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. </a> </span> </span> </li> <li> <span id="scite-283" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-283" href="https://securelist.com/project-tajmahal/90240/" target="_blank"> GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. </a> </span> </span> </li> <li> <span id="scite-284" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-284" href="https://research.checkpoint.com/2020/sunburst-teardrop-and-the-netsec-new-normal/" target="_blank"> Check Point Research. (2020, December 22). SUNBURST, TEARDROP and the NetSec New Normal. Retrieved January 6, 2021. </a> </span> </span> </li> <li> <span id="scite-285" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-285" href="https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/" target="_blank"> Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018. </a> </span> </span> </li> <li> <span id="scite-286" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-286" href="https://securelist.com/luckymouse-hits-national-data-center/86083/" target="_blank"> Legezo, D. (2018, June 13). LuckyMouse hits national data center to organize country-level waterholing campaign. Retrieved August 18, 2018. </a> </span> </span> </li> <li> <span id="scite-287" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-287" href="https://unit42.paloaltonetworks.com/emissary-panda-attacks-middle-east-government-sharepoint-servers/" target="_blank"> Falcone, R. and Lancaster, T.. (2019, May 28). Emissary Panda Attacks Middle East Government Sharepoint Servers. Retrieved July 9, 2019. </a> </span> </span> </li> <li> <span id="scite-288" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-288" href="https://www.forcepoint.com/sites/default/files/resources/files/forcepoint-security-labs-monsoon-analysis-report.pdf" target="_blank"> Settle, A., et al. (2016, August 8). MONSOON - Analysis Of An APT Campaign. Retrieved September 22, 2016. </a> </span> </span> </li> <li> <span id="scite-289" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-289" href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank"> Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. </a> </span> </span> </li> <li> <span id="scite-290" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-290" href="https://www.secureworks.com/research/updated-karagany-malware-targets-energy-sector" target="_blank"> Secureworks. (2019, July 24). Updated Karagany Malware Targets Energy Sector. Retrieved August 12, 2020. </a> </span> </span> </li> <li> <span id="scite-291" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-291" href="https://blog.trendmicro.com/trendlabs-security-intelligence/tropic-trooper-new-strategy/" target="_blank"> Horejsi, J., et al. (2018, March 14). Tropic Trooper’s New Strategy. Retrieved November 9, 2018. </a> </span> </span> </li> <li> <span id="scite-292" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-292" href="https://documents.trendmicro.com/assets/Tech-Brief-Tropic-Trooper-s-Back-USBferry-Attack-Targets-Air-gapped-Environments.pdf" target="_blank"> Chen, J.. (2020, May 12). Tropic Trooper’s Back: USBferry Attack Targets Air gapped Environments. Retrieved May 20, 2020. </a> </span> </span> </li> <li> <span id="scite-293" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-293" href="https://www.us-cert.gov/ncas/analysis-reports/AR18-165A" target="_blank"> US-CERT. (2018, June 14). MAR-10135536-12 – North Korean Trojan: TYPEFRAME. Retrieved July 13, 2018. </a> </span> </span> </li> <li> <span id="scite-294" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-294" href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-uboatrat-navigates-east-asia/" target="_blank"> Hayashi, K. (2017, November 28). UBoatRAT Navigates East Asia. Retrieved January 12, 2018. </a> </span> </span> </li> <li> <span id="scite-295" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-295" href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank"> Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-296" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-296" href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank"> Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019. </a> </span> </span> </li> <li> <span id="scite-297" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-297" href="http://www.welivesecurity.com/2014/11/11/sednit-espionage-group-attacking-air-gapped-networks/" target="_blank"> Calvet, J. (2014, November 11). Sednit Espionage Group Attacking Air-Gapped Networks. Retrieved January 4, 2017. </a> </span> </span> </li> <li> <span id="scite-298" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-298" href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank"> Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . Retrieved June 19, 2020. </a> </span> </span> </li> <li> <span id="scite-299" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-299" href="https://assets.sentinelone.com/labs/sentinel-one-valak-i " target="_blank"> Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. </a> </span> </span> </li> <li> <span id="scite-300" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-300" href="https://researchcenter.paloaltonetworks.com/2018/01/unit42-vermin-quasar-rat-custom-malware-used-ukraine/" target="_blank"> Lancaster, T., Cortes, J. (2018, January 29). VERMIN: Quasar RAT and Custom Malware Used In Ukraine. Retrieved July 5, 2018. </a> </span> </span> </li> <li> <span id="scite-301" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-301" href="https://www.us-cert.gov/sites/default/files/publications/MAR-10135536-D_WHITE_S508C.PDF" target="_blank"> US-CERT. (2017, November 01). Malware Analysis Report (MAR) - 10135536-D. