CINXE.COM

Net, Software S0039 | MITRE ATT&CK®

<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v16/theme/favicon.ico" type='image/x-icon'> <title>Net, Software S0039 | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-select.min.css" /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v16/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v16/"><img src="/versions/v16/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v16/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v16/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/groups">Groups</a> <a class="dropdown-item" href="/versions/v16/software">Software</a> <a class="dropdown-item" href="/versions/v16/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v16/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v16/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v16/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v16/resources/faq/">FAQ</a> <a class="dropdown-item" href="/versions/v16/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v16/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v16/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v16/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v16/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1" target="_blank">ATT&CK v16.1</a> which is the current version of ATT&CK. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div class="container-fluid d-none"> ATT&CK v16 has been released! Check out the <a href='https://medium.com/mitre-attack/attack-v16-561c76af94cf'>blog post</a> for more information. </div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v16/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v16/software/">Software</a></li> <li class="breadcrumb-item">Net</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1> Net </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>The <a href="/versions/v16/software/S0039">Net</a> utility is a component of the Windows operating system. It is used in command-line operations for control of users, groups, services, and network connections. <span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015."data-reference="Microsoft Net Utility"><sup><a href="https://msdn.microsoft.com/en-us/library/aa939914" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p><p><a href="/versions/v16/software/S0039">Net</a> has a great deal of functionality, <span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> much of which is useful for an adversary, such as gathering system and network information for Discovery, moving laterally through <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a> using <code>net use</code> commands, and interacting with services. The net1.exe utility is executed for certain functionality when net.exe is run and can be used directly in commands such as <code>net1 user</code>.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div id="card-id" class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>S0039 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="Names that have overlapping reference to a software entry and may refer to the same or similar software in threat intelligence reporting">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Associated Software</span>: net.exe </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="This software is commercial, open-source, built-in, or publicly available software that could be used by a defender, pen tester, red teamer, or an adversary">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Type</span>: TOOL </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms</span>: Windows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors</span>: David Ferguson, CyberSponse </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version</span>: 2.6 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>01 February 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of S0039" href="/versions/v16/software/S0039/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of S0039" href="/software/S0039/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="dropdown h3 mt-3 float-right"> <button class="btn btn-navy dropdown-toggle" type="button" id="dropdownMenuButton" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>ATT&amp;CK<sup>&reg;</sup> Navigator Layers</b> </button> <div class="dropdown-menu" aria-labelledby="dropdownMenuButton"> <h6 class="dropdown-header">Enterprise Layer</h6> <a class="dropdown-item" href="/versions/v16/software/S0039/S0039-enterprise-layer.json" download target="_blank">download</a> <!-- only show view on navigator link if layer link is defined --> <a class="dropdown-item" href="#" id="view-layer-on-navigator-enterprise" target="_blank">view <img width="10" src="/versions/v16/theme/images/external-site-dark.jpeg"></a> <script src="/versions/v16/theme/scripts/settings.js"></script> <script> if (window.location.protocol == "https:") { //view on navigator only works when this site is hosted on HTTPS var layerURL = window.location.protocol + "//" + window.location.host + base_url + "software/S0039/S0039-enterprise-layer.json"; document.getElementById("view-layer-on-navigator-enterprise").href = "https://mitre-attack.github.io/attack-navigator//#layerURL=" + encodeURIComponent(layerURL); } else { //hide button document.getElementById("view-layer-on-navigator-enterprise").classList.add("d-none"); } </script> </div> </div> <!--start-indexing-for-search--> <h2 class="pt-3 mb-2" id="techniques">Techniques Used</h2> <div class="tables-mobile"> <table class="table techniques-used background table-bordered"> <thead> <tr> <th class="p-2" scope="col">Domain</th> <th class="p-2" colspan="2">ID</th> <th class="p-2" scope="col">Name</th> <th class="p-2" scope="col">Use</th> </tr> </thead> <tbody> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1087">T1087</a> </td> <td> <a href="/versions/v16/techniques/T1087/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/001">Local Account</a> </td> <td> <p>Commands under <code>net user</code> can be used in <a href="/versions/v16/software/S0039">Net</a> to gather information about and manipulate user accounts.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1087/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1087">Account Discovery</a>: <a href="/versions/v16/techniques/T1087/002">Domain Account</a> </td> <td> <p><a href="/versions/v16/software/S0039">Net</a> commands used with the <code>/domain</code> flag can be used to gather information about and manipulate user accounts on the current domain.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Microsoft. (2017, February 14). Net Commands On Windows Operating Systems. Retrieved March 19, 2020."data-reference="Microsoft Net"><sup><a href="https://support.microsoft.com/en-us/help/556003" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1098">T1098</a> </td> <td> <a href="/versions/v16/techniques/T1098/007">.007</a> </td> <td> <a href="/versions/v16/techniques/T1098">Account Manipulation</a>: <a href="/versions/v16/techniques/T1098/007">Additional Local or Domain Groups</a> </td> <td> <p>The <code>net localgroup</code> and <code>net group</code> commands in <a href="/versions/v16/software/S0039">Net</a> can be used to add existing users to local and domain groups.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft. (2016, August 31). Net Localgroup. Retrieved August 5, 2024."data-reference="Microsoft Net Localgroup"><sup><a href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> <span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Microsoft. (2016, August 31). Net group. Retrieved August 5, 2024."data-reference="Microsoft Net Group"><sup><a href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1136">T1136</a> </td> <td> <a href="/versions/v16/techniques/T1136/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/001">Local Account</a> </td> <td> <p>The <code>net user username \password</code> commands in <a href="/versions/v16/software/S0039">Net</a> can be used to create a local account.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1136/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1136">Create Account</a>: <a href="/versions/v16/techniques/T1136/002">Domain Account</a> </td> <td> <p>The <code>net user username \password \domain</code> commands in <a href="/versions/v16/software/S0039">Net</a> can be used to create a domain account.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1070">T1070</a> </td> <td> <a href="/versions/v16/techniques/T1070/005">.005</a> </td> <td> <a href="/versions/v16/techniques/T1070">Indicator Removal</a>: <a href="/versions/v16/techniques/T1070/005">Network Share Connection Removal</a> </td> <td> <p>The <code>net use \system\share /delete</code> command can be used in <a href="/versions/v16/software/S0039">Net</a> to remove an established connection to a network share.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Microsoft. (n.d.). Net Use. Retrieved November 25, 2016."data-reference="Technet Net Use"><sup><a href="https://technet.microsoft.com/bb490717.aspx" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1135">T1135</a> </td> <td> <a href="/versions/v16/techniques/T1135">Network Share Discovery</a> </td> <td> <p>The <code>net view \remotesystem</code> and <code>net share</code> commands in <a href="/versions/v16/software/S0039">Net</a> can be used to find shared drives and directories on remote and local systems respectively.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1201">T1201</a> </td> <td> <a href="/versions/v16/techniques/T1201">Password Policy Discovery</a> </td> <td> <p>The <code>net accounts</code> and <code>net accounts /domain</code> commands with <a href="/versions/v16/software/S0039">Net</a> can be used to obtain password policy information.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1069">T1069</a> </td> <td> <a href="/versions/v16/techniques/T1069/001">.001</a> </td> <td> <a href="/versions/v16/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v16/techniques/T1069/001">Local Groups</a> </td> <td> <p>Commands such as <code>net group</code> and <code>net localgroup</code> can be used in <a href="/versions/v16/software/S0039">Net</a> to gather information about and manipulate groups.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique enterprise" id="enterprise"> <td></td> <td></td> <td> <a href="/versions/v16/techniques/T1069/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1069">Permission Groups Discovery</a>: <a href="/versions/v16/techniques/T1069/002">Domain Groups</a> </td> <td> <p>Commands such as <code>net group /domain</code> can be used in <a href="/versions/v16/software/S0039">Net</a> to gather information about and manipulate groups.