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-302" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-302" href="https://www.trendmicro.com/en_us/research/19/l/waterbear-is-back-uses-api-hooking-to-evade-security-product-detection.html" target="_blank"> Su, V. et al. (2019, December 11). Waterbear Returns, Uses API Hooking to Evade Security. Retrieved February 22, 2021. </a> </span> </span> </li> <li> <span id="scite-303" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-303" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/whitefly-espionage-singapore" target="_blank"> Symantec. (2019, March 6). Whitefly: Espionage Group has Singapore in Its Sights. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-304" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-304" href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" target="_blank"> The Blackberry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. </a> </span> </span> </li> <li> <span id="scite-305" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-305" href="https://objective-see.com/blog/blog_0x3D.html" target="_blank"> Wardle, Patrick. (2019, January 15). Middle East Cyber-Espionage analyzing WindShift's implant: OSX.WindTail (part 2). Retrieved October 3, 2019. </a> </span> </span> </li> <li> <span id="scite-306" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-306" href="https://medium.com/chronicle-blog/winnti-more-than-just-windows-and-gates-e4f03436031a" target="_blank"> Chronicle Blog. (2019, May 15). Winnti: More than just Windows and Gates. Retrieved April 29, 2020. </a> </span> </span> </li> <li> <span id="scite-307" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-307" href="https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" target="_blank"> Goody, K., et al (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-308" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-308" href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank"> The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-309" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-309" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. </a> </span> </span> </li> <li> <span id="scite-310" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-310" href="https://www.trendmicro.de/cloud-content/us/pdfs/security-intelligence/white-papers/wp-operation-tropic-trooper.pdf" target="_blank"> Alintanahin, K. (2015). Operation Tropic Trooper: Relying on Tried-and-Tested Flaws to Infiltrate Secret Keepers. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-311" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-311" href="https://www.proofpoint.com/us/threat-insight/post/APT-targets-russia-belarus-zerot-plugx" target="_blank"> Huss, D., et al. (2017, February 2). Oops, they did it again: APT Targets Russia and Belarus with ZeroT and PlugX. Retrieved April 5, 2018. </a> </span> </span> </li> <li> <span id="scite-312" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-312" href="https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More" target="_blank"> Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-313" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-313" href="https://cyberwtf.files.wordpress.com/2017/07/panda-whitepaper.pdf" target="_blank"> Ebach, L. (2017, June 22). Analysis Results of Zeus.Variant.Panda. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-314" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-314" href="https://cloudblogs.microsoft.com/microsoftsecure/2015/06/09/windows-10-to-offer-application-developers-new-malware-defenses/?source=mmpc" target="_blank"> Microsoft. (2015, June 9). Windows 10 to offer application developers new malware defenses. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-315" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-315" href="https://github.com/danielbohannon/Revoke-Obfuscation" target="_blank"> Bohannon, D. (2017, July 27). Revoke-Obfuscation. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-316" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-316" href="https://github.com/itsreallynick/office-crackros" target="_blank"> Carr, N. (2016, August 14). OfficeCrackros. Retrieved February 12, 2018. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <footer class="footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v9/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2021, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v9/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v9/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v9/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" title="ATT&amp;CK content version 9.0&#013;Website version 3.3.1">ATT&CK v9.0</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v9/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v9/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v9/theme/scripts/popper.min.js"></script> <script src="/versions/v9/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v9/theme/scripts/site.js"></script> <script src="/versions/v9/theme/scripts/flexsearch.es5.js"></script> <script src="/versions/v9/theme/scripts/localforage.min.js"></script> <script src="/versions/v9/theme/scripts/settings.js?7243"></script> <script src="/versions/v9/theme/scripts/search_babelized.js"></script> <!--SCRIPTS--> <script src="/versions/v9/theme/scripts/navigation.js"></script> <script src="/versions/v9/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v9/theme/scripts/settings.js"></script> <script src="/versions/v9/theme/scripts/tour/tour-techniques.js"></script> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10