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1021">T1021</a> </td> <td> <a href="/versions/v16/techniques/T1021/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1021">Remote Services</a>: <a href="/versions/v16/techniques/T1021/002">SMB/Windows Admin Shares</a> </td> <td> <p>Lateral movement can be done with <a href="/versions/v16/software/S0039">Net</a> through <code>net use</code> commands to connect to the on remote systems.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1018">T1018</a> </td> <td> <a href="/versions/v16/techniques/T1018">Remote System Discovery</a> </td> <td> <p>Commands such as <code>net view</code> can be used in <a href="/versions/v16/software/S0039">Net</a> to gather information about available remote systems.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1049">T1049</a> </td> <td> <a href="/versions/v16/techniques/T1049">System Network Connections Discovery</a> </td> <td> <p>Commands such as <code>net use</code> and <code>net session</code> can be used in <a href="/versions/v16/software/S0039">Net</a> to gather information about network connections from a particular host.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1007">T1007</a> </td> <td> <a href="/versions/v16/techniques/T1007">System Service Discovery</a> </td> <td> <p>The <code>net start</code> command can be used in <a href="/versions/v16/software/S0039">Net</a> to find information about Windows services.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="sub technique noparent enterprise" id="enterprise"> <td> Enterprise </td> <td> <a href="/versions/v16/techniques/T1569">T1569</a> </td> <td> <a href="/versions/v16/techniques/T1569/002">.002</a> </td> <td> <a href="/versions/v16/techniques/T1569">System Services</a>: <a href="/versions/v16/techniques/T1569/002">Service Execution</a> </td> <td> <p>The <code>net start</code> and <code>net stop</code> commands can be used in <a href="/versions/v16/software/S0039">Net</a> to execute or stop Windows services.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015."data-reference="Savill 1999"><sup><a href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr class="technique enterprise" id="enterprise"> <td> Enterprise </td> <td colspan="2"> <a href="/versions/v16/techniques/T1124">T1124</a> </td> <td> <a href="/versions/v16/techniques/T1124">System Time Discovery</a> </td> <td> <p>The <code>net time</code> command can be used in <a href="/versions/v16/software/S0039">Net</a> to determine the local or remote system time.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Microsoft. (n.d.). Net time. Retrieved November 25, 2016."data-reference="TechNet Net Time"><sup><a href="https://technet.microsoft.com/bb490716.aspx" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="groups">Groups That Use This Software</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col" width="20%">Name</th> <th scope="col">References</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/groups/G0019">G0019</a> </td> <td> <a href="/versions/v16/groups/G0019">Naikon</a> </td> <td> <p><span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019."data-reference="Baumgartner Naikon 2015"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0059">G0059</a> </td> <td> <a href="/versions/v16/groups/G0059">Magic Hound</a> </td> <td> <p><span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span><span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0082">G0082</a> </td> <td> <a href="/versions/v16/groups/G0082">APT38</a> </td> <td> <p><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018."data-reference="FireEye APT38 Oct 2018"><sup><a href="https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0035">G0035</a> </td> <td> <a href="/versions/v16/groups/G0035">Dragonfly</a> </td> <td> <p><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0009">G0009</a> </td> <td> <a href="/versions/v16/groups/G0009">Deep Panda</a> </td> <td> <p><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014."data-reference="Alperovitch 2014"><sup><a href="https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0027">G0027</a> </td> <td> <a href="/versions/v16/groups/G0027">Threat Group-3390</a> </td> <td> <p><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017."data-reference="SecureWorks BRONZE UNION June 2017"><sup><a href="https://www.secureworks.com/research/bronze-union" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0049">G0049</a> </td> <td> <a href="/versions/v16/groups/G0049">OilRig</a> </td> <td> <p><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017."data-reference="Palo Alto OilRig May 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span><span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017."data-reference="FireEye APT34 Dec 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0028">G0028</a> </td> <td> <a href="/versions/v16/groups/G0028">Threat Group-1314</a> </td> <td> <p><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016."data-reference="Dell TG-1314"><sup><a href="http://www.secureworks.com/resources/blog/living-off-the-land/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0007">G0007</a> </td> <td> <a href="/versions/v16/groups/G0007">APT28</a> </td> <td> <p><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021."data-reference="Cybersecurity Advisory GRU Brute Force Campaign July 2021"><sup><a href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0096">G0096</a> </td> <td> <a href="/versions/v16/groups/G0096">APT41</a> </td> <td> <p><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."data-reference="FireEye APT41 Aug 2019"><sup><a href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0045">G0045</a> </td> <td> <a href="/versions/v16/groups/G0045">menuPass</a> </td> <td> <p><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0004">G0004</a> </td> <td> <a href="/versions/v16/groups/G0004">Ke3chang</a> </td> <td> <p><span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION "KE3CHANG": Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014."data-reference="Mandiant Operation Ke3chang November 2014"><sup><a href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018."data-reference="NCC Group APT15 Alive and Strong"><sup><a href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0065">G0065</a> </td> <td> <a href="/versions/v16/groups/G0065">Leviathan</a> </td> <td> <p><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019."data-reference="FireEye APT40 March 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1023">G1023</a> </td> <td> <a href="/versions/v16/groups/G1023">APT5</a> </td> <td> <p><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024."data-reference="Mandiant Pulse Secure Update May 2021"><sup><a href="https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0071">G0071</a> </td> <td> <a href="/versions/v16/groups/G0071">Orangeworm</a> </td> <td> <p><span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018."data-reference="Symantec Orangeworm April 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0093">G0093</a> </td> <td> <a href="/versions/v16/groups/G0093">GALLIUM</a> </td> <td> <p><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019."data-reference="Cybereason Soft Cell June 2019"><sup><a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0018">G0018</a> </td> <td> <a href="/versions/v16/groups/G0018">admin@338</a> </td> <td> <p><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015."data-reference="FireEye admin@338"><sup><a href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1032">G1032</a> </td> <td> <a href="/versions/v16/groups/G1032">INC Ransom</a> </td> <td> <p><span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024."data-reference="Huntress INC Ransomware May 2024"><sup><a href="https://www.huntress.com/blog/lolbin-to-inc-ransomware" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0114">G0114</a> </td> <td> <a href="/versions/v16/groups/G0114">Chimera</a> </td> <td> <p><span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024."data-reference="NCC Group Chimera January 2021"><sup><a href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0006">G0006</a> </td> <td> <a href="/versions/v16/groups/G0006">APT1</a> </td> <td> <p><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016."data-reference="Mandiant APT1"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0061">G0061</a> </td> <td> <a href="/versions/v16/groups/G0061">FIN8</a> </td> <td> <p><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018."data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0092">G0092</a> </td> <td> <a href="/versions/v16/groups/G0092">TA505</a> </td> <td> <p><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020."data-reference="Trend Micro TA505 June 2019"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1022">G1022</a> </td> <td> <a href="/versions/v16/groups/G1022">ToddyCat</a> </td> <td> <p><span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat Check Logs October 2023"><sup><a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0010">G0010</a> </td> <td> <a href="/versions/v16/groups/G0010">Turla</a> </td> <td> <p><span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014."data-reference="Kaspersky Turla"><sup><a href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0064">G0064</a> </td> <td> <a href="/versions/v16/groups/G0064">APT33</a> </td> <td> <p><span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019."data-reference="Symantec Elfin Mar 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0102">G0102</a> </td> <td> <a href="/versions/v16/groups/G0102">Wizard Spider</a> </td> <td> <p><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020."data-reference="CrowdStrike Ryuk January 2019"><sup><a href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020."data-reference="Red Canary Hospital Thwarted Ryuk October 2020"><sup><a href="https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020."data-reference="FireEye KEGTAP SINGLEMALT October 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span><span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020."data-reference="DFIR Ryuk's Return October 2020"><sup><a href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span><span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020."data-reference="DFIR Ryuk 2 Hour Speed Run November 2020"><sup><a href="https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020."data-reference="DFIR Ryuk in 5 Hours October 2020"><sup><a href="https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span><span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020."data-reference="Sophos New Ryuk Attack October 2020"><sup><a href="https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span><span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023."data-reference="Mandiant FIN12 Oct 2021"><sup><a href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0034">G0034</a> </td> <td> <a href="/versions/v16/groups/G0034">Sandworm Team</a> </td> <td> <p><span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0016">G0016</a> </td> <td> <a href="/versions/v16/groups/G0016">APT29</a> </td> <td> <p><span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020."data-reference="CISA SoreFang July 2016"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0050">G0050</a> </td> <td> <a href="/versions/v16/groups/G0050">APT32</a> </td> <td> <p><span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1017">G1017</a> </td> <td> <a href="/versions/v16/groups/G1017">Volt Typhoon</a> </td> <td> <p><span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023."data-reference="Secureworks BRONZE SILHOUETTE May 2023"><sup><a href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span><span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024."data-reference="CISA AA24-038A PRC Critical Infrastructure February 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0060">G0060</a> </td> <td> <a href="/versions/v16/groups/G0060">BRONZE BUTLER</a> </td> <td> <p><span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018."data-reference="Secureworks BRONZE BUTLER Oct 2017"><sup><a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="campaigns">Campaigns</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/campaigns/C0026">C0026</a> </td> <td> <a href="/versions/v16/campaigns/C0026">C0026</a> </td> <td> <p><span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023."data-reference="Mandiant Suspected Turla Campaign February 2023"><sup><a href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://msdn.microsoft.com/en-us/library/aa939914" target="_blank"> Microsoft. (2006, October 18). Net.exe Utility. Retrieved September 22, 2015. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://web.archive.org/web/20150511162820/http://windowsitpro.com/windows/netexe-reference" target="_blank"> Savill, J. (1999, March 4). Net.exe reference. Retrieved September 22, 2015. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://support.microsoft.com/en-us/help/556003" target="_blank"> Microsoft. (2017, February 14). Net Commands On Windows Operating Systems. Retrieved March 19, 2020. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc725622(v=ws.11)" target="_blank"> Microsoft. (2016, August 31). Net Localgroup. Retrieved August 5, 2024. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://learn.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-r2-and-2012/cc754051(v=ws.11)" target="_blank"> Microsoft. (2016, August 31). Net group. Retrieved August 5, 2024. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://technet.microsoft.com/bb490717.aspx" target="_blank"> Microsoft. (n.d.). Net Use. Retrieved November 25, 2016. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://technet.microsoft.com/bb490716.aspx" target="_blank"> Microsoft. (n.d.). Net time. Retrieved November 25, 2016. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07205555/TheNaikonAPT-MsnMM1.pdf" target="_blank"> Baumgartner, K., Golovkin, M.. (2015, May). The MsnMM Campaigns: The Earliest Naikon APT Campaigns. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank"> Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank"> DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank"> DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.mandiant.com/sites/default/files/2021-09/rpt-apt38-2018-web_v5-1.pdf" target="_blank"> FireEye. (2018, October 03). APT38: Un-usual Suspects. Retrieved November 6, 2018. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank"> US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/" target="_blank"> Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.secureworks.com/research/bronze-union" target="_blank"> Counter Threat Unit Research Team. (2017, June 27). BRONZE UNION Cyberespionage Persists Despite Disclosures. Retrieved July 13, 2017. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="http://researchcenter.paloaltonetworks.com/2016/05/the-oilrig-campaign-attacks-on-saudi-arabian-organizations-deliver-helminth-backdoor/" target="_blank"> Falcone, R. and Lee, B.. (2016, May 26). The OilRig Campaign: Attacks on Saudi Arabian Organizations Deliver Helminth Backdoor. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank"> Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="http://www.secureworks.com/resources/blog/living-off-the-land/" target="_blank"> Dell SecureWorks Counter Threat Unit Special Operations Team. (2015, May 28). Living off the Land. Retrieved January 26, 2016. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://media.defense.gov/2021/Jul/01/2002753896/-1/-1/1/CSA_GRU_GLOBAL_BRUTE_FORCE_CAMPAIGN_UOO158036-21.PDF" target="_blank"> NSA, CISA, FBI, NCSC. (2021, July). Russian GRU Conducting Global Brute Force Campaign to Compromise Enterprise and Cloud Environments. Retrieved July 26, 2021. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank"> Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank"> Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://research.nccgroup.com/2018/03/10/apt15-is-alive-and-strong-an-analysis-of-royalcli-and-royaldns/" target="_blank"> Smallridge, R. (2018, March 10). APT15 is alive and strong: An analysis of RoyalCli and RoyalDNS. Retrieved April 4, 2018. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://www.fireeye.com/blog/threat-research/2019/03/apt40-examining-a-china-nexus-espionage-actor.html" target="_blank"> Plan, F., et al. (2019, March 4). APT40: Examining a China-Nexus Espionage Actor. Retrieved March 18, 2019. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.mandiant.com/resources/blog/updates-on-chinese-apt-compromising-pulse-secure-vpn-devices" target="_blank"> Perez, D. et al. (2021, May 27). Re-Checking Your Pulse: Updates on Chinese APT Actors Compromising Pulse Secure VPN Devices. Retrieved February 5, 2024. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.symantec.com/blogs/threat-intelligence/orangeworm-targets-healthcare-us-europe-asia" target="_blank"> Symantec Security Response Attack Investigation Team. (2018, April 23). New Orangeworm attack group targets the healthcare sector in the U.S., Europe, and Asia. Retrieved May 8, 2018. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="27.0"> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.fireeye.com/blog/threat-research/2015/11/china-based-threat.html" target="_blank"> FireEye Threat Intelligence. (2015, December 1). China-based Cyber Threat Group Uses Dropbox for Malware Communications and Targets Hong Kong Media Outlets. Retrieved December 4, 2015. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.huntress.com/blog/lolbin-to-inc-ransomware" target="_blank"> Carvey, H. (2024, May 1). LOLBin to INC Ransomware. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.fireeye.com/content/dam/fireeye-www/services/pdfs/mandiant-apt1-report.pdf" target="_blank"> Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://blog.trendmicro.com/trendlabs-security-intelligence/shifting-tactics-breaking-down-ta505-groups-use-of-html-rats-and-other-techniques-in-latest-campaigns/" target="_blank"> Hiroaki, H. and Lu, L. (2019, June 12). Shifting Tactics: Breaking Down TA505 Group’s Use of HTML, RATs and Other Techniques in Latest Campaigns. Retrieved May 29, 2020. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank"> Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://securelist.com/the-epic-turla-operation/65545/" target="_blank"> Kaspersky Lab's Global Research and Analysis Team. (2014, August 7). The Epic Turla Operation: Solving some of the mysteries of Snake/Uroburos. Retrieved December 11, 2014. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank"> Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.crowdstrike.com/blog/big-game-hunting-with-ryuk-another-lucrative-targeted-ransomware/" target="_blank"> Hanel, A. (2019, January 10). Big Game Hunting with Ryuk: Another Lucrative Targeted Ransomware. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" target="_blank"> Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" target="_blank"> Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank"> The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" target="_blank"> The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://thedfirreport.com/2020/10/18/ryuk-in-5-hours/" target="_blank"> The DFIR Report. (2020, October 18). Ryuk in 5 Hours. Retrieved October 19, 2020. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://news.sophos.com/en-us/2020/10/14/inside-a-new-ryuk-ransomware-attack/" target="_blank"> Sean Gallagher, Peter Mackenzie, Elida Leite, Syed Shahram, Bill Kearney, Anand Aijan, Sivagnanam Gn, Suraj Mundalik. (2020, October 14). They’re back: inside a new Ryuk ransomware attack. Retrieved October 14, 2020. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank"> Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank"> Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank"> CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" target="_blank"> Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank"> CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank"> Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.mandiant.com/resources/blog/turla-galaxy-opportunity" target="_blank"> Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023. </a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">&times;</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v16/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v16/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v16/theme/scripts/popper.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v16/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v16/theme/scripts/site.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/search_bundle.js"></script> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/versions/v16/theme/scripts/sidebar-load-all.js"></script> <script src="/versions/v16/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v16/theme/scripts/settings.js"></script> <script src="/versions/v16/theme/scripts/tour/tour-relationships.js"></script> </body> </html>

Pages: 1 2 3 4 5 6 7 8 9 10