Exfiltration Over C2 Channel, Technique T1041 - Enterprise | MITRE ATT&CK®
<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v13/theme/favicon.ico" type='image/x-icon'> <title>Exfiltration Over C2 Channel, Technique T1041 - Enterprise | MITRE ATT&CK®</title> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v13/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v13/theme/style/bootstrap-glyphicon.min.css" /> <link rel='stylesheet' href="/versions/v13/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v13/theme/style/bootstrap-select.min.css" /> <link rel="stylesheet" type="text/css" href="/versions/v13/theme/style.min.css?e8044105"> <link rel="stylesheet" href="https://cdnjs.cloudflare.com/ajax/libs/font-awesome/4.7.0/css/font-awesome.min.css"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v13/"><img src="/versions/v13/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs 
ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v13/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v13/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v13/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v13/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v13/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v13/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v13/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v13/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v13/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v13/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v13/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v13/techniques/ics/">ICS</a> </div> </li> <li class="nav-item"> <a href="/versions/v13/datasources" class="nav-link" ><b>Data Sources</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v13/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" 
href="/versions/v13/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v13/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v13/mitigations/ics/">ICS</a> </div> </li> <li class="nav-item"> <a href="/versions/v13/groups" class="nav-link" ><b>Groups</b></a> </li> <li class="nav-item"> <a href="/versions/v13/software/" class="nav-link" ><b>Software</b></a> </li> <li class="nav-item"> <a href="/versions/v13/campaigns" class="nav-link" ><b>Campaigns</b></a> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v13/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v13/resources/">General Information</a> <a class="dropdown-item" href="/versions/v13/resources/getting-started/">Getting Started</a> <a class="dropdown-item" href="/versions/v13/resources/training/">Training</a> <a class="dropdown-item" href="/versions/v13/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v13/resources/working-with-attack/">Working with ATT&CK</a> <a class="dropdown-item" href="/versions/v13/resources/faq/">FAQ</a> <a class="dropdown-item" href="/resources/updates/">Updates</a> <a class="dropdown-item" href="/resources/versions/">Versions of ATT&CK</a> <a class="dropdown-item" href="/versions/v13/resources/related-projects/">Related Projects</a> <a class="dropdown-item" href="/versions/v13/resources/brand/">Brand Guide</a> </div> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/versions/v13/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <a href="/versions/v13/resources/contribute/" class="nav-link" ><b>Contribute</b></a> </li> <li class="nav-item"> <button 
id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v13/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v13.1" target="_blank">ATT&CK v13.1</a> which was live between April 25, 2023 and October 30, 2023. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer"></div> <!--stop-indexing-for-search--> <div id="v-tab" role="tablist" aria-orientation="vertical" class="h-100"> <div class="sidenav-wrapper"> <div class="heading" data-toggle="collapse" data-target="#sidebar-collapse" id="v-home-tab" aria-selected="false">TECHNIQUES <i class="fa fa-fw fa-chevron-down"></i> <i class="fa fa-fw fa-chevron-up"></i> </div> <br class="br-mobile"> <div class="collapse show" id="sidebar-collapse"> <div class="sidenav-list"> <div class="sidenav"> <div class="sidenav-head " id="enterprise"> <a href="/versions/v13/techniques/enterprise/"> Enterprise </a> <div class="expand-button collapsed" id="enterprise-header" data-toggle="collapse" data-target="#enterprise-body" aria-expanded="false" aria-controls="#enterprise-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-body" aria-labelledby="enterprise-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002"> <a href="/versions/v13/tactics/TA0002"> Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-header" data-toggle="collapse" data-target="#enterprise-TA0002-body" aria-expanded="false" aria-controls="#enterprise-TA0002-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-body" aria-labelledby="enterprise-TA0002-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1559"> <a href="/versions/v13/techniques/T1559/"> Inter-Process Communication </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1559-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1559-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1559-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1559-body" aria-labelledby="enterprise-TA0002-T1559-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0002-T1559-T1559.001"> <a href="/versions/v13/techniques/T1559/001/"> Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1559-T1559.002"> <a href="/versions/v13/techniques/T1559/002/"> Dynamic Data Exchange </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1559-T1559.003"> <a href="/versions/v13/techniques/T1559/003/"> XPC Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1106"> <a href="/versions/v13/techniques/T1106/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053"> <a href="/versions/v13/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1053-body" aria-labelledby="enterprise-TA0002-T1053-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053-T1053.002"> <a href="/versions/v13/techniques/T1053/002/"> At </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053-T1053.003"> <a href="/versions/v13/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053-T1053.005"> <a href="/versions/v13/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053-T1053.006"> <a href="/versions/v13/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1053-T1053.007"> <a href="/versions/v13/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div 
class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1648"> <a href="/versions/v13/techniques/T1648/"> Serverless Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1129"> <a href="/versions/v13/techniques/T1129/"> Shared Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1072"> <a href="/versions/v13/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1569"> <a href="/versions/v13/techniques/T1569/"> System Services </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1569-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1569-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1569-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1569-body" aria-labelledby="enterprise-TA0002-T1569-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1569-T1569.001"> <a href="/versions/v13/techniques/T1569/001/"> Launchctl </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1569-T1569.002"> <a href="/versions/v13/techniques/T1569/002/"> Service Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1204"> <a href="/versions/v13/techniques/T1204/"> User Execution </a> <div class="expand-button collapsed" id="enterprise-TA0002-T1204-header" data-toggle="collapse" data-target="#enterprise-TA0002-T1204-body" aria-expanded="false" aria-controls="#enterprise-TA0002-T1204-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0002-T1204-body" aria-labelledby="enterprise-TA0002-T1204-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1204-T1204.001"> <a href="/versions/v13/techniques/T1204/001/"> Malicious Link </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0002-T1204-T1204.002"> <a href="/versions/v13/techniques/T1204/002/"> Malicious File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1204-T1204.003"> <a href="/versions/v13/techniques/T1204/003/"> Malicious Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0002-T1047"> <a href="/versions/v13/techniques/T1047/"> Windows Management Instrumentation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003"> <a href="/versions/v13/tactics/TA0003"> Persistence </a> <div class="expand-button collapsed" id="enterprise-TA0003-header" data-toggle="collapse" data-target="#enterprise-TA0003-body" aria-expanded="false" aria-controls="#enterprise-TA0003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-body" aria-labelledby="enterprise-TA0003-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098"> <a href="/versions/v13/techniques/T1098/"> Account Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1098-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1098-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1098-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1098-body" aria-labelledby="enterprise-TA0003-T1098-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098-T1098.001"> <a href="/versions/v13/techniques/T1098/001/"> Additional Cloud Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098-T1098.002"> <a href="/versions/v13/techniques/T1098/002/"> Additional Email Delegate Permissions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098-T1098.003"> <a href="/versions/v13/techniques/T1098/003/"> Additional Cloud Roles </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098-T1098.004"> <a href="/versions/v13/techniques/T1098/004/"> SSH Authorized Keys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1098-T1098.005"> <a href="/versions/v13/techniques/T1098/005/"> Device Registration </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1197"> <a href="/versions/v13/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547"> <a href="/versions/v13/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1547-body" aria-labelledby="enterprise-TA0003-T1547-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.001"> <a href="/versions/v13/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.002"> <a href="/versions/v13/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.003"> <a href="/versions/v13/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.004"> <a href="/versions/v13/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.005"> <a href="/versions/v13/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0003-T1547-T1547.006"> <a href="/versions/v13/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.007"> <a href="/versions/v13/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.008"> <a href="/versions/v13/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.009"> <a href="/versions/v13/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.010"> <a href="/versions/v13/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.012"> <a href="/versions/v13/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.013"> <a href="/versions/v13/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.014"> <a href="/versions/v13/techniques/T1547/014/"> Active Setup </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1547-T1547.015"> <a href="/versions/v13/techniques/T1547/015/"> Login Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037"> <a href="/versions/v13/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1037-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1037-body" 
aria-labelledby="enterprise-TA0003-T1037-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037-T1037.001"> <a href="/versions/v13/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037-T1037.002"> <a href="/versions/v13/techniques/T1037/002/"> Login Hook </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037-T1037.003"> <a href="/versions/v13/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037-T1037.004"> <a href="/versions/v13/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1037-T1037.005"> <a href="/versions/v13/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1176"> <a href="/versions/v13/techniques/T1176/"> Browser Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1554"> <a href="/versions/v13/techniques/T1554/"> Compromise Client Software Binary </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1136"> <a href="/versions/v13/techniques/T1136/"> Create Account </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1136-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1136-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1136-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1136-body" aria-labelledby="enterprise-TA0003-T1136-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1136-T1136.001"> <a href="/versions/v13/techniques/T1136/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1136-T1136.002"> <a 
href="/versions/v13/techniques/T1136/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1136-T1136.003"> <a href="/versions/v13/techniques/T1136/003/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1543"> <a href="/versions/v13/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1543-body" aria-labelledby="enterprise-TA0003-T1543-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1543-T1543.001"> <a href="/versions/v13/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1543-T1543.002"> <a href="/versions/v13/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1543-T1543.003"> <a href="/versions/v13/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1543-T1543.004"> <a href="/versions/v13/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546"> <a href="/versions/v13/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1546-body" aria-labelledby="enterprise-TA0003-T1546-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0003-T1546-T1546.001"> <a href="/versions/v13/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.002"> <a href="/versions/v13/techniques/T1546/002/"> Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.003"> <a href="/versions/v13/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.004"> <a href="/versions/v13/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.005"> <a href="/versions/v13/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.006"> <a href="/versions/v13/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.007"> <a href="/versions/v13/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.008"> <a href="/versions/v13/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.009"> <a href="/versions/v13/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.010"> <a href="/versions/v13/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.011"> <a href="/versions/v13/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.012"> <a 
href="/versions/v13/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.013"> <a href="/versions/v13/techniques/T1546/013/"> PowerShell Profile </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.014"> <a href="/versions/v13/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.015"> <a href="/versions/v13/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1546-T1546.016"> <a href="/versions/v13/techniques/T1546/016/"> Installer Packages </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1133"> <a href="/versions/v13/techniques/T1133/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574"> <a href="/versions/v13/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1574-body" aria-labelledby="enterprise-TA0003-T1574-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.001"> <a href="/versions/v13/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.002"> <a href="/versions/v13/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.004"> <a href="/versions/v13/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.005"> <a href="/versions/v13/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.006"> <a href="/versions/v13/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.007"> <a href="/versions/v13/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.008"> <a href="/versions/v13/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.009"> <a href="/versions/v13/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.010"> <a href="/versions/v13/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.011"> <a href="/versions/v13/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.012"> <a href="/versions/v13/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1574-T1574.013"> <a href="/versions/v13/techniques/T1574/013/"> KernelCallbackTable </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1525"> <a href="/versions/v13/techniques/T1525/"> Implant Internal Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556"> <a href="/versions/v13/techniques/T1556/"> 
Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1556-body" aria-labelledby="enterprise-TA0003-T1556-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556-T1556.001"> <a href="/versions/v13/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556-T1556.002"> <a href="/versions/v13/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556-T1556.003"> <a href="/versions/v13/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556-T1556.004"> <a href="/versions/v13/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556-T1556.005"> <a href="/versions/v13/techniques/T1556/005/"> Reversible Encryption </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556-T1556.006"> <a href="/versions/v13/techniques/T1556/006/"> Multi-Factor Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556-T1556.007"> <a href="/versions/v13/techniques/T1556/007/"> Hybrid Identity </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1556-T1556.008"> <a href="/versions/v13/techniques/T1556/008/"> Network Provider DLL </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137"> <a href="/versions/v13/techniques/T1137/"> Office Application Startup </a> <div 
class="expand-button collapsed" id="enterprise-TA0003-T1137-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1137-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1137-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1137-body" aria-labelledby="enterprise-TA0003-T1137-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137-T1137.001"> <a href="/versions/v13/techniques/T1137/001/"> Office Template Macros </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137-T1137.002"> <a href="/versions/v13/techniques/T1137/002/"> Office Test </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137-T1137.003"> <a href="/versions/v13/techniques/T1137/003/"> Outlook Forms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137-T1137.004"> <a href="/versions/v13/techniques/T1137/004/"> Outlook Home Page </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137-T1137.005"> <a href="/versions/v13/techniques/T1137/005/"> Outlook Rules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1137-T1137.006"> <a href="/versions/v13/techniques/T1137/006/"> Add-ins </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542"> <a href="/versions/v13/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1542-body" aria-labelledby="enterprise-TA0003-T1542-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542-T1542.001"> <a href="/versions/v13/techniques/T1542/001/"> System 
Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542-T1542.002"> <a href="/versions/v13/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542-T1542.003"> <a href="/versions/v13/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542-T1542.004"> <a href="/versions/v13/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1542-T1542.005"> <a href="/versions/v13/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053"> <a href="/versions/v13/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1053-body" aria-labelledby="enterprise-TA0003-T1053-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053-T1053.002"> <a href="/versions/v13/techniques/T1053/002/"> At </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053-T1053.003"> <a href="/versions/v13/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053-T1053.005"> <a href="/versions/v13/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053-T1053.006"> <a href="/versions/v13/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1053-T1053.007"> <a href="/versions/v13/techniques/T1053/007/"> Container 
Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505"> <a href="/versions/v13/techniques/T1505/"> Server Software Component </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1505-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1505-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1505-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1505-body" aria-labelledby="enterprise-TA0003-T1505-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505-T1505.001"> <a href="/versions/v13/techniques/T1505/001/"> SQL Stored Procedures </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505-T1505.002"> <a href="/versions/v13/techniques/T1505/002/"> Transport Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505-T1505.003"> <a href="/versions/v13/techniques/T1505/003/"> Web Shell </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505-T1505.004"> <a href="/versions/v13/techniques/T1505/004/"> IIS Components </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1505-T1505.005"> <a href="/versions/v13/techniques/T1505/005/"> Terminal Services DLL </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1205"> <a href="/versions/v13/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1205-body" aria-labelledby="enterprise-TA0003-T1205-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1205-T1205.001"> <a 
href="/versions/v13/techniques/T1205/001/"> Port Knocking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1205-T1205.002"> <a href="/versions/v13/techniques/T1205/002/"> Socket Filters </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1078"> <a href="/versions/v13/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0003-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0003-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0003-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0003-T1078-body" aria-labelledby="enterprise-TA0003-T1078-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1078-T1078.001"> <a href="/versions/v13/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1078-T1078.002"> <a href="/versions/v13/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1078-T1078.003"> <a href="/versions/v13/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0003-T1078-T1078.004"> <a href="/versions/v13/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004"> <a href="/versions/v13/tactics/TA0004"> Privilege Escalation </a> <div class="expand-button collapsed" id="enterprise-TA0004-header" data-toggle="collapse" data-target="#enterprise-TA0004-body" aria-expanded="false" aria-controls="#enterprise-TA0004-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-body" aria-labelledby="enterprise-TA0004-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1548"> <a 
href="/versions/v13/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1548-body" aria-labelledby="enterprise-TA0004-T1548-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1548-T1548.001"> <a href="/versions/v13/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1548-T1548.002"> <a href="/versions/v13/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1548-T1548.003"> <a href="/versions/v13/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1548-T1548.004"> <a href="/versions/v13/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134"> <a href="/versions/v13/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1134-body" aria-labelledby="enterprise-TA0004-T1134-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134-T1134.001"> <a href="/versions/v13/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134-T1134.002"> <a href="/versions/v13/techniques/T1134/002/"> Create Process with Token </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134-T1134.003"> <a href="/versions/v13/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134-T1134.004"> <a href="/versions/v13/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1134-T1134.005"> <a href="/versions/v13/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547"> <a href="/versions/v13/techniques/T1547/"> Boot or Logon Autostart Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1547-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1547-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1547-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1547-body" aria-labelledby="enterprise-TA0004-T1547-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.001"> <a href="/versions/v13/techniques/T1547/001/"> Registry Run Keys / Startup Folder </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.002"> <a href="/versions/v13/techniques/T1547/002/"> Authentication Package </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.003"> <a href="/versions/v13/techniques/T1547/003/"> Time Providers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.004"> <a href="/versions/v13/techniques/T1547/004/"> Winlogon Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.005"> <a href="/versions/v13/techniques/T1547/005/"> Security Support Provider </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0004-T1547-T1547.006"> <a href="/versions/v13/techniques/T1547/006/"> Kernel Modules and Extensions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.007"> <a href="/versions/v13/techniques/T1547/007/"> Re-opened Applications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.008"> <a href="/versions/v13/techniques/T1547/008/"> LSASS Driver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.009"> <a href="/versions/v13/techniques/T1547/009/"> Shortcut Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.010"> <a href="/versions/v13/techniques/T1547/010/"> Port Monitors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.012"> <a href="/versions/v13/techniques/T1547/012/"> Print Processors </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.013"> <a href="/versions/v13/techniques/T1547/013/"> XDG Autostart Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.014"> <a href="/versions/v13/techniques/T1547/014/"> Active Setup </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1547-T1547.015"> <a href="/versions/v13/techniques/T1547/015/"> Login Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037"> <a href="/versions/v13/techniques/T1037/"> Boot or Logon Initialization Scripts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1037-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1037-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1037-body"></div> </div> <div class="sidenav-body collapse" 
id="enterprise-TA0004-T1037-body" aria-labelledby="enterprise-TA0004-T1037-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.001"> <a href="/versions/v13/techniques/T1037/001/"> Logon Script (Windows) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.002"> <a href="/versions/v13/techniques/T1037/002/"> Login Hook </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.003"> <a href="/versions/v13/techniques/T1037/003/"> Network Logon Script </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.004"> <a href="/versions/v13/techniques/T1037/004/"> RC Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1037-T1037.005"> <a href="/versions/v13/techniques/T1037/005/"> Startup Items </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543"> <a href="/versions/v13/techniques/T1543/"> Create or Modify System Process </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1543-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1543-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1543-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1543-body" aria-labelledby="enterprise-TA0004-T1543-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543-T1543.001"> <a href="/versions/v13/techniques/T1543/001/"> Launch Agent </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543-T1543.002"> <a href="/versions/v13/techniques/T1543/002/"> Systemd Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1543-T1543.003"> <a href="/versions/v13/techniques/T1543/003/"> Windows Service </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0004-T1543-T1543.004"> <a href="/versions/v13/techniques/T1543/004/"> Launch Daemon </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484"> <a href="/versions/v13/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1484-body" aria-labelledby="enterprise-TA0004-T1484-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484-T1484.001"> <a href="/versions/v13/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1484-T1484.002"> <a href="/versions/v13/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1611"> <a href="/versions/v13/techniques/T1611/"> Escape to Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546"> <a href="/versions/v13/techniques/T1546/"> Event Triggered Execution </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1546-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1546-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1546-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1546-body" aria-labelledby="enterprise-TA0004-T1546-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.001"> <a href="/versions/v13/techniques/T1546/001/"> Change Default File Association </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.002"> <a href="/versions/v13/techniques/T1546/002/"> 
Screensaver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.003"> <a href="/versions/v13/techniques/T1546/003/"> Windows Management Instrumentation Event Subscription </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.004"> <a href="/versions/v13/techniques/T1546/004/"> Unix Shell Configuration Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.005"> <a href="/versions/v13/techniques/T1546/005/"> Trap </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.006"> <a href="/versions/v13/techniques/T1546/006/"> LC_LOAD_DYLIB Addition </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.007"> <a href="/versions/v13/techniques/T1546/007/"> Netsh Helper DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.008"> <a href="/versions/v13/techniques/T1546/008/"> Accessibility Features </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.009"> <a href="/versions/v13/techniques/T1546/009/"> AppCert DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.010"> <a href="/versions/v13/techniques/T1546/010/"> AppInit DLLs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.011"> <a href="/versions/v13/techniques/T1546/011/"> Application Shimming </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.012"> <a href="/versions/v13/techniques/T1546/012/"> Image File Execution Options Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.013"> <a href="/versions/v13/techniques/T1546/013/"> PowerShell Profile </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.014"> <a href="/versions/v13/techniques/T1546/014/"> Emond </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.015"> <a href="/versions/v13/techniques/T1546/015/"> Component Object Model Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1546-T1546.016"> <a href="/versions/v13/techniques/T1546/016/"> Installer Packages </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1068"> <a href="/versions/v13/techniques/T1068/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574"> <a href="/versions/v13/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1574-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1574-body" aria-labelledby="enterprise-TA0004-T1574-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.001"> <a href="/versions/v13/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.002"> <a href="/versions/v13/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.004"> <a href="/versions/v13/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.005"> <a href="/versions/v13/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0004-T1574-T1574.006"> <a href="/versions/v13/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.007"> <a href="/versions/v13/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.008"> <a href="/versions/v13/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.009"> <a href="/versions/v13/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.010"> <a href="/versions/v13/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.011"> <a href="/versions/v13/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.012"> <a href="/versions/v13/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1574-T1574.013"> <a href="/versions/v13/techniques/T1574/013/"> KernelCallbackTable </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055"> <a href="/versions/v13/techniques/T1055/"> Process Injection </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1055-body" aria-labelledby="enterprise-TA0004-T1055-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0004-T1055-T1055.001"> <a href="/versions/v13/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.002"> <a href="/versions/v13/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.003"> <a href="/versions/v13/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.004"> <a href="/versions/v13/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.005"> <a href="/versions/v13/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.008"> <a href="/versions/v13/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.009"> <a href="/versions/v13/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.011"> <a href="/versions/v13/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.012"> <a href="/versions/v13/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.013"> <a href="/versions/v13/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.014"> <a href="/versions/v13/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1055-T1055.015"> 
<a href="/versions/v13/techniques/T1055/015/"> ListPlanting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053"> <a href="/versions/v13/techniques/T1053/"> Scheduled Task/Job </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1053-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1053-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1053-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1053-body" aria-labelledby="enterprise-TA0004-T1053-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.002"> <a href="/versions/v13/techniques/T1053/002/"> At </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.003"> <a href="/versions/v13/techniques/T1053/003/"> Cron </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.005"> <a href="/versions/v13/techniques/T1053/005/"> Scheduled Task </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.006"> <a href="/versions/v13/techniques/T1053/006/"> Systemd Timers </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1053-T1053.007"> <a href="/versions/v13/techniques/T1053/007/"> Container Orchestration Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078"> <a href="/versions/v13/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0004-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0004-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0004-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0004-T1078-body" aria-labelledby="enterprise-TA0004-T1078-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0004-T1078-T1078.001"> <a href="/versions/v13/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078-T1078.002"> <a href="/versions/v13/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078-T1078.003"> <a href="/versions/v13/techniques/T1078/003/"> Local Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0004-T1078-T1078.004"> <a href="/versions/v13/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005"> <a href="/versions/v13/tactics/TA0005"> Defense Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-header" data-toggle="collapse" data-target="#enterprise-TA0005-body" aria-expanded="false" aria-controls="#enterprise-TA0005-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-body" aria-labelledby="enterprise-TA0005-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548"> <a href="/versions/v13/techniques/T1548/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1548-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1548-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1548-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1548-body" aria-labelledby="enterprise-TA0005-T1548-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548-T1548.001"> <a href="/versions/v13/techniques/T1548/001/"> Setuid and Setgid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548-T1548.002"> <a href="/versions/v13/techniques/T1548/002/"> Bypass User Account Control </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0005-T1548-T1548.003"> <a href="/versions/v13/techniques/T1548/003/"> Sudo and Sudo Caching </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1548-T1548.004"> <a href="/versions/v13/techniques/T1548/004/"> Elevated Execution with Prompt </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134"> <a href="/versions/v13/techniques/T1134/"> Access Token Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1134-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1134-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1134-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1134-body" aria-labelledby="enterprise-TA0005-T1134-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.001"> <a href="/versions/v13/techniques/T1134/001/"> Token Impersonation/Theft </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.002"> <a href="/versions/v13/techniques/T1134/002/"> Create Process with Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.003"> <a href="/versions/v13/techniques/T1134/003/"> Make and Impersonate Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.004"> <a href="/versions/v13/techniques/T1134/004/"> Parent PID Spoofing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1134-T1134.005"> <a href="/versions/v13/techniques/T1134/005/"> SID-History Injection </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1197"> <a href="/versions/v13/techniques/T1197/"> BITS Jobs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1612"> <a 
href="/versions/v13/techniques/T1612/"> Build Image on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1622"> <a href="/versions/v13/techniques/T1622/"> Debugger Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1140"> <a href="/versions/v13/techniques/T1140/"> Deobfuscate/Decode Files or Information </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1610"> <a href="/versions/v13/techniques/T1610/"> Deploy Container </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1006"> <a href="/versions/v13/techniques/T1006/"> Direct Volume Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484"> <a href="/versions/v13/techniques/T1484/"> Domain Policy Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1484-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1484-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1484-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1484-body" aria-labelledby="enterprise-TA0005-T1484-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484-T1484.001"> <a href="/versions/v13/techniques/T1484/001/"> Group Policy Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1484-T1484.002"> <a href="/versions/v13/techniques/T1484/002/"> Domain Trust Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480"> <a href="/versions/v13/techniques/T1480/"> Execution Guardrails </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1480-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1480-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1480-body"></div> </div> <div 
class="sidenav-body collapse" id="enterprise-TA0005-T1480-body" aria-labelledby="enterprise-TA0005-T1480-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1480-T1480.001"> <a href="/versions/v13/techniques/T1480/001/"> Environmental Keying </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1211"> <a href="/versions/v13/techniques/T1211/"> Exploitation for Defense Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222"> <a href="/versions/v13/techniques/T1222/"> File and Directory Permissions Modification </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1222-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1222-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1222-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1222-body" aria-labelledby="enterprise-TA0005-T1222-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222-T1222.001"> <a href="/versions/v13/techniques/T1222/001/"> Windows File and Directory Permissions Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1222-T1222.002"> <a href="/versions/v13/techniques/T1222/002/"> Linux and Mac File and Directory Permissions Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564"> <a href="/versions/v13/techniques/T1564/"> Hide Artifacts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1564-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1564-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1564-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1564-body" aria-labelledby="enterprise-TA0005-T1564-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.001"> <a 
href="/versions/v13/techniques/T1564/001/"> Hidden Files and Directories </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.002"> <a href="/versions/v13/techniques/T1564/002/"> Hidden Users </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.003"> <a href="/versions/v13/techniques/T1564/003/"> Hidden Window </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.004"> <a href="/versions/v13/techniques/T1564/004/"> NTFS File Attributes </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.005"> <a href="/versions/v13/techniques/T1564/005/"> Hidden File System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.006"> <a href="/versions/v13/techniques/T1564/006/"> Run Virtual Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.007"> <a href="/versions/v13/techniques/T1564/007/"> VBA Stomping </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.008"> <a href="/versions/v13/techniques/T1564/008/"> Email Hiding Rules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.009"> <a href="/versions/v13/techniques/T1564/009/"> Resource Forking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1564-T1564.010"> <a href="/versions/v13/techniques/T1564/010/"> Process Argument Spoofing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574"> <a href="/versions/v13/techniques/T1574/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1574-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1574-body" aria-expanded="false" 
aria-controls="#enterprise-TA0005-T1574-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1574-body" aria-labelledby="enterprise-TA0005-T1574-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.001"> <a href="/versions/v13/techniques/T1574/001/"> DLL Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.002"> <a href="/versions/v13/techniques/T1574/002/"> DLL Side-Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.004"> <a href="/versions/v13/techniques/T1574/004/"> Dylib Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.005"> <a href="/versions/v13/techniques/T1574/005/"> Executable Installer File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.006"> <a href="/versions/v13/techniques/T1574/006/"> Dynamic Linker Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.007"> <a href="/versions/v13/techniques/T1574/007/"> Path Interception by PATH Environment Variable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.008"> <a href="/versions/v13/techniques/T1574/008/"> Path Interception by Search Order Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.009"> <a href="/versions/v13/techniques/T1574/009/"> Path Interception by Unquoted Path </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.010"> <a href="/versions/v13/techniques/T1574/010/"> Services File Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.011"> <a 
href="/versions/v13/techniques/T1574/011/"> Services Registry Permissions Weakness </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.012"> <a href="/versions/v13/techniques/T1574/012/"> COR_PROFILER </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1574-T1574.013"> <a href="/versions/v13/techniques/T1574/013/"> KernelCallbackTable </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562"> <a href="/versions/v13/techniques/T1562/"> Impair Defenses </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1562-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1562-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1562-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1562-body" aria-labelledby="enterprise-TA0005-T1562-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562-T1562.001"> <a href="/versions/v13/techniques/T1562/001/"> Disable or Modify Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562-T1562.002"> <a href="/versions/v13/techniques/T1562/002/"> Disable Windows Event Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562-T1562.003"> <a href="/versions/v13/techniques/T1562/003/"> Impair Command History Logging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562-T1562.004"> <a href="/versions/v13/techniques/T1562/004/"> Disable or Modify System Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562-T1562.006"> <a href="/versions/v13/techniques/T1562/006/"> Indicator Blocking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562-T1562.007"> <a href="/versions/v13/techniques/T1562/007/"> Disable 
or Modify Cloud Firewall </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562-T1562.008"> <a href="/versions/v13/techniques/T1562/008/"> Disable Cloud Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562-T1562.009"> <a href="/versions/v13/techniques/T1562/009/"> Safe Mode Boot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562-T1562.010"> <a href="/versions/v13/techniques/T1562/010/"> Downgrade Attack </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1562-T1562.011"> <a href="/versions/v13/techniques/T1562/011/"> Spoof Security Alerting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070"> <a href="/versions/v13/techniques/T1070/"> Indicator Removal </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1070-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1070-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1070-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1070-body" aria-labelledby="enterprise-TA0005-T1070-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070-T1070.001"> <a href="/versions/v13/techniques/T1070/001/"> Clear Windows Event Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070-T1070.002"> <a href="/versions/v13/techniques/T1070/002/"> Clear Linux or Mac System Logs </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070-T1070.003"> <a href="/versions/v13/techniques/T1070/003/"> Clear Command History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070-T1070.004"> <a href="/versions/v13/techniques/T1070/004/"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0005-T1070-T1070.005"> <a href="/versions/v13/techniques/T1070/005/"> Network Share Connection Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070-T1070.006"> <a href="/versions/v13/techniques/T1070/006/"> Timestomp </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070-T1070.007"> <a href="/versions/v13/techniques/T1070/007/"> Clear Network Connection History and Configurations </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070-T1070.008"> <a href="/versions/v13/techniques/T1070/008/"> Clear Mailbox Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1070-T1070.009"> <a href="/versions/v13/techniques/T1070/009/"> Clear Persistence </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1202"> <a href="/versions/v13/techniques/T1202/"> Indirect Command Execution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036"> <a href="/versions/v13/techniques/T1036/"> Masquerading </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1036-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1036-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1036-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1036-body" aria-labelledby="enterprise-TA0005-T1036-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036-T1036.001"> <a href="/versions/v13/techniques/T1036/001/"> Invalid Code Signature </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036-T1036.002"> <a href="/versions/v13/techniques/T1036/002/"> Right-to-Left Override </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036-T1036.003"> <a 
href="/versions/v13/techniques/T1036/003/"> Rename System Utilities </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036-T1036.004"> <a href="/versions/v13/techniques/T1036/004/"> Masquerade Task or Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036-T1036.005"> <a href="/versions/v13/techniques/T1036/005/"> Match Legitimate Name or Location </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036-T1036.006"> <a href="/versions/v13/techniques/T1036/006/"> Space after Filename </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036-T1036.007"> <a href="/versions/v13/techniques/T1036/007/"> Double File Extension </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1036-T1036.008"> <a href="/versions/v13/techniques/T1036/008/"> Masquerade File Type </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556"> <a href="/versions/v13/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1556-body" aria-labelledby="enterprise-TA0005-T1556-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556-T1556.001"> <a href="/versions/v13/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556-T1556.002"> <a href="/versions/v13/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556-T1556.003"> <a href="/versions/v13/techniques/T1556/003/"> 
Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556-T1556.004"> <a href="/versions/v13/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556-T1556.005"> <a href="/versions/v13/techniques/T1556/005/"> Reversible Encryption </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556-T1556.006"> <a href="/versions/v13/techniques/T1556/006/"> Multi-Factor Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556-T1556.007"> <a href="/versions/v13/techniques/T1556/007/"> Hybrid Identity </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1556-T1556.008"> <a href="/versions/v13/techniques/T1556/008/"> Network Provider DLL </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1578"> <a href="/versions/v13/techniques/T1578/"> Modify Cloud Compute Infrastructure </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1578-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1578-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1578-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1578-body" aria-labelledby="enterprise-TA0005-T1578-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1578-T1578.001"> <a href="/versions/v13/techniques/T1578/001/"> Create Snapshot </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1578-T1578.002"> <a href="/versions/v13/techniques/T1578/002/"> Create Cloud Instance </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1578-T1578.003"> <a href="/versions/v13/techniques/T1578/003/"> Delete Cloud Instance </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1578-T1578.004"> <a href="/versions/v13/techniques/T1578/004/"> Revert Cloud Instance </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1112"> <a href="/versions/v13/techniques/T1112/"> Modify Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1601"> <a href="/versions/v13/techniques/T1601/"> Modify System Image </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1601-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1601-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1601-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1601-body" aria-labelledby="enterprise-TA0005-T1601-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1601-T1601.001"> <a href="/versions/v13/techniques/T1601/001/"> Patch System Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1601-T1601.002"> <a href="/versions/v13/techniques/T1601/002/"> Downgrade System Image </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1599"> <a href="/versions/v13/techniques/T1599/"> Network Boundary Bridging </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1599-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1599-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1599-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1599-body" aria-labelledby="enterprise-TA0005-T1599-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1599-T1599.001"> <a href="/versions/v13/techniques/T1599/001/"> Network Address Translation Traversal </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027"> <a 
href="/versions/v13/techniques/T1027/"> Obfuscated Files or Information </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1027-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1027-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1027-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1027-body" aria-labelledby="enterprise-TA0005-T1027-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027-T1027.001"> <a href="/versions/v13/techniques/T1027/001/"> Binary Padding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027-T1027.002"> <a href="/versions/v13/techniques/T1027/002/"> Software Packing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027-T1027.003"> <a href="/versions/v13/techniques/T1027/003/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027-T1027.004"> <a href="/versions/v13/techniques/T1027/004/"> Compile After Delivery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027-T1027.005"> <a href="/versions/v13/techniques/T1027/005/"> Indicator Removal from Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027-T1027.006"> <a href="/versions/v13/techniques/T1027/006/"> HTML Smuggling </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027-T1027.007"> <a href="/versions/v13/techniques/T1027/007/"> Dynamic API Resolution </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027-T1027.008"> <a href="/versions/v13/techniques/T1027/008/"> Stripped Payloads </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027-T1027.009"> <a href="/versions/v13/techniques/T1027/009/"> Embedded Payloads </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027-T1027.010"> <a href="/versions/v13/techniques/T1027/010/"> Command Obfuscation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1027-T1027.011"> <a href="/versions/v13/techniques/T1027/011/"> Fileless Storage </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1647"> <a href="/versions/v13/techniques/T1647/"> Plist File Modification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542"> <a href="/versions/v13/techniques/T1542/"> Pre-OS Boot </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1542-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1542-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1542-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1542-body" aria-labelledby="enterprise-TA0005-T1542-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542-T1542.001"> <a href="/versions/v13/techniques/T1542/001/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542-T1542.002"> <a href="/versions/v13/techniques/T1542/002/"> Component Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542-T1542.003"> <a href="/versions/v13/techniques/T1542/003/"> Bootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542-T1542.004"> <a href="/versions/v13/techniques/T1542/004/"> ROMMONkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1542-T1542.005"> <a href="/versions/v13/techniques/T1542/005/"> TFTP Boot </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055"> <a href="/versions/v13/techniques/T1055/"> Process Injection </a> 
<div class="expand-button collapsed" id="enterprise-TA0005-T1055-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1055-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1055-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1055-body" aria-labelledby="enterprise-TA0005-T1055-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055-T1055.001"> <a href="/versions/v13/techniques/T1055/001/"> Dynamic-link Library Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055-T1055.002"> <a href="/versions/v13/techniques/T1055/002/"> Portable Executable Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055-T1055.003"> <a href="/versions/v13/techniques/T1055/003/"> Thread Execution Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055-T1055.004"> <a href="/versions/v13/techniques/T1055/004/"> Asynchronous Procedure Call </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055-T1055.005"> <a href="/versions/v13/techniques/T1055/005/"> Thread Local Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055-T1055.008"> <a href="/versions/v13/techniques/T1055/008/"> Ptrace System Calls </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055-T1055.009"> <a href="/versions/v13/techniques/T1055/009/"> Proc Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055-T1055.011"> <a href="/versions/v13/techniques/T1055/011/"> Extra Window Memory Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055-T1055.012"> <a href="/versions/v13/techniques/T1055/012/"> Process Hollowing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head 
" id="enterprise-TA0005-T1055-T1055.013"> <a href="/versions/v13/techniques/T1055/013/"> Process Doppelgänging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055-T1055.014"> <a href="/versions/v13/techniques/T1055/014/"> VDSO Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1055-T1055.015"> <a href="/versions/v13/techniques/T1055/015/"> ListPlanting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1620"> <a href="/versions/v13/techniques/T1620/"> Reflective Code Loading </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1207"> <a href="/versions/v13/techniques/T1207/"> Rogue Domain Controller </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1014"> <a href="/versions/v13/techniques/T1014/"> Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553"> <a href="/versions/v13/techniques/T1553/"> Subvert Trust Controls </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1553-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1553-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1553-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1553-body" aria-labelledby="enterprise-TA0005-T1553-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553-T1553.001"> <a href="/versions/v13/techniques/T1553/001/"> Gatekeeper Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553-T1553.002"> <a href="/versions/v13/techniques/T1553/002/"> Code Signing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553-T1553.003"> <a href="/versions/v13/techniques/T1553/003/"> SIP and Trust Provider Hijacking </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553-T1553.004"> <a href="/versions/v13/techniques/T1553/004/"> Install Root Certificate </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553-T1553.005"> <a href="/versions/v13/techniques/T1553/005/"> Mark-of-the-Web Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1553-T1553.006"> <a href="/versions/v13/techniques/T1553/006/"> Code Signing Policy Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218"> <a href="/versions/v13/techniques/T1218/"> System Binary Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1218-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1218-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1218-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1218-body" aria-labelledby="enterprise-TA0005-T1218-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.001"> <a href="/versions/v13/techniques/T1218/001/"> Compiled HTML File </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.002"> <a href="/versions/v13/techniques/T1218/002/"> Control Panel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.003"> <a href="/versions/v13/techniques/T1218/003/"> CMSTP </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.004"> <a href="/versions/v13/techniques/T1218/004/"> InstallUtil </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.005"> <a href="/versions/v13/techniques/T1218/005/"> Mshta </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.007"> <a 
href="/versions/v13/techniques/T1218/007/"> Msiexec </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.008"> <a href="/versions/v13/techniques/T1218/008/"> Odbcconf </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.009"> <a href="/versions/v13/techniques/T1218/009/"> Regsvcs/Regasm </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.010"> <a href="/versions/v13/techniques/T1218/010/"> Regsvr32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.011"> <a href="/versions/v13/techniques/T1218/011/"> Rundll32 </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.012"> <a href="/versions/v13/techniques/T1218/012/"> Verclsid </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.013"> <a href="/versions/v13/techniques/T1218/013/"> Mavinject </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1218-T1218.014"> <a href="/versions/v13/techniques/T1218/014/"> MMC </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1216"> <a href="/versions/v13/techniques/T1216/"> System Script Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1216-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1216-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1216-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1216-body" aria-labelledby="enterprise-TA0005-T1216-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1216-T1216.001"> <a href="/versions/v13/techniques/T1216/001/"> PubPrn </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1221"> <a 
href="/versions/v13/techniques/T1221/"> Template Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1205"> <a href="/versions/v13/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1205-body" aria-labelledby="enterprise-TA0005-T1205-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1205-T1205.001"> <a href="/versions/v13/techniques/T1205/001/"> Port Knocking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1205-T1205.002"> <a href="/versions/v13/techniques/T1205/002/"> Socket Filters </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1127"> <a href="/versions/v13/techniques/T1127/"> Trusted Developer Utilities Proxy Execution </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1127-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1127-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1127-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1127-body" aria-labelledby="enterprise-TA0005-T1127-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1127-T1127.001"> <a href="/versions/v13/techniques/T1127/001/"> MSBuild </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1535"> <a href="/versions/v13/techniques/T1535/"> Unused/Unsupported Cloud Regions </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1550"> <a href="/versions/v13/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" 
id="enterprise-TA0005-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1550-body" aria-labelledby="enterprise-TA0005-T1550-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1550-T1550.001"> <a href="/versions/v13/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1550-T1550.002"> <a href="/versions/v13/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1550-T1550.003"> <a href="/versions/v13/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1550-T1550.004"> <a href="/versions/v13/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1078"> <a href="/versions/v13/techniques/T1078/"> Valid Accounts </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1078-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1078-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1078-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1078-body" aria-labelledby="enterprise-TA0005-T1078-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1078-T1078.001"> <a href="/versions/v13/techniques/T1078/001/"> Default Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1078-T1078.002"> <a href="/versions/v13/techniques/T1078/002/"> Domain Accounts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1078-T1078.003"> <a href="/versions/v13/techniques/T1078/003/"> Local Accounts </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1078-T1078.004"> <a href="/versions/v13/techniques/T1078/004/"> Cloud Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1497"> <a href="/versions/v13/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1497-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1497-body" aria-labelledby="enterprise-TA0005-T1497-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1497-T1497.001"> <a href="/versions/v13/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1497-T1497.002"> <a href="/versions/v13/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1497-T1497.003"> <a href="/versions/v13/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1600"> <a href="/versions/v13/techniques/T1600/"> Weaken Encryption </a> <div class="expand-button collapsed" id="enterprise-TA0005-T1600-header" data-toggle="collapse" data-target="#enterprise-TA0005-T1600-body" aria-expanded="false" aria-controls="#enterprise-TA0005-T1600-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0005-T1600-body" aria-labelledby="enterprise-TA0005-T1600-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1600-T1600.001"> <a href="/versions/v13/techniques/T1600/001/"> Reduce Key Space </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1600-T1600.002"> <a 
href="/versions/v13/techniques/T1600/002/"> Disable Crypto Hardware </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0005-T1220"> <a href="/versions/v13/techniques/T1220/"> XSL Script Processing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006"> <a href="/versions/v13/tactics/TA0006"> Credential Access </a> <div class="expand-button collapsed" id="enterprise-TA0006-header" data-toggle="collapse" data-target="#enterprise-TA0006-body" aria-expanded="false" aria-controls="#enterprise-TA0006-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-body" aria-labelledby="enterprise-TA0006-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1557"> <a href="/versions/v13/techniques/T1557/"> Adversary-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1557-body" aria-labelledby="enterprise-TA0006-T1557-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1557-T1557.001"> <a href="/versions/v13/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1557-T1557.002"> <a href="/versions/v13/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1557-T1557.003"> <a href="/versions/v13/techniques/T1557/003/"> DHCP Spoofing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1110"> <a href="/versions/v13/techniques/T1110/"> Brute Force </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1110-header" 
data-toggle="collapse" data-target="#enterprise-TA0006-T1110-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1110-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1110-body" aria-labelledby="enterprise-TA0006-T1110-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1110-T1110.001"> <a href="/versions/v13/techniques/T1110/001/"> Password Guessing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1110-T1110.002"> <a href="/versions/v13/techniques/T1110/002/"> Password Cracking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1110-T1110.003"> <a href="/versions/v13/techniques/T1110/003/"> Password Spraying </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1110-T1110.004"> <a href="/versions/v13/techniques/T1110/004/"> Credential Stuffing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555"> <a href="/versions/v13/techniques/T1555/"> Credentials from Password Stores </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1555-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1555-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1555-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1555-body" aria-labelledby="enterprise-TA0006-T1555-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555-T1555.001"> <a href="/versions/v13/techniques/T1555/001/"> Keychain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555-T1555.002"> <a href="/versions/v13/techniques/T1555/002/"> Securityd Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555-T1555.003"> <a href="/versions/v13/techniques/T1555/003/"> Credentials from Web Browsers </a> </div> </div> 
<div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555-T1555.004"> <a href="/versions/v13/techniques/T1555/004/"> Windows Credential Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1555-T1555.005"> <a href="/versions/v13/techniques/T1555/005/"> Password Managers </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1212"> <a href="/versions/v13/techniques/T1212/"> Exploitation for Credential Access </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1187"> <a href="/versions/v13/techniques/T1187/"> Forced Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1606"> <a href="/versions/v13/techniques/T1606/"> Forge Web Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1606-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1606-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1606-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1606-body" aria-labelledby="enterprise-TA0006-T1606-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1606-T1606.001"> <a href="/versions/v13/techniques/T1606/001/"> Web Cookies </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1606-T1606.002"> <a href="/versions/v13/techniques/T1606/002/"> SAML Tokens </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1056"> <a href="/versions/v13/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1056-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1056-body" 
aria-labelledby="enterprise-TA0006-T1056-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1056-T1056.001"> <a href="/versions/v13/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1056-T1056.002"> <a href="/versions/v13/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1056-T1056.003"> <a href="/versions/v13/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1056-T1056.004"> <a href="/versions/v13/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556"> <a href="/versions/v13/techniques/T1556/"> Modify Authentication Process </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1556-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1556-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1556-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1556-body" aria-labelledby="enterprise-TA0006-T1556-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556-T1556.001"> <a href="/versions/v13/techniques/T1556/001/"> Domain Controller Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556-T1556.002"> <a href="/versions/v13/techniques/T1556/002/"> Password Filter DLL </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556-T1556.003"> <a href="/versions/v13/techniques/T1556/003/"> Pluggable Authentication Modules </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556-T1556.004"> <a href="/versions/v13/techniques/T1556/004/"> Network Device Authentication </a> </div> </div> <div 
class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556-T1556.005"> <a href="/versions/v13/techniques/T1556/005/"> Reversible Encryption </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556-T1556.006"> <a href="/versions/v13/techniques/T1556/006/"> Multi-Factor Authentication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556-T1556.007"> <a href="/versions/v13/techniques/T1556/007/"> Hybrid Identity </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1556-T1556.008"> <a href="/versions/v13/techniques/T1556/008/"> Network Provider DLL </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1111"> <a href="/versions/v13/techniques/T1111/"> Multi-Factor Authentication Interception </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1621"> <a href="/versions/v13/techniques/T1621/"> Multi-Factor Authentication Request Generation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1040"> <a href="/versions/v13/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003"> <a href="/versions/v13/techniques/T1003/"> OS Credential Dumping </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1003-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1003-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1003-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1003-body" aria-labelledby="enterprise-TA0006-T1003-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.001"> <a href="/versions/v13/techniques/T1003/001/"> LSASS Memory </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.002"> <a 
href="/versions/v13/techniques/T1003/002/"> Security Account Manager </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.003"> <a href="/versions/v13/techniques/T1003/003/"> NTDS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.004"> <a href="/versions/v13/techniques/T1003/004/"> LSA Secrets </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.005"> <a href="/versions/v13/techniques/T1003/005/"> Cached Domain Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.006"> <a href="/versions/v13/techniques/T1003/006/"> DCSync </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.007"> <a href="/versions/v13/techniques/T1003/007/"> Proc Filesystem </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1003-T1003.008"> <a href="/versions/v13/techniques/T1003/008/"> /etc/passwd and /etc/shadow </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1528"> <a href="/versions/v13/techniques/T1528/"> Steal Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1649"> <a href="/versions/v13/techniques/T1649/"> Steal or Forge Authentication Certificates </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558"> <a href="/versions/v13/techniques/T1558/"> Steal or Forge Kerberos Tickets </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1558-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1558-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1558-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1558-body" aria-labelledby="enterprise-TA0006-T1558-header"> <div 
class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.001"> <a href="/versions/v13/techniques/T1558/001/"> Golden Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.002"> <a href="/versions/v13/techniques/T1558/002/"> Silver Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.003"> <a href="/versions/v13/techniques/T1558/003/"> Kerberoasting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1558-T1558.004"> <a href="/versions/v13/techniques/T1558/004/"> AS-REP Roasting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1539"> <a href="/versions/v13/techniques/T1539/"> Steal Web Session Cookie </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552"> <a href="/versions/v13/techniques/T1552/"> Unsecured Credentials </a> <div class="expand-button collapsed" id="enterprise-TA0006-T1552-header" data-toggle="collapse" data-target="#enterprise-TA0006-T1552-body" aria-expanded="false" aria-controls="#enterprise-TA0006-T1552-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0006-T1552-body" aria-labelledby="enterprise-TA0006-T1552-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.001"> <a href="/versions/v13/techniques/T1552/001/"> Credentials In Files </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.002"> <a href="/versions/v13/techniques/T1552/002/"> Credentials in Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.003"> <a href="/versions/v13/techniques/T1552/003/"> Bash History </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.004"> <a 
href="/versions/v13/techniques/T1552/004/"> Private Keys </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.005"> <a href="/versions/v13/techniques/T1552/005/"> Cloud Instance Metadata API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.006"> <a href="/versions/v13/techniques/T1552/006/"> Group Policy Preferences </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.007"> <a href="/versions/v13/techniques/T1552/007/"> Container API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0006-T1552-T1552.008"> <a href="/versions/v13/techniques/T1552/008/"> Chat Messages </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007"> <a href="/versions/v13/tactics/TA0007"> Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-header" data-toggle="collapse" data-target="#enterprise-TA0007-body" aria-expanded="false" aria-controls="#enterprise-TA0007-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-body" aria-labelledby="enterprise-TA0007-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087"> <a href="/versions/v13/techniques/T1087/"> Account Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1087-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1087-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1087-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1087-body" aria-labelledby="enterprise-TA0007-T1087-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.001"> <a href="/versions/v13/techniques/T1087/001/"> Local Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.002"> <a 
href="/versions/v13/techniques/T1087/002/"> Domain Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.003"> <a href="/versions/v13/techniques/T1087/003/"> Email Account </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1087-T1087.004"> <a href="/versions/v13/techniques/T1087/004/"> Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1010"> <a href="/versions/v13/techniques/T1010/"> Application Window Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1217"> <a href="/versions/v13/techniques/T1217/"> Browser Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1580"> <a href="/versions/v13/techniques/T1580/"> Cloud Infrastructure Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1538"> <a href="/versions/v13/techniques/T1538/"> Cloud Service Dashboard </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1526"> <a href="/versions/v13/techniques/T1526/"> Cloud Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1619"> <a href="/versions/v13/techniques/T1619/"> Cloud Storage Object Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1613"> <a href="/versions/v13/techniques/T1613/"> Container and Resource Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1622"> <a href="/versions/v13/techniques/T1622/"> Debugger Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1652"> <a href="/versions/v13/techniques/T1652/"> Device Driver Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0007-T1482"> <a href="/versions/v13/techniques/T1482/"> Domain Trust Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1083"> <a href="/versions/v13/techniques/T1083/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1615"> <a href="/versions/v13/techniques/T1615/"> Group Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1046"> <a href="/versions/v13/techniques/T1046/"> Network Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1135"> <a href="/versions/v13/techniques/T1135/"> Network Share Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1040"> <a href="/versions/v13/techniques/T1040/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1201"> <a href="/versions/v13/techniques/T1201/"> Password Policy Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1120"> <a href="/versions/v13/techniques/T1120/"> Peripheral Device Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069"> <a href="/versions/v13/techniques/T1069/"> Permission Groups Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1069-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1069-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1069-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1069-body" aria-labelledby="enterprise-TA0007-T1069-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069-T1069.001"> <a href="/versions/v13/techniques/T1069/001/"> Local Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0007-T1069-T1069.002"> <a href="/versions/v13/techniques/T1069/002/"> Domain Groups </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1069-T1069.003"> <a href="/versions/v13/techniques/T1069/003/"> Cloud Groups </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1057"> <a href="/versions/v13/techniques/T1057/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1012"> <a href="/versions/v13/techniques/T1012/"> Query Registry </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1018"> <a href="/versions/v13/techniques/T1018/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518"> <a href="/versions/v13/techniques/T1518/"> Software Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1518-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1518-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1518-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1518-body" aria-labelledby="enterprise-TA0007-T1518-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1518-T1518.001"> <a href="/versions/v13/techniques/T1518/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1082"> <a href="/versions/v13/techniques/T1082/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1614"> <a href="/versions/v13/techniques/T1614/"> System Location Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1614-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1614-body" aria-expanded="false" 
aria-controls="#enterprise-TA0007-T1614-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1614-body" aria-labelledby="enterprise-TA0007-T1614-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1614-T1614.001"> <a href="/versions/v13/techniques/T1614/001/"> System Language Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016"> <a href="/versions/v13/techniques/T1016/"> System Network Configuration Discovery </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1016-header" data-toggle="collapse" data-target="#enterprise-TA0007-T1016-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1016-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1016-body" aria-labelledby="enterprise-TA0007-T1016-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1016-T1016.001"> <a href="/versions/v13/techniques/T1016/001/"> Internet Connection Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1049"> <a href="/versions/v13/techniques/T1049/"> System Network Connections Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1033"> <a href="/versions/v13/techniques/T1033/"> System Owner/User Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1007"> <a href="/versions/v13/techniques/T1007/"> System Service Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1124"> <a href="/versions/v13/techniques/T1124/"> System Time Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497"> <a href="/versions/v13/techniques/T1497/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="enterprise-TA0007-T1497-header" 
data-toggle="collapse" data-target="#enterprise-TA0007-T1497-body" aria-expanded="false" aria-controls="#enterprise-TA0007-T1497-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0007-T1497-body" aria-labelledby="enterprise-TA0007-T1497-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497-T1497.001"> <a href="/versions/v13/techniques/T1497/001/"> System Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497-T1497.002"> <a href="/versions/v13/techniques/T1497/002/"> User Activity Based Checks </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0007-T1497-T1497.003"> <a href="/versions/v13/techniques/T1497/003/"> Time Based Evasion </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008"> <a href="/versions/v13/tactics/TA0008"> Lateral Movement </a> <div class="expand-button collapsed" id="enterprise-TA0008-header" data-toggle="collapse" data-target="#enterprise-TA0008-body" aria-expanded="false" aria-controls="#enterprise-TA0008-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-body" aria-labelledby="enterprise-TA0008-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1210"> <a href="/versions/v13/techniques/T1210/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1534"> <a href="/versions/v13/techniques/T1534/"> Internal Spearphishing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1570"> <a href="/versions/v13/techniques/T1570/"> Lateral Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563"> <a href="/versions/v13/techniques/T1563/"> Remote Service Session Hijacking </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1563-header" 
data-toggle="collapse" data-target="#enterprise-TA0008-T1563-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1563-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1563-body" aria-labelledby="enterprise-TA0008-T1563-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563-T1563.001"> <a href="/versions/v13/techniques/T1563/001/"> SSH Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1563-T1563.002"> <a href="/versions/v13/techniques/T1563/002/"> RDP Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021"> <a href="/versions/v13/techniques/T1021/"> Remote Services </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1021-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1021-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1021-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1021-body" aria-labelledby="enterprise-TA0008-T1021-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.001"> <a href="/versions/v13/techniques/T1021/001/"> Remote Desktop Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.002"> <a href="/versions/v13/techniques/T1021/002/"> SMB/Windows Admin Shares </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.003"> <a href="/versions/v13/techniques/T1021/003/"> Distributed Component Object Model </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.004"> <a href="/versions/v13/techniques/T1021/004/"> SSH </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.005"> <a href="/versions/v13/techniques/T1021/005/"> VNC </a> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0008-T1021-T1021.006"> <a href="/versions/v13/techniques/T1021/006/"> Windows Remote Management </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1021-T1021.007"> <a href="/versions/v13/techniques/T1021/007/"> Cloud Services </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1091"> <a href="/versions/v13/techniques/T1091/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1072"> <a href="/versions/v13/techniques/T1072/"> Software Deployment Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1080"> <a href="/versions/v13/techniques/T1080/"> Taint Shared Content </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550"> <a href="/versions/v13/techniques/T1550/"> Use Alternate Authentication Material </a> <div class="expand-button collapsed" id="enterprise-TA0008-T1550-header" data-toggle="collapse" data-target="#enterprise-TA0008-T1550-body" aria-expanded="false" aria-controls="#enterprise-TA0008-T1550-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0008-T1550-body" aria-labelledby="enterprise-TA0008-T1550-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.001"> <a href="/versions/v13/techniques/T1550/001/"> Application Access Token </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.002"> <a href="/versions/v13/techniques/T1550/002/"> Pass the Hash </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.003"> <a href="/versions/v13/techniques/T1550/003/"> Pass the Ticket </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0008-T1550-T1550.004"> <a 
href="/versions/v13/techniques/T1550/004/"> Web Session Cookie </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009"> <a href="/versions/v13/tactics/TA0009"> Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-header" data-toggle="collapse" data-target="#enterprise-TA0009-body" aria-expanded="false" aria-controls="#enterprise-TA0009-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-body" aria-labelledby="enterprise-TA0009-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557"> <a href="/versions/v13/techniques/T1557/"> Adversary-in-the-Middle </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1557-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1557-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1557-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1557-body" aria-labelledby="enterprise-TA0009-T1557-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557-T1557.001"> <a href="/versions/v13/techniques/T1557/001/"> LLMNR/NBT-NS Poisoning and SMB Relay </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557-T1557.002"> <a href="/versions/v13/techniques/T1557/002/"> ARP Cache Poisoning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1557-T1557.003"> <a href="/versions/v13/techniques/T1557/003/"> DHCP Spoofing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560"> <a href="/versions/v13/techniques/T1560/"> Archive Collected Data </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1560-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1560-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1560-body"></div> </div> <div class="sidenav-body collapse" 
id="enterprise-TA0009-T1560-body" aria-labelledby="enterprise-TA0009-T1560-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560-T1560.001"> <a href="/versions/v13/techniques/T1560/001/"> Archive via Utility </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560-T1560.002"> <a href="/versions/v13/techniques/T1560/002/"> Archive via Library </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1560-T1560.003"> <a href="/versions/v13/techniques/T1560/003/"> Archive via Custom Method </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1123"> <a href="/versions/v13/techniques/T1123/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1119"> <a href="/versions/v13/techniques/T1119/"> Automated Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1185"> <a href="/versions/v13/techniques/T1185/"> Browser Session Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1115"> <a href="/versions/v13/techniques/T1115/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1530"> <a href="/versions/v13/techniques/T1530/"> Data from Cloud Storage </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602"> <a href="/versions/v13/techniques/T1602/"> Data from Configuration Repository </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1602-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1602-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1602-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1602-body" aria-labelledby="enterprise-TA0009-T1602-header"> <div class="sidenav"> <div class="sidenav-head " 
id="enterprise-TA0009-T1602-T1602.001"> <a href="/versions/v13/techniques/T1602/001/"> SNMP (MIB Dump) </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1602-T1602.002"> <a href="/versions/v13/techniques/T1602/002/"> Network Device Configuration Dump </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213"> <a href="/versions/v13/techniques/T1213/"> Data from Information Repositories </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1213-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1213-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1213-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1213-body" aria-labelledby="enterprise-TA0009-T1213-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213-T1213.001"> <a href="/versions/v13/techniques/T1213/001/"> Confluence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213-T1213.002"> <a href="/versions/v13/techniques/T1213/002/"> Sharepoint </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1213-T1213.003"> <a href="/versions/v13/techniques/T1213/003/"> Code Repositories </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1005"> <a href="/versions/v13/techniques/T1005/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1039"> <a href="/versions/v13/techniques/T1039/"> Data from Network Shared Drive </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1025"> <a href="/versions/v13/techniques/T1025/"> Data from Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1074"> <a href="/versions/v13/techniques/T1074/"> Data Staged </a> <div 
class="expand-button collapsed" id="enterprise-TA0009-T1074-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1074-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1074-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1074-body" aria-labelledby="enterprise-TA0009-T1074-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1074-T1074.001"> <a href="/versions/v13/techniques/T1074/001/"> Local Data Staging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1074-T1074.002"> <a href="/versions/v13/techniques/T1074/002/"> Remote Data Staging </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1114"> <a href="/versions/v13/techniques/T1114/"> Email Collection </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1114-header" data-toggle="collapse" data-target="#enterprise-TA0009-T1114-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1114-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1114-body" aria-labelledby="enterprise-TA0009-T1114-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1114-T1114.001"> <a href="/versions/v13/techniques/T1114/001/"> Local Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1114-T1114.002"> <a href="/versions/v13/techniques/T1114/002/"> Remote Email Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1114-T1114.003"> <a href="/versions/v13/techniques/T1114/003/"> Email Forwarding Rule </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1056"> <a href="/versions/v13/techniques/T1056/"> Input Capture </a> <div class="expand-button collapsed" id="enterprise-TA0009-T1056-header" data-toggle="collapse" 
data-target="#enterprise-TA0009-T1056-body" aria-expanded="false" aria-controls="#enterprise-TA0009-T1056-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0009-T1056-body" aria-labelledby="enterprise-TA0009-T1056-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1056-T1056.001"> <a href="/versions/v13/techniques/T1056/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1056-T1056.002"> <a href="/versions/v13/techniques/T1056/002/"> GUI Input Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1056-T1056.003"> <a href="/versions/v13/techniques/T1056/003/"> Web Portal Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1056-T1056.004"> <a href="/versions/v13/techniques/T1056/004/"> Credential API Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1113"> <a href="/versions/v13/techniques/T1113/"> Screen Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0009-T1125"> <a href="/versions/v13/techniques/T1125/"> Video Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011"> <a href="/versions/v13/tactics/TA0011"> Command and Control </a> <div class="expand-button collapsed" id="enterprise-TA0011-header" data-toggle="collapse" data-target="#enterprise-TA0011-body" aria-expanded="false" aria-controls="#enterprise-TA0011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-body" aria-labelledby="enterprise-TA0011-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1071"> <a href="/versions/v13/techniques/T1071/"> Application Layer Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1071-header" data-toggle="collapse" 
data-target="#enterprise-TA0011-T1071-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1071-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1071-body" aria-labelledby="enterprise-TA0011-T1071-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1071-T1071.001"> <a href="/versions/v13/techniques/T1071/001/"> Web Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1071-T1071.002"> <a href="/versions/v13/techniques/T1071/002/"> File Transfer Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1071-T1071.003"> <a href="/versions/v13/techniques/T1071/003/"> Mail Protocols </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1071-T1071.004"> <a href="/versions/v13/techniques/T1071/004/"> DNS </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1092"> <a href="/versions/v13/techniques/T1092/"> Communication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1132"> <a href="/versions/v13/techniques/T1132/"> Data Encoding </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1132-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1132-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1132-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1132-body" aria-labelledby="enterprise-TA0011-T1132-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1132-T1132.001"> <a href="/versions/v13/techniques/T1132/001/"> Standard Encoding </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1132-T1132.002"> <a href="/versions/v13/techniques/T1132/002/"> Non-Standard Encoding </a> </div> </div> </div> </div> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0011-T1001"> <a href="/versions/v13/techniques/T1001/"> Data Obfuscation </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1001-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1001-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1001-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1001-body" aria-labelledby="enterprise-TA0011-T1001-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1001-T1001.001"> <a href="/versions/v13/techniques/T1001/001/"> Junk Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1001-T1001.002"> <a href="/versions/v13/techniques/T1001/002/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1001-T1001.003"> <a href="/versions/v13/techniques/T1001/003/"> Protocol Impersonation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1568"> <a href="/versions/v13/techniques/T1568/"> Dynamic Resolution </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1568-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1568-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1568-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1568-body" aria-labelledby="enterprise-TA0011-T1568-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1568-T1568.001"> <a href="/versions/v13/techniques/T1568/001/"> Fast Flux DNS </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1568-T1568.002"> <a href="/versions/v13/techniques/T1568/002/"> Domain Generation Algorithms </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1568-T1568.003"> <a href="/versions/v13/techniques/T1568/003/"> DNS Calculation </a> </div> </div> 
</div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1573"> <a href="/versions/v13/techniques/T1573/"> Encrypted Channel </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1573-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1573-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1573-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1573-body" aria-labelledby="enterprise-TA0011-T1573-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1573-T1573.001"> <a href="/versions/v13/techniques/T1573/001/"> Symmetric Cryptography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1573-T1573.002"> <a href="/versions/v13/techniques/T1573/002/"> Asymmetric Cryptography </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1008"> <a href="/versions/v13/techniques/T1008/"> Fallback Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1105"> <a href="/versions/v13/techniques/T1105/"> Ingress Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1104"> <a href="/versions/v13/techniques/T1104/"> Multi-Stage Channels </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1095"> <a href="/versions/v13/techniques/T1095/"> Non-Application Layer Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1571"> <a href="/versions/v13/techniques/T1571/"> Non-Standard Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1572"> <a href="/versions/v13/techniques/T1572/"> Protocol Tunneling </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1090"> <a href="/versions/v13/techniques/T1090/"> Proxy </a> <div 
class="expand-button collapsed" id="enterprise-TA0011-T1090-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1090-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1090-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1090-body" aria-labelledby="enterprise-TA0011-T1090-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1090-T1090.001"> <a href="/versions/v13/techniques/T1090/001/"> Internal Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1090-T1090.002"> <a href="/versions/v13/techniques/T1090/002/"> External Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1090-T1090.003"> <a href="/versions/v13/techniques/T1090/003/"> Multi-hop Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1090-T1090.004"> <a href="/versions/v13/techniques/T1090/004/"> Domain Fronting </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1219"> <a href="/versions/v13/techniques/T1219/"> Remote Access Software </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1205"> <a href="/versions/v13/techniques/T1205/"> Traffic Signaling </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1205-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1205-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1205-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1205-body" aria-labelledby="enterprise-TA0011-T1205-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1205-T1205.001"> <a href="/versions/v13/techniques/T1205/001/"> Port Knocking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1205-T1205.002"> <a href="/versions/v13/techniques/T1205/002/"> Socket 
Filters </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1102"> <a href="/versions/v13/techniques/T1102/"> Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0011-T1102-header" data-toggle="collapse" data-target="#enterprise-TA0011-T1102-body" aria-expanded="false" aria-controls="#enterprise-TA0011-T1102-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0011-T1102-body" aria-labelledby="enterprise-TA0011-T1102-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1102-T1102.001"> <a href="/versions/v13/techniques/T1102/001/"> Dead Drop Resolver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1102-T1102.002"> <a href="/versions/v13/techniques/T1102/002/"> Bidirectional Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0011-T1102-T1102.003"> <a href="/versions/v13/techniques/T1102/003/"> One-Way Communication </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010"> <a href="/versions/v13/tactics/TA0010"> Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-header" data-toggle="collapse" data-target="#enterprise-TA0010-body" aria-expanded="false" aria-controls="#enterprise-TA0010-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-body" aria-labelledby="enterprise-TA0010-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1020"> <a href="/versions/v13/techniques/T1020/"> Automated Exfiltration </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1020-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1020-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1020-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1020-body" 
aria-labelledby="enterprise-TA0010-T1020-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1020-T1020.001"> <a href="/versions/v13/techniques/T1020/001/"> Traffic Duplication </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1030"> <a href="/versions/v13/techniques/T1030/"> Data Transfer Size Limits </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1048"> <a href="/versions/v13/techniques/T1048/"> Exfiltration Over Alternative Protocol </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1048-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1048-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1048-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1048-body" aria-labelledby="enterprise-TA0010-T1048-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1048-T1048.001"> <a href="/versions/v13/techniques/T1048/001/"> Exfiltration Over Symmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1048-T1048.002"> <a href="/versions/v13/techniques/T1048/002/"> Exfiltration Over Asymmetric Encrypted Non-C2 Protocol </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1048-T1048.003"> <a href="/versions/v13/techniques/T1048/003/"> Exfiltration Over Unencrypted Non-C2 Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head active " id="enterprise-TA0010-T1041"> <a href="/versions/v13/techniques/T1041/"> Exfiltration Over C2 Channel </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1011"> <a href="/versions/v13/techniques/T1011/"> Exfiltration Over Other Network Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1011-header" data-toggle="collapse" 
data-target="#enterprise-TA0010-T1011-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1011-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1011-body" aria-labelledby="enterprise-TA0010-T1011-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1011-T1011.001"> <a href="/versions/v13/techniques/T1011/001/"> Exfiltration Over Bluetooth </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1052"> <a href="/versions/v13/techniques/T1052/"> Exfiltration Over Physical Medium </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1052-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1052-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1052-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1052-body" aria-labelledby="enterprise-TA0010-T1052-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1052-T1052.001"> <a href="/versions/v13/techniques/T1052/001/"> Exfiltration over USB </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1567"> <a href="/versions/v13/techniques/T1567/"> Exfiltration Over Web Service </a> <div class="expand-button collapsed" id="enterprise-TA0010-T1567-header" data-toggle="collapse" data-target="#enterprise-TA0010-T1567-body" aria-expanded="false" aria-controls="#enterprise-TA0010-T1567-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0010-T1567-body" aria-labelledby="enterprise-TA0010-T1567-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1567-T1567.001"> <a href="/versions/v13/techniques/T1567/001/"> Exfiltration to Code Repository </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1567-T1567.002"> <a href="/versions/v13/techniques/T1567/002/"> Exfiltration to Cloud Storage </a> </div> 
</div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1567-T1567.003"> <a href="/versions/v13/techniques/T1567/003/"> Exfiltration to Text Storage Sites </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1029"> <a href="/versions/v13/techniques/T1029/"> Scheduled Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0010-T1537"> <a href="/versions/v13/techniques/T1537/"> Transfer Data to Cloud Account </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040"> <a href="/versions/v13/tactics/TA0040"> Impact </a> <div class="expand-button collapsed" id="enterprise-TA0040-header" data-toggle="collapse" data-target="#enterprise-TA0040-body" aria-expanded="false" aria-controls="#enterprise-TA0040-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-body" aria-labelledby="enterprise-TA0040-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1531"> <a href="/versions/v13/techniques/T1531/"> Account Access Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1485"> <a href="/versions/v13/techniques/T1485/"> Data Destruction </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1486"> <a href="/versions/v13/techniques/T1486/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1565"> <a href="/versions/v13/techniques/T1565/"> Data Manipulation </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1565-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1565-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1565-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1565-body" aria-labelledby="enterprise-TA0040-T1565-header"> <div class="sidenav"> <div 
class="sidenav-head " id="enterprise-TA0040-T1565-T1565.001"> <a href="/versions/v13/techniques/T1565/001/"> Stored Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1565-T1565.002"> <a href="/versions/v13/techniques/T1565/002/"> Transmitted Data Manipulation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1565-T1565.003"> <a href="/versions/v13/techniques/T1565/003/"> Runtime Data Manipulation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1491"> <a href="/versions/v13/techniques/T1491/"> Defacement </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1491-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1491-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1491-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1491-body" aria-labelledby="enterprise-TA0040-T1491-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1491-T1491.001"> <a href="/versions/v13/techniques/T1491/001/"> Internal Defacement </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1491-T1491.002"> <a href="/versions/v13/techniques/T1491/002/"> External Defacement </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1561"> <a href="/versions/v13/techniques/T1561/"> Disk Wipe </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1561-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1561-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1561-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1561-body" aria-labelledby="enterprise-TA0040-T1561-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1561-T1561.001"> <a href="/versions/v13/techniques/T1561/001/"> Disk 
Content Wipe </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1561-T1561.002"> <a href="/versions/v13/techniques/T1561/002/"> Disk Structure Wipe </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1499"> <a href="/versions/v13/techniques/T1499/"> Endpoint Denial of Service </a> <div class="expand-button collapsed" id="enterprise-TA0040-T1499-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1499-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1499-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1499-body" aria-labelledby="enterprise-TA0040-T1499-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1499-T1499.001"> <a href="/versions/v13/techniques/T1499/001/"> OS Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1499-T1499.002"> <a href="/versions/v13/techniques/T1499/002/"> Service Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1499-T1499.003"> <a href="/versions/v13/techniques/T1499/003/"> Application Exhaustion Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1499-T1499.004"> <a href="/versions/v13/techniques/T1499/004/"> Application or System Exploitation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1495"> <a href="/versions/v13/techniques/T1495/"> Firmware Corruption </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1490"> <a href="/versions/v13/techniques/T1490/"> Inhibit System Recovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1498"> <a href="/versions/v13/techniques/T1498/"> Network Denial of Service </a> <div class="expand-button collapsed" 
id="enterprise-TA0040-T1498-header" data-toggle="collapse" data-target="#enterprise-TA0040-T1498-body" aria-expanded="false" aria-controls="#enterprise-TA0040-T1498-body"></div> </div> <div class="sidenav-body collapse" id="enterprise-TA0040-T1498-body" aria-labelledby="enterprise-TA0040-T1498-header"> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1498-T1498.001"> <a href="/versions/v13/techniques/T1498/001/"> Direct Network Flood </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1498-T1498.002"> <a href="/versions/v13/techniques/T1498/002/"> Reflection Amplification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1496"> <a href="/versions/v13/techniques/T1496/"> Resource Hijacking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1489"> <a href="/versions/v13/techniques/T1489/"> Service Stop </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="enterprise-TA0040-T1529"> <a href="/versions/v13/techniques/T1529/"> System Shutdown/Reboot </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile"> <a href="/versions/v13/techniques/mobile/"> Mobile </a> <div class="expand-button collapsed" id="mobile-header" data-toggle="collapse" data-target="#mobile-body" aria-expanded="false" aria-controls="#mobile-body"></div> </div> <div class="sidenav-body collapse" id="mobile-body" aria-labelledby="mobile-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027"> <a href="/versions/v13/tactics/TA0027"> Initial Access </a> <div class="expand-button collapsed" id="mobile-TA0027-header" data-toggle="collapse" data-target="#mobile-TA0027-body" aria-expanded="false" aria-controls="#mobile-TA0027-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0027-body" aria-labelledby="mobile-TA0027-header"> <div class="sidenav"> 
<div class="sidenav-head " id="mobile-TA0027-T1456"> <a href="/versions/v13/techniques/T1456/"> Drive-By Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027-T1461"> <a href="/versions/v13/techniques/T1461/"> Lockscreen Bypass </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027-T1458"> <a href="/versions/v13/techniques/T1458/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027-T1474"> <a href="/versions/v13/techniques/T1474/"> Supply Chain Compromise </a> <div class="expand-button collapsed" id="mobile-TA0027-T1474-header" data-toggle="collapse" data-target="#mobile-TA0027-T1474-body" aria-expanded="false" aria-controls="#mobile-TA0027-T1474-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0027-T1474-body" aria-labelledby="mobile-TA0027-T1474-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027-T1474-T1474.001"> <a href="/versions/v13/techniques/T1474/001/"> Compromise Software Dependencies and Development Tools </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027-T1474-T1474.002"> <a href="/versions/v13/techniques/T1474/002/"> Compromise Hardware Supply Chain </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0027-T1474-T1474.003"> <a href="/versions/v13/techniques/T1474/003/"> Compromise Software Supply Chain </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0041"> <a href="/versions/v13/tactics/TA0041"> Execution </a> <div class="expand-button collapsed" id="mobile-TA0041-header" data-toggle="collapse" data-target="#mobile-TA0041-body" aria-expanded="false" aria-controls="#mobile-TA0041-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0041-body" aria-labelledby="mobile-TA0041-header"> <div class="sidenav"> <div class="sidenav-head " 
id="mobile-TA0041-T1623"> <a href="/versions/v13/techniques/T1623/"> Command and Scripting Interpreter </a> <div class="expand-button collapsed" id="mobile-TA0041-T1623-header" data-toggle="collapse" data-target="#mobile-TA0041-T1623-body" aria-expanded="false" aria-controls="#mobile-TA0041-T1623-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0041-T1623-body" aria-labelledby="mobile-TA0041-T1623-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0041-T1623-T1623.001"> <a href="/versions/v13/techniques/T1623/001/"> Unix Shell </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0041-T1575"> <a href="/versions/v13/techniques/T1575/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0041-T1603"> <a href="/versions/v13/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028"> <a href="/versions/v13/tactics/TA0028"> Persistence </a> <div class="expand-button collapsed" id="mobile-TA0028-header" data-toggle="collapse" data-target="#mobile-TA0028-body" aria-expanded="false" aria-controls="#mobile-TA0028-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0028-body" aria-labelledby="mobile-TA0028-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028-T1398"> <a href="/versions/v13/techniques/T1398/"> Boot or Logon Initialization Scripts </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028-T1577"> <a href="/versions/v13/techniques/T1577/"> Compromise Application Executable </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028-T1645"> <a href="/versions/v13/techniques/T1645/"> Compromise Client Software Binary </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028-T1624"> <a href="/versions/v13/techniques/T1624/"> Event Triggered Execution 
</a> <div class="expand-button collapsed" id="mobile-TA0028-T1624-header" data-toggle="collapse" data-target="#mobile-TA0028-T1624-body" aria-expanded="false" aria-controls="#mobile-TA0028-T1624-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0028-T1624-body" aria-labelledby="mobile-TA0028-T1624-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028-T1624-T1624.001"> <a href="/versions/v13/techniques/T1624/001/"> Broadcast Receivers </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028-T1541"> <a href="/versions/v13/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028-T1625"> <a href="/versions/v13/techniques/T1625/"> Hijack Execution Flow </a> <div class="expand-button collapsed" id="mobile-TA0028-T1625-header" data-toggle="collapse" data-target="#mobile-TA0028-T1625-body" aria-expanded="false" aria-controls="#mobile-TA0028-T1625-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0028-T1625-body" aria-labelledby="mobile-TA0028-T1625-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028-T1625-T1625.001"> <a href="/versions/v13/techniques/T1625/001/"> System Runtime API Hijacking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0028-T1603"> <a href="/versions/v13/techniques/T1603/"> Scheduled Task/Job </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0029"> <a href="/versions/v13/tactics/TA0029"> Privilege Escalation </a> <div class="expand-button collapsed" id="mobile-TA0029-header" data-toggle="collapse" data-target="#mobile-TA0029-body" aria-expanded="false" aria-controls="#mobile-TA0029-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0029-body" aria-labelledby="mobile-TA0029-header"> <div class="sidenav"> <div class="sidenav-head " 
id="mobile-TA0029-T1626"> <a href="/versions/v13/techniques/T1626/"> Abuse Elevation Control Mechanism </a> <div class="expand-button collapsed" id="mobile-TA0029-T1626-header" data-toggle="collapse" data-target="#mobile-TA0029-T1626-body" aria-expanded="false" aria-controls="#mobile-TA0029-T1626-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0029-T1626-body" aria-labelledby="mobile-TA0029-T1626-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0029-T1626-T1626.001"> <a href="/versions/v13/techniques/T1626/001/"> Device Administrator Permissions </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0029-T1404"> <a href="/versions/v13/techniques/T1404/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0029-T1631"> <a href="/versions/v13/techniques/T1631/"> Process Injection </a> <div class="expand-button collapsed" id="mobile-TA0029-T1631-header" data-toggle="collapse" data-target="#mobile-TA0029-T1631-body" aria-expanded="false" aria-controls="#mobile-TA0029-T1631-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0029-T1631-body" aria-labelledby="mobile-TA0029-T1631-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0029-T1631-T1631.001"> <a href="/versions/v13/techniques/T1631/001/"> Ptrace System Calls </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030"> <a href="/versions/v13/tactics/TA0030"> Defense Evasion </a> <div class="expand-button collapsed" id="mobile-TA0030-header" data-toggle="collapse" data-target="#mobile-TA0030-body" aria-expanded="false" aria-controls="#mobile-TA0030-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-body" aria-labelledby="mobile-TA0030-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1407"> <a 
href="/versions/v13/techniques/T1407/"> Download New Code at Runtime </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1627"> <a href="/versions/v13/techniques/T1627/"> Execution Guardrails </a> <div class="expand-button collapsed" id="mobile-TA0030-T1627-header" data-toggle="collapse" data-target="#mobile-TA0030-T1627-body" aria-expanded="false" aria-controls="#mobile-TA0030-T1627-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-T1627-body" aria-labelledby="mobile-TA0030-T1627-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1627-T1627.001"> <a href="/versions/v13/techniques/T1627/001/"> Geofencing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1541"> <a href="/versions/v13/techniques/T1541/"> Foreground Persistence </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1628"> <a href="/versions/v13/techniques/T1628/"> Hide Artifacts </a> <div class="expand-button collapsed" id="mobile-TA0030-T1628-header" data-toggle="collapse" data-target="#mobile-TA0030-T1628-body" aria-expanded="false" aria-controls="#mobile-TA0030-T1628-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-T1628-body" aria-labelledby="mobile-TA0030-T1628-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1628-T1628.001"> <a href="/versions/v13/techniques/T1628/001/"> Suppress Application Icon </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1628-T1628.002"> <a href="/versions/v13/techniques/T1628/002/"> User Evasion </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1617"> <a href="/versions/v13/techniques/T1617/"> Hooking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1629"> <a href="/versions/v13/techniques/T1629/"> Impair Defenses </a> <div 
class="expand-button collapsed" id="mobile-TA0030-T1629-header" data-toggle="collapse" data-target="#mobile-TA0030-T1629-body" aria-expanded="false" aria-controls="#mobile-TA0030-T1629-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-T1629-body" aria-labelledby="mobile-TA0030-T1629-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1629-T1629.001"> <a href="/versions/v13/techniques/T1629/001/"> Prevent Application Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1629-T1629.002"> <a href="/versions/v13/techniques/T1629/002/"> Device Lockout </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1629-T1629.003"> <a href="/versions/v13/techniques/T1629/003/"> Disable or Modify Tools </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1630"> <a href="/versions/v13/techniques/T1630/"> Indicator Removal on Host </a> <div class="expand-button collapsed" id="mobile-TA0030-T1630-header" data-toggle="collapse" data-target="#mobile-TA0030-T1630-body" aria-expanded="false" aria-controls="#mobile-TA0030-T1630-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-T1630-body" aria-labelledby="mobile-TA0030-T1630-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1630-T1630.001"> <a href="/versions/v13/techniques/T1630/001/"> Uninstall Malicious Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1630-T1630.002"> <a href="/versions/v13/techniques/T1630/002/"> File Deletion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1630-T1630.003"> <a href="/versions/v13/techniques/T1630/003/"> Disguise Root/Jailbreak Indicators </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1516"> <a href="/versions/v13/techniques/T1516/"> Input 
Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1575"> <a href="/versions/v13/techniques/T1575/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1406"> <a href="/versions/v13/techniques/T1406/"> Obfuscated Files or Information </a> <div class="expand-button collapsed" id="mobile-TA0030-T1406-header" data-toggle="collapse" data-target="#mobile-TA0030-T1406-body" aria-expanded="false" aria-controls="#mobile-TA0030-T1406-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-T1406-body" aria-labelledby="mobile-TA0030-T1406-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1406-T1406.001"> <a href="/versions/v13/techniques/T1406/001/"> Steganography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1406-T1406.002"> <a href="/versions/v13/techniques/T1406/002/"> Software Packing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1631"> <a href="/versions/v13/techniques/T1631/"> Process Injection </a> <div class="expand-button collapsed" id="mobile-TA0030-T1631-header" data-toggle="collapse" data-target="#mobile-TA0030-T1631-body" aria-expanded="false" aria-controls="#mobile-TA0030-T1631-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-T1631-body" aria-labelledby="mobile-TA0030-T1631-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1631-T1631.001"> <a href="/versions/v13/techniques/T1631/001/"> Ptrace System Calls </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1604"> <a href="/versions/v13/techniques/T1604/"> Proxy Through Victim </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1632"> <a href="/versions/v13/techniques/T1632/"> Subvert Trust Controls </a> <div class="expand-button collapsed" 
id="mobile-TA0030-T1632-header" data-toggle="collapse" data-target="#mobile-TA0030-T1632-body" aria-expanded="false" aria-controls="#mobile-TA0030-T1632-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-T1632-body" aria-labelledby="mobile-TA0030-T1632-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1632-T1632.001"> <a href="/versions/v13/techniques/T1632/001/"> Code Signing Policy Modification </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1633"> <a href="/versions/v13/techniques/T1633/"> Virtualization/Sandbox Evasion </a> <div class="expand-button collapsed" id="mobile-TA0030-T1633-header" data-toggle="collapse" data-target="#mobile-TA0030-T1633-body" aria-expanded="false" aria-controls="#mobile-TA0030-T1633-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0030-T1633-body" aria-labelledby="mobile-TA0030-T1633-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0030-T1633-T1633.001"> <a href="/versions/v13/techniques/T1633/001/"> System Checks </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031"> <a href="/versions/v13/tactics/TA0031"> Credential Access </a> <div class="expand-button collapsed" id="mobile-TA0031-header" data-toggle="collapse" data-target="#mobile-TA0031-body" aria-expanded="false" aria-controls="#mobile-TA0031-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-body" aria-labelledby="mobile-TA0031-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1517"> <a href="/versions/v13/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1414"> <a href="/versions/v13/techniques/T1414/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1634"> <a 
href="/versions/v13/techniques/T1634/"> Credentials from Password Store </a> <div class="expand-button collapsed" id="mobile-TA0031-T1634-header" data-toggle="collapse" data-target="#mobile-TA0031-T1634-body" aria-expanded="false" aria-controls="#mobile-TA0031-T1634-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-T1634-body" aria-labelledby="mobile-TA0031-T1634-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1634-T1634.001"> <a href="/versions/v13/techniques/T1634/001/"> Keychain </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1417"> <a href="/versions/v13/techniques/T1417/"> Input Capture </a> <div class="expand-button collapsed" id="mobile-TA0031-T1417-header" data-toggle="collapse" data-target="#mobile-TA0031-T1417-body" aria-expanded="false" aria-controls="#mobile-TA0031-T1417-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-T1417-body" aria-labelledby="mobile-TA0031-T1417-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1417-T1417.001"> <a href="/versions/v13/techniques/T1417/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1417-T1417.002"> <a href="/versions/v13/techniques/T1417/002/"> GUI Input Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1635"> <a href="/versions/v13/techniques/T1635/"> Steal Application Access Token </a> <div class="expand-button collapsed" id="mobile-TA0031-T1635-header" data-toggle="collapse" data-target="#mobile-TA0031-T1635-body" aria-expanded="false" aria-controls="#mobile-TA0031-T1635-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0031-T1635-body" aria-labelledby="mobile-TA0031-T1635-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0031-T1635-T1635.001"> <a href="/versions/v13/techniques/T1635/001/"> URI Hijacking 
</a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032"> <a href="/versions/v13/tactics/TA0032"> Discovery </a> <div class="expand-button collapsed" id="mobile-TA0032-header" data-toggle="collapse" data-target="#mobile-TA0032-body" aria-expanded="false" aria-controls="#mobile-TA0032-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-body" aria-labelledby="mobile-TA0032-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1420"> <a href="/versions/v13/techniques/T1420/"> File and Directory Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1430"> <a href="/versions/v13/techniques/T1430/"> Location Tracking </a> <div class="expand-button collapsed" id="mobile-TA0032-T1430-header" data-toggle="collapse" data-target="#mobile-TA0032-T1430-body" aria-expanded="false" aria-controls="#mobile-TA0032-T1430-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-T1430-body" aria-labelledby="mobile-TA0032-T1430-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1430-T1430.001"> <a href="/versions/v13/techniques/T1430/001/"> Remote Device Management Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1430-T1430.002"> <a href="/versions/v13/techniques/T1430/002/"> Impersonate SS7 Nodes </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1423"> <a href="/versions/v13/techniques/T1423/"> Network Service Scanning </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1424"> <a href="/versions/v13/techniques/T1424/"> Process Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1418"> <a href="/versions/v13/techniques/T1418/"> Software Discovery </a> <div class="expand-button collapsed" id="mobile-TA0032-T1418-header" 
data-toggle="collapse" data-target="#mobile-TA0032-T1418-body" aria-expanded="false" aria-controls="#mobile-TA0032-T1418-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0032-T1418-body" aria-labelledby="mobile-TA0032-T1418-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1418-T1418.001"> <a href="/versions/v13/techniques/T1418/001/"> Security Software Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1426"> <a href="/versions/v13/techniques/T1426/"> System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1422"> <a href="/versions/v13/techniques/T1422/"> System Network Configuration Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0032-T1421"> <a href="/versions/v13/techniques/T1421/"> System Network Connections Discovery </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033"> <a href="/versions/v13/tactics/TA0033"> Lateral Movement </a> <div class="expand-button collapsed" id="mobile-TA0033-header" data-toggle="collapse" data-target="#mobile-TA0033-body" aria-expanded="false" aria-controls="#mobile-TA0033-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0033-body" aria-labelledby="mobile-TA0033-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033-T1428"> <a href="/versions/v13/techniques/T1428/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0033-T1458"> <a href="/versions/v13/techniques/T1458/"> Replication Through Removable Media </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035"> <a href="/versions/v13/tactics/TA0035"> Collection </a> <div class="expand-button collapsed" id="mobile-TA0035-header" data-toggle="collapse" data-target="#mobile-TA0035-body" 
aria-expanded="false" aria-controls="#mobile-TA0035-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-body" aria-labelledby="mobile-TA0035-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1517"> <a href="/versions/v13/techniques/T1517/"> Access Notifications </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1638"> <a href="/versions/v13/techniques/T1638/"> Adversary-in-the-Middle </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1532"> <a href="/versions/v13/techniques/T1532/"> Archive Collected Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1429"> <a href="/versions/v13/techniques/T1429/"> Audio Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1616"> <a href="/versions/v13/techniques/T1616/"> Call Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1414"> <a href="/versions/v13/techniques/T1414/"> Clipboard Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1533"> <a href="/versions/v13/techniques/T1533/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1417"> <a href="/versions/v13/techniques/T1417/"> Input Capture </a> <div class="expand-button collapsed" id="mobile-TA0035-T1417-header" data-toggle="collapse" data-target="#mobile-TA0035-T1417-body" aria-expanded="false" aria-controls="#mobile-TA0035-T1417-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-T1417-body" aria-labelledby="mobile-TA0035-T1417-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1417-T1417.001"> <a href="/versions/v13/techniques/T1417/001/"> Keylogging </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1417-T1417.002"> <a 
href="/versions/v13/techniques/T1417/002/"> GUI Input Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1430"> <a href="/versions/v13/techniques/T1430/"> Location Tracking </a> <div class="expand-button collapsed" id="mobile-TA0035-T1430-header" data-toggle="collapse" data-target="#mobile-TA0035-T1430-body" aria-expanded="false" aria-controls="#mobile-TA0035-T1430-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-T1430-body" aria-labelledby="mobile-TA0035-T1430-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1430-T1430.001"> <a href="/versions/v13/techniques/T1430/001/"> Remote Device Management Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1430-T1430.002"> <a href="/versions/v13/techniques/T1430/002/"> Impersonate SS7 Nodes </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636"> <a href="/versions/v13/techniques/T1636/"> Protected User Data </a> <div class="expand-button collapsed" id="mobile-TA0035-T1636-header" data-toggle="collapse" data-target="#mobile-TA0035-T1636-body" aria-expanded="false" aria-controls="#mobile-TA0035-T1636-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0035-T1636-body" aria-labelledby="mobile-TA0035-T1636-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.001"> <a href="/versions/v13/techniques/T1636/001/"> Calendar Entries </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.002"> <a href="/versions/v13/techniques/T1636/002/"> Call Log </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.003"> <a href="/versions/v13/techniques/T1636/003/"> Contact List </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1636-T1636.004"> <a 
href="/versions/v13/techniques/T1636/004/"> SMS Messages </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1513"> <a href="/versions/v13/techniques/T1513/"> Screen Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1409"> <a href="/versions/v13/techniques/T1409/"> Stored Application Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0035-T1512"> <a href="/versions/v13/techniques/T1512/"> Video Capture </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037"> <a href="/versions/v13/tactics/TA0037"> Command and Control </a> <div class="expand-button collapsed" id="mobile-TA0037-header" data-toggle="collapse" data-target="#mobile-TA0037-body" aria-expanded="false" aria-controls="#mobile-TA0037-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-body" aria-labelledby="mobile-TA0037-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1437"> <a href="/versions/v13/techniques/T1437/"> Application Layer Protocol </a> <div class="expand-button collapsed" id="mobile-TA0037-T1437-header" data-toggle="collapse" data-target="#mobile-TA0037-T1437-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1437-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1437-body" aria-labelledby="mobile-TA0037-T1437-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1437-T1437.001"> <a href="/versions/v13/techniques/T1437/001/"> Web Protocols </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1616"> <a href="/versions/v13/techniques/T1616/"> Call Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1637"> <a href="/versions/v13/techniques/T1637/"> Dynamic Resolution </a> <div class="expand-button collapsed" 
id="mobile-TA0037-T1637-header" data-toggle="collapse" data-target="#mobile-TA0037-T1637-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1637-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1637-body" aria-labelledby="mobile-TA0037-T1637-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1637-T1637.001"> <a href="/versions/v13/techniques/T1637/001/"> Domain Generation Algorithms </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1521"> <a href="/versions/v13/techniques/T1521/"> Encrypted Channel </a> <div class="expand-button collapsed" id="mobile-TA0037-T1521-header" data-toggle="collapse" data-target="#mobile-TA0037-T1521-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1521-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1521-body" aria-labelledby="mobile-TA0037-T1521-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1521-T1521.001"> <a href="/versions/v13/techniques/T1521/001/"> Symmetric Cryptography </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1521-T1521.002"> <a href="/versions/v13/techniques/T1521/002/"> Asymmetric Cryptography </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1544"> <a href="/versions/v13/techniques/T1544/"> Ingress Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1509"> <a href="/versions/v13/techniques/T1509/"> Non-Standard Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1644"> <a href="/versions/v13/techniques/T1644/"> Out of Band Data </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481"> <a href="/versions/v13/techniques/T1481/"> Web Service </a> <div class="expand-button collapsed" id="mobile-TA0037-T1481-header" data-toggle="collapse" 
data-target="#mobile-TA0037-T1481-body" aria-expanded="false" aria-controls="#mobile-TA0037-T1481-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0037-T1481-body" aria-labelledby="mobile-TA0037-T1481-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481-T1481.001"> <a href="/versions/v13/techniques/T1481/001/"> Dead Drop Resolver </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481-T1481.002"> <a href="/versions/v13/techniques/T1481/002/"> Bidirectional Communication </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0037-T1481-T1481.003"> <a href="/versions/v13/techniques/T1481/003/"> One-Way Communication </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036"> <a href="/versions/v13/tactics/TA0036"> Exfiltration </a> <div class="expand-button collapsed" id="mobile-TA0036-header" data-toggle="collapse" data-target="#mobile-TA0036-body" aria-expanded="false" aria-controls="#mobile-TA0036-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0036-body" aria-labelledby="mobile-TA0036-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036-T1639"> <a href="/versions/v13/techniques/T1639/"> Exfiltration Over Alternative Protocol </a> <div class="expand-button collapsed" id="mobile-TA0036-T1639-header" data-toggle="collapse" data-target="#mobile-TA0036-T1639-body" aria-expanded="false" aria-controls="#mobile-TA0036-T1639-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0036-T1639-body" aria-labelledby="mobile-TA0036-T1639-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036-T1639-T1639.001"> <a href="/versions/v13/techniques/T1639/001/"> Exfiltration Over Unencrypted Non-C2 Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0036-T1646"> <a 
href="/versions/v13/techniques/T1646/"> Exfiltration Over C2 Channel </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034"> <a href="/versions/v13/tactics/TA0034"> Impact </a> <div class="expand-button collapsed" id="mobile-TA0034-header" data-toggle="collapse" data-target="#mobile-TA0034-body" aria-expanded="false" aria-controls="#mobile-TA0034-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0034-body" aria-labelledby="mobile-TA0034-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1640"> <a href="/versions/v13/techniques/T1640/"> Account Access Removal </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1616"> <a href="/versions/v13/techniques/T1616/"> Call Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1471"> <a href="/versions/v13/techniques/T1471/"> Data Encrypted for Impact </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1641"> <a href="/versions/v13/techniques/T1641/"> Data Manipulation </a> <div class="expand-button collapsed" id="mobile-TA0034-T1641-header" data-toggle="collapse" data-target="#mobile-TA0034-T1641-body" aria-expanded="false" aria-controls="#mobile-TA0034-T1641-body"></div> </div> <div class="sidenav-body collapse" id="mobile-TA0034-T1641-body" aria-labelledby="mobile-TA0034-T1641-header"> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1641-T1641.001"> <a href="/versions/v13/techniques/T1641/001/"> Transmitted Data Manipulation </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1642"> <a href="/versions/v13/techniques/T1642/"> Endpoint Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1643"> <a href="/versions/v13/techniques/T1643/"> Generate Traffic from Victim </a> </div> </div> <div class="sidenav"> 
<div class="sidenav-head " id="mobile-TA0034-T1516"> <a href="/versions/v13/techniques/T1516/"> Input Injection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1464"> <a href="/versions/v13/techniques/T1464/"> Network Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="mobile-TA0034-T1582"> <a href="/versions/v13/techniques/T1582/"> SMS Control </a> </div> </div> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics"> <a href="/versions/v13/techniques/ics/"> ICS </a> <div class="expand-button collapsed" id="ics-header" data-toggle="collapse" data-target="#ics-body" aria-expanded="false" aria-controls="#ics-body"></div> </div> <div class="sidenav-body collapse" id="ics-body" aria-labelledby="ics-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108"> <a href="/versions/v13/tactics/TA0108"> Initial Access </a> <div class="expand-button collapsed" id="ics-TA0108-header" data-toggle="collapse" data-target="#ics-TA0108-body" aria-expanded="false" aria-controls="#ics-TA0108-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0108-body" aria-labelledby="ics-TA0108-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0817"> <a href="/versions/v13/techniques/T0817/"> Drive-by Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0819"> <a href="/versions/v13/techniques/T0819/"> Exploit Public-Facing Application </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0866"> <a href="/versions/v13/techniques/T0866/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0822"> <a href="/versions/v13/techniques/T0822/"> External Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0883"> <a href="/versions/v13/techniques/T0883/"> Internet 
Accessible Device </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0886"> <a href="/versions/v13/techniques/T0886/"> Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0847"> <a href="/versions/v13/techniques/T0847/"> Replication Through Removable Media </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0848"> <a href="/versions/v13/techniques/T0848/"> Rogue Master </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0865"> <a href="/versions/v13/techniques/T0865/"> Spearphishing Attachment </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0862"> <a href="/versions/v13/techniques/T0862/"> Supply Chain Compromise </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0864"> <a href="/versions/v13/techniques/T0864/"> Transient Cyber Asset </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0108-T0860"> <a href="/versions/v13/techniques/T0860/"> Wireless Compromise </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104"> <a href="/versions/v13/tactics/TA0104"> Execution </a> <div class="expand-button collapsed" id="ics-TA0104-header" data-toggle="collapse" data-target="#ics-TA0104-body" aria-expanded="false" aria-controls="#ics-TA0104-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0104-body" aria-labelledby="ics-TA0104-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0858"> <a href="/versions/v13/techniques/T0858/"> Change Operating Mode </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0807"> <a href="/versions/v13/techniques/T0807/"> Command-Line Interface </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0871"> <a href="/versions/v13/techniques/T0871/"> Execution through API </a> 
</div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0823"> <a href="/versions/v13/techniques/T0823/"> Graphical User Interface </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0874"> <a href="/versions/v13/techniques/T0874/"> Hooking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0821"> <a href="/versions/v13/techniques/T0821/"> Modify Controller Tasking </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0834"> <a href="/versions/v13/techniques/T0834/"> Native API </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0853"> <a href="/versions/v13/techniques/T0853/"> Scripting </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0104-T0863"> <a href="/versions/v13/techniques/T0863/"> User Execution </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110"> <a href="/versions/v13/tactics/TA0110"> Persistence </a> <div class="expand-button collapsed" id="ics-TA0110-header" data-toggle="collapse" data-target="#ics-TA0110-body" aria-expanded="false" aria-controls="#ics-TA0110-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0110-body" aria-labelledby="ics-TA0110-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0891"> <a href="/versions/v13/techniques/T0891/"> Hardcoded Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0889"> <a href="/versions/v13/techniques/T0889/"> Modify Program </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0839"> <a href="/versions/v13/techniques/T0839/"> Module Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0873"> <a href="/versions/v13/techniques/T0873/"> Project File Infection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " 
id="ics-TA0110-T0857"> <a href="/versions/v13/techniques/T0857/"> System Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0110-T0859"> <a href="/versions/v13/techniques/T0859/"> Valid Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0111"> <a href="/versions/v13/tactics/TA0111"> Privilege Escalation </a> <div class="expand-button collapsed" id="ics-TA0111-header" data-toggle="collapse" data-target="#ics-TA0111-body" aria-expanded="false" aria-controls="#ics-TA0111-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0111-body" aria-labelledby="ics-TA0111-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0111-T0890"> <a href="/versions/v13/techniques/T0890/"> Exploitation for Privilege Escalation </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0111-T0874"> <a href="/versions/v13/techniques/T0874/"> Hooking </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103"> <a href="/versions/v13/tactics/TA0103"> Evasion </a> <div class="expand-button collapsed" id="ics-TA0103-header" data-toggle="collapse" data-target="#ics-TA0103-body" aria-expanded="false" aria-controls="#ics-TA0103-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0103-body" aria-labelledby="ics-TA0103-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0858"> <a href="/versions/v13/techniques/T0858/"> Change Operating Mode </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0820"> <a href="/versions/v13/techniques/T0820/"> Exploitation for Evasion </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0872"> <a href="/versions/v13/techniques/T0872/"> Indicator Removal on Host </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0849"> <a href="/versions/v13/techniques/T0849/"> Masquerading 
</a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0851"> <a href="/versions/v13/techniques/T0851/"> Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0103-T0856"> <a href="/versions/v13/techniques/T0856/"> Spoof Reporting Message </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102"> <a href="/versions/v13/tactics/TA0102"> Discovery </a> <div class="expand-button collapsed" id="ics-TA0102-header" data-toggle="collapse" data-target="#ics-TA0102-body" aria-expanded="false" aria-controls="#ics-TA0102-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0102-body" aria-labelledby="ics-TA0102-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0840"> <a href="/versions/v13/techniques/T0840/"> Network Connection Enumeration </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0842"> <a href="/versions/v13/techniques/T0842/"> Network Sniffing </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0846"> <a href="/versions/v13/techniques/T0846/"> Remote System Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0888"> <a href="/versions/v13/techniques/T0888/"> Remote System Information Discovery </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0102-T0887"> <a href="/versions/v13/techniques/T0887/"> Wireless Sniffing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0109"> <a href="/versions/v13/tactics/TA0109"> Lateral Movement </a> <div class="expand-button collapsed" id="ics-TA0109-header" data-toggle="collapse" data-target="#ics-TA0109-body" aria-expanded="false" aria-controls="#ics-TA0109-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0109-body" aria-labelledby="ics-TA0109-header"> <div class="sidenav"> <div class="sidenav-head " 
id="ics-TA0109-T0812"> <a href="/versions/v13/techniques/T0812/"> Default Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0109-T0866"> <a href="/versions/v13/techniques/T0866/"> Exploitation of Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0109-T0891"> <a href="/versions/v13/techniques/T0891/"> Hardcoded Credentials </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0109-T0867"> <a href="/versions/v13/techniques/T0867/"> Lateral Tool Transfer </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0109-T0843"> <a href="/versions/v13/techniques/T0843/"> Program Download </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0109-T0886"> <a href="/versions/v13/techniques/T0886/"> Remote Services </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0109-T0859"> <a href="/versions/v13/techniques/T0859/"> Valid Accounts </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100"> <a href="/versions/v13/tactics/TA0100"> Collection </a> <div class="expand-button collapsed" id="ics-TA0100-header" data-toggle="collapse" data-target="#ics-TA0100-body" aria-expanded="false" aria-controls="#ics-TA0100-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0100-body" aria-labelledby="ics-TA0100-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100-T0830"> <a href="/versions/v13/techniques/T0830/"> Adversary-in-the-Middle </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100-T0802"> <a href="/versions/v13/techniques/T0802/"> Automated Collection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100-T0811"> <a href="/versions/v13/techniques/T0811/"> Data from Information Repositories </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100-T0893"> 
<a href="/versions/v13/techniques/T0893/"> Data from Local System </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100-T0868"> <a href="/versions/v13/techniques/T0868/"> Detect Operating Mode </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100-T0877"> <a href="/versions/v13/techniques/T0877/"> I/O Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100-T0801"> <a href="/versions/v13/techniques/T0801/"> Monitor Process State </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100-T0861"> <a href="/versions/v13/techniques/T0861/"> Point & Tag Identification </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100-T0845"> <a href="/versions/v13/techniques/T0845/"> Program Upload </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100-T0852"> <a href="/versions/v13/techniques/T0852/"> Screen Capture </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0100-T0887"> <a href="/versions/v13/techniques/T0887/"> Wireless Sniffing </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0101"> <a href="/versions/v13/tactics/TA0101"> Command and Control </a> <div class="expand-button collapsed" id="ics-TA0101-header" data-toggle="collapse" data-target="#ics-TA0101-body" aria-expanded="false" aria-controls="#ics-TA0101-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0101-body" aria-labelledby="ics-TA0101-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0101-T0885"> <a href="/versions/v13/techniques/T0885/"> Commonly Used Port </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0101-T0884"> <a href="/versions/v13/techniques/T0884/"> Connection Proxy </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0101-T0869"> <a href="/versions/v13/techniques/T0869/"> 
Standard Application Layer Protocol </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107"> <a href="/versions/v13/tactics/TA0107"> Inhibit Response Function </a> <div class="expand-button collapsed" id="ics-TA0107-header" data-toggle="collapse" data-target="#ics-TA0107-body" aria-expanded="false" aria-controls="#ics-TA0107-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0107-body" aria-labelledby="ics-TA0107-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0800"> <a href="/versions/v13/techniques/T0800/"> Activate Firmware Update Mode </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0878"> <a href="/versions/v13/techniques/T0878/"> Alarm Suppression </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0803"> <a href="/versions/v13/techniques/T0803/"> Block Command Message </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0804"> <a href="/versions/v13/techniques/T0804/"> Block Reporting Message </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0805"> <a href="/versions/v13/techniques/T0805/"> Block Serial COM </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0892"> <a href="/versions/v13/techniques/T0892/"> Change Credential </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0809"> <a href="/versions/v13/techniques/T0809/"> Data Destruction </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0814"> <a href="/versions/v13/techniques/T0814/"> Denial of Service </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0816"> <a href="/versions/v13/techniques/T0816/"> Device Restart/Shutdown </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0835"> <a href="/versions/v13/techniques/T0835/"> 
Manipulate I/O Image </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0838"> <a href="/versions/v13/techniques/T0838/"> Modify Alarm Settings </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0851"> <a href="/versions/v13/techniques/T0851/"> Rootkit </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0881"> <a href="/versions/v13/techniques/T0881/"> Service Stop </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0107-T0857"> <a href="/versions/v13/techniques/T0857/"> System Firmware </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0106"> <a href="/versions/v13/tactics/TA0106"> Impair Process Control </a> <div class="expand-button collapsed" id="ics-TA0106-header" data-toggle="collapse" data-target="#ics-TA0106-body" aria-expanded="false" aria-controls="#ics-TA0106-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0106-body" aria-labelledby="ics-TA0106-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0106-T0806"> <a href="/versions/v13/techniques/T0806/"> Brute Force I/O </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0106-T0836"> <a href="/versions/v13/techniques/T0836/"> Modify Parameter </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0106-T0839"> <a href="/versions/v13/techniques/T0839/"> Module Firmware </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0106-T0856"> <a href="/versions/v13/techniques/T0856/"> Spoof Reporting Message </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0106-T0855"> <a href="/versions/v13/techniques/T0855/"> Unauthorized Command Message </a> </div> </div> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105"> <a href="/versions/v13/tactics/TA0105"> Impact </a> <div class="expand-button collapsed" 
id="ics-TA0105-header" data-toggle="collapse" data-target="#ics-TA0105-body" aria-expanded="false" aria-controls="#ics-TA0105-body"></div> </div> <div class="sidenav-body collapse" id="ics-TA0105-body" aria-labelledby="ics-TA0105-header"> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0879"> <a href="/versions/v13/techniques/T0879/"> Damage to Property </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0813"> <a href="/versions/v13/techniques/T0813/"> Denial of Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0815"> <a href="/versions/v13/techniques/T0815/"> Denial of View </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0826"> <a href="/versions/v13/techniques/T0826/"> Loss of Availability </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0827"> <a href="/versions/v13/techniques/T0827/"> Loss of Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0828"> <a href="/versions/v13/techniques/T0828/"> Loss of Productivity and Revenue </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0837"> <a href="/versions/v13/techniques/T0837/"> Loss of Protection </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0880"> <a href="/versions/v13/techniques/T0880/"> Loss of Safety </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0829"> <a href="/versions/v13/techniques/T0829/"> Loss of View </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0831"> <a href="/versions/v13/techniques/T0831/"> Manipulation of Control </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0832"> <a href="/versions/v13/techniques/T0832/"> Manipulation of View </a> </div> </div> <div class="sidenav"> <div class="sidenav-head " id="ics-TA0105-T0882"> 
<a href="/versions/v13/techniques/T0882/"> Theft of Operational Information </a> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 col-lg-9 col-md-8 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Exfiltration Over C2 Channel </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Adversaries may steal data by exfiltrating it over an existing command and control channel. 
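</p> <p>One way to surface this in network telemetry, as an added example that is not part of the ATT&amp;CK page or MITRE's content: the Python below runs over constructed web-proxy records, first establishes that a source/destination pair looks like beaconing (several small, uniformly sized requests), and then flags requests on that same channel that are far larger than the beacon baseline, carry an oversized URL or an oversized Cookie header, or leave the conversation sending many times more bytes than it receives. The record field names, the destination names in the sample data and the threshold values are assumptions made for illustration.</p>

```python
"""Flag data exfiltration that rides an existing HTTP C2 channel.

Added example for this page, not MITRE content. Everything below is
hypothetical: the proxy log field names, the destination names in the
sample records and the threshold values are assumptions for illustration.
"""
from collections import defaultdict
from statistics import median

MIN_BASELINE = 4          # uniform small requests needed to call a pair "beaconing"
SIZE_FACTOR = 10          # a request this many times the beacon size is suspicious
URL_LEN_LIMIT = 2048      # common practical URL limit; longer rarely comes from a browser
COOKIE_LEN_LIMIT = 4096   # RFC 6265 asks implementations to support at least 4096 bytes;
                          # far larger cookies are a classic place to stuff encoded data
UPLOAD_RATIO = 5.0        # conversation sends this many times more bytes than it receives


def rec(ts, src, dst, method, url_len, cookie_len, req_bytes, resp_bytes):
    """Build one proxy log record (field names are an assumption, not a real schema)."""
    return dict(ts=ts, src=src, dst=dst, method=method, url_len=url_len,
                cookie_len=cookie_len, req_bytes=req_bytes, resp_bytes=resp_bytes)


# Constructed records, not real traffic. Host 10.0.0.7 beacons to one destination
# with small uniform GETs, then uses the same destination and protocol to push data
# out as a large POST body, as a long URL query string and as an oversized Cookie
# header. Host 10.0.0.9 polls an update server and pulls a large file, which is the
# benign mirror image: many bytes in, few bytes out.
C2 = ("10.0.0.7", "cdn-update.example")
UPD = ("10.0.0.9", "updates.example.org")
SAMPLE_LOG = [
    rec(1000, *C2, "GET", 42, 0, 310, 512),
    rec(1060, *C2, "GET", 42, 0, 305, 498),
    rec(1120, *C2, "GET", 44, 0, 312, 505),
    rec(1180, *C2, "GET", 43, 0, 308, 501),
    rec(1240, *C2, "POST", 42, 0, 2_400_000, 210),     # bulk upload in the POST body
    rec(1300, *C2, "GET", 3900, 0, 4300, 200),         # data packed into the URL
    rec(1360, *C2, "GET", 42, 6100, 6500, 198),        # data packed into the Cookie header
    rec(1005, *UPD, "GET", 60, 120, 640, 1200),
    rec(1065, *UPD, "GET", 60, 120, 638, 1190),
    rec(1125, *UPD, "GET", 61, 120, 642, 1210),
    rec(1185, *UPD, "GET", 60, 120, 639, 1205),
    rec(1245, *UPD, "GET", 88, 120, 655, 48_000_000),  # large download, small request
]


def group_conversations(records):
    """Group records by (src, dst), each group sorted by timestamp."""
    convs = defaultdict(list)
    for r in sorted(records, key=lambda r: r["ts"]):
        convs[(r["src"], r["dst"])].append(r)
    return convs


def beacon_baseline(conv):
    """Median size of the MIN_BASELINE smallest requests, if they are uniform enough
    to look like beacons; None when the pair does not look like a C2 channel."""
    sizes = sorted(r["req_bytes"] for r in conv)[:MIN_BASELINE]
    if len(sizes) < MIN_BASELINE:
        return None
    med = median(sizes)
    if all(abs(s - med) <= 0.25 * med for s in sizes):
        return med
    return None


def detect(records):
    """Return findings for requests and conversations that look like exfiltration
    over a channel that already behaves like C2 beaconing."""
    findings = []
    for (src, dst), conv in group_conversations(records).items():
        base = beacon_baseline(conv)
        if base is None:
            continue  # no beacon to ride; fresh channels are another detection's job
        for r in conv:
            reasons = []
            if r["req_bytes"] >= SIZE_FACTOR * base:
                reasons.append(f"request {r['req_bytes'] / base:.0f}x the beacon size")
            if r["url_len"] > URL_LEN_LIMIT:
                reasons.append(f"URL of {r['url_len']} bytes")
            if r["cookie_len"] > COOKIE_LEN_LIMIT:
                reasons.append(f"Cookie header of {r['cookie_len']} bytes")
            if reasons:
                findings.append({"src": src, "dst": dst, "ts": r["ts"],
                                 "method": r["method"], "reasons": reasons})
        sent = sum(r["req_bytes"] for r in conv)
        received = sum(r["resp_bytes"] for r in conv)
        if sent > UPLOAD_RATIO * received:
            findings.append({"src": src, "dst": dst, "ts": None, "method": None,
                             "reasons": [f"conversation sent {sent} bytes, received {received}"]})
    return findings


if __name__ == "__main__":
    for f in detect(SAMPLE_LOG):
        where = f"ts={f['ts']} {f['method']}" if f["ts"] is not None else "whole conversation"
        print(f"{f['src']} -> {f['dst']} [{where}]: " + "; ".join(f["reasons"]))
```

<p>In production the beacon baseline would come from hours of history per destination rather than the first few requests, and the thresholds need tuning against the proxy's normal traffic. The design point is that the exfiltration shares the destination, port and protocol of the beacon, so a detection cannot key on a new connection or a new domain; it has to key on request volume, direction and where in the request the bytes sit.</p> <p>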
Stolen data is encoded into the normal communications channel using the same protocol as command and control communications.</p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1041 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques: </span> No sub-techniques </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/versions/v13/tactics/TA0010">Exfiltration</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>William Cain </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>2.2 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>31 May 2017 </div> </div> <div class="row card-data"> <div 
class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>07 April 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1041" href="/versions/v13/techniques/T1041/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1041" href="/techniques/T1041/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v13/software/S0045"> S0045 </a> </td> <td> <a href="/versions/v13/software/S0045"> ADVSTORESHELL </a> </td> <td> <p><a href="/versions/v13/software/S0045">ADVSTORESHELL</a> exfiltrates data over the same channel used for C2.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" data-reference="ESET Sednit Part 2"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1025"> S1025 </a> </td> <td> <a href="/versions/v13/software/S1025"> Amadey </a> </td> <td> <p><a href="/versions/v13/software/S1025">Amadey</a> has sent victim data to its C2 servers.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" data-reference="BlackBerry Amadey 2020"><sup><a href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank" data-hasqtip="1" 
aria-describedby="qtip-1">[2]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0584"> S0584 </a> </td> <td> <a href="/versions/v13/software/S0584"> AppleJeus </a> </td> <td> <p><a href="/versions/v13/software/S0584">AppleJeus</a> has exfiltrated collected host information to a C2 server.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" data-reference="CISA AppleJeus Feb 2021"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0622"> S0622 </a> </td> <td> <a href="/versions/v13/software/S0622"> AppleSeed </a> </td> <td> <p><a href="/versions/v13/software/S0622">AppleSeed</a> can exfiltrate files via the C2 channel.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" data-reference="Malwarebytes Kimsuky June 2021"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0022"> G0022 </a> </td> <td> <a href="/versions/v13/groups/G0022"> APT3 </a> </td> <td> <p><a href="/versions/v13/groups/G0022">APT3</a> has a tool that exfiltrates data over the C2 channel.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" data-reference="FireEye Clandestine Fox"><sup><a href="https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0050"> G0050 </a> </td> <td> <a href="/versions/v13/groups/G0050"> APT32 </a> </td> <td> <p><a 
href="/versions/v13/groups/G0050">APT32</a>'s backdoor has exfiltrated data using the already opened channel with its C&C server.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" data-reference="ESET OceanLotus Mar 2019"><sup><a href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0087"> G0087 </a> </td> <td> <a href="/versions/v13/groups/G0087"> APT39 </a> </td> <td> <p><a href="/versions/v13/groups/G0087">APT39</a> has exfiltrated stolen victim data through C2 communications.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" data-reference="FBI FLASH APT39 September 2020"><sup><a href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0373"> S0373 </a> </td> <td> <a href="/versions/v13/software/S0373"> Astaroth </a> </td> <td> <p><a href="/versions/v13/software/S0373">Astaroth</a> exfiltrates collected information from its r1.log file to the external C2 server. 
<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" data-reference="Cybereason Astaroth Feb 2019"><sup><a href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0438"> S0438 </a> </td> <td> <a href="/versions/v13/software/S0438"> Attor </a> </td> <td> <p><a href="/versions/v13/software/S0438">Attor</a> has exfiltrated data over the C2 channel.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" data-reference="ESET Attor Oct 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1029"> S1029 </a> </td> <td> <a href="/versions/v13/software/S1029"> AuTo Stealer </a> </td> <td> <p><a href="/versions/v13/software/S1029">AuTo Stealer</a> can exfiltrate data over actor-controlled C2 servers via HTTP or TCP.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" data-reference="MalwareBytes SideCopy Dec 2021"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0031"> S0031 </a> </td> <td> <a href="/versions/v13/software/S0031"> BACKSPACE </a> </td> <td> <p>Adversaries can direct <a href="/versions/v13/software/S0031">BACKSPACE</a> to upload files to the C2 Server.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="FireEye APT30"><sup><a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="10" 
aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0234"> S0234 </a> </td> <td> <a href="/versions/v13/software/S0234"> Bandook </a> </td> <td> <p><a href="/versions/v13/software/S0234">Bandook</a> can upload files from a victim's machine over the C2 channel.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" data-reference="CheckPoint Bandook Nov 2020"><sup><a href="https://research.checkpoint.com/2020/bandook-signed-delivered/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0239"> S0239 </a> </td> <td> <a href="/versions/v13/software/S0239"> Bankshot </a> </td> <td> <p><a href="/versions/v13/software/S0239">Bankshot</a> exfiltrates data over its C2 channel.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" data-reference="McAfee Bankshot"><sup><a href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0268"> S0268 </a> </td> <td> <a href="/versions/v13/software/S0268"> Bisonal </a> </td> <td> <p><a href="/versions/v13/software/S0268">Bisonal</a> has added the exfiltrated data to the URL over the C2 channel.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" data-reference="Talos Bisonal Mar 2020"><sup><a href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0520"> S0520 </a> </td> <td> <a href="/versions/v13/software/S0520"> BLINDINGCAN </a> </td> <td> <p><a href="/versions/v13/software/S0520">BLINDINGCAN</a> has sent user and system 
information to a C2 server via HTTP POST requests.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" data-reference="NHS UK BLINDINGCAN Aug 2020"><sup><a href="https://digital.nhs.uk/cyber-alerts/2020/cc-3603" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span><span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" data-reference="US-CERT BLINDINGCAN Aug 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0657"> S0657 </a> </td> <td> <a href="/versions/v13/software/S0657"> BLUELIGHT </a> </td> <td> <p><a href="/versions/v13/software/S0657">BLUELIGHT</a> has exfiltrated data over its C2 channel.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" data-reference="Volexity InkySquid BLUELIGHT August 2021"><sup><a href="https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0651"> S0651 </a> </td> <td> <a href="/versions/v13/software/S0651"> BoxCaon </a> </td> <td> <p><a href="/versions/v13/software/S0651">BoxCaon</a> uploads files and data from a compromised host over the existing C2 channel.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" data-reference="Checkpoint IndigoZebra July 2021"><sup><a href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1039"> S1039 </a> </td> <td> <a href="/versions/v13/software/S1039"> Bumblebee </a> </td> <td> 
<p><a href="/versions/v13/software/S1039">Bumblebee</a> can send collected data in JSON format to C2.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" data-reference="Google EXOTIC LILY March 2022"><sup><a href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/campaigns/C0017"> C0017 </a> </td> <td> <a href="/versions/v13/campaigns/C0017"> C0017 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0017">C0017</a>, <a href="/versions/v13/groups/G0096">APT41</a> used its Cloudflare services C2 channels for data exfiltration.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" data-reference="Mandiant APT41"><sup><a href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0077"> S0077 </a> </td> <td> <a href="/versions/v13/software/S0077"> CallMe </a> </td> <td> <p><a href="/versions/v13/software/S0077">CallMe</a> exfiltrates data to its C2 server over the same protocol as C2 communications.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="Scarlet Mimic Jan 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0351"> S0351 </a> </td> <td> <a href="/versions/v13/software/S0351"> Cannon </a> </td> <td> <p><a href="/versions/v13/software/S0351">Cannon</a> exfiltrates collected data over email via SMTP/S and POP3/S C2 channels.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" 
class="scite-citeref-number" data-reference="Unit42 Cannon Nov 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0484"> S0484 </a> </td> <td> <a href="/versions/v13/software/S0484"> Carberp </a> </td> <td> <p><a href="/versions/v13/software/S0484">Carberp</a> has exfiltrated data via HTTP to already established C2 servers.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" data-reference="Prevx Carberp March 2011"><sup><a href="http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span><span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" data-reference="Trusteer Carberp October 2010"><sup><a href="https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0572"> S0572 </a> </td> <td> <a href="/versions/v13/software/S0572"> Caterpillar WebShell </a> </td> <td> <p><a href="/versions/v13/software/S0572">Caterpillar WebShell</a> can upload files over the C2 channel.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" data-reference="ClearSky Lebanese Cedar Jan 2021"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0674"> S0674 </a> </td> <td> <a href="/versions/v13/software/S0674"> CharmPower </a> </td> <td> <p><a 
href="/versions/v13/software/S0674">CharmPower</a> can exfiltrate gathered data to a hardcoded C2 URL via HTTP POST.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0114"> G0114 </a> </td> <td> <a href="/versions/v13/groups/G0114"> Chimera </a> </td> <td> <p><a href="/versions/v13/groups/G0114">Chimera</a> has used <a href="/versions/v13/software/S0154">Cobalt Strike</a> C2 beacons for data exfiltration.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" data-reference="NCC Group Chimera January 2021"><sup><a href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0667"> S0667 </a> </td> <td> <a href="/versions/v13/software/S0667"> Chrommme </a> </td> <td> <p><a href="/versions/v13/software/S0667">Chrommme</a> can exfiltrate collected data via C2.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" data-reference="ESET Gelsemium June 2021"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0142"> G0142 </a> </td> <td> <a href="/versions/v13/groups/G0142"> Confucius </a> </td> <td> <p><a href="/versions/v13/groups/G0142">Confucius</a> has exfiltrated stolen files to its C2 server.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" 
data-reference="TrendMicro Confucius APT Aug 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1024"> S1024 </a> </td> <td> <a href="/versions/v13/software/S1024"> CreepySnail </a> </td> <td> <p><a href="/versions/v13/software/S1024">CreepySnail</a> can connect to C2 for data exfiltration.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" data-reference="Microsoft POLONIUM June 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0115"> S0115 </a> </td> <td> <a href="/versions/v13/software/S0115"> Crimson </a> </td> <td> <p><a href="/versions/v13/software/S0115">Crimson</a> can exfiltrate stolen information over its C2.<span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" data-reference="Cisco Talos Transparent Tribe Education Campaign July 2022"><sup><a href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0538"> S0538 </a> </td> <td> <a href="/versions/v13/software/S0538"> Crutch </a> </td> <td> <p><a href="/versions/v13/software/S0538">Crutch</a> can exfiltrate data over the primary C2 channel (Dropbox HTTP API).<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" data-reference="ESET Crutch December 2020"><sup><a href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank" 
data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0687"> S0687 </a> </td> <td> <a href="/versions/v13/software/S0687"> Cyclops Blink </a> </td> <td> <p><a href="/versions/v13/software/S0687">Cyclops Blink</a> has the ability to upload exfiltrated files to a C2 server.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" data-reference="NCSC Cyclops Blink February 2022"><sup><a href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1021"> S1021 </a> </td> <td> <a href="/versions/v13/software/S1021"> DnsSystem </a> </td> <td> <p><a href="/versions/v13/software/S1021">DnsSystem</a> can exfiltrate collected data to its C2 server.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" data-reference="Zscaler Lyceum DnsSystem June 2022"><sup><a href="https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0600"> S0600 </a> </td> <td> <a href="/versions/v13/software/S0600"> Doki </a> </td> <td> <p><a href="/versions/v13/software/S0600">Doki</a> has used Ngrok to establish C2 and exfiltrate data.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" data-reference="Intezer Doki July 20"><sup><a href="https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0502"> S0502 </a> </td> <td> <a href="/versions/v13/software/S0502"> Drovorub </a> </td> <td> <p><a 
href="/versions/v13/software/S0502">Drovorub</a> can exfiltrate files over C2 infrastructure.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" data-reference="NSA/FBI Drovorub August 2020"><sup><a href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0062"> S0062 </a> </td> <td> <a href="/versions/v13/software/S0062"> DustySky </a> </td> <td> <p><a href="/versions/v13/software/S0062">DustySky</a> has exfiltrated data to the C2 server.<span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" data-reference="Kaspersky MoleRATs April 2019"><sup><a href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0024"> S0024 </a> </td> <td> <a href="/versions/v13/software/S0024"> Dyre </a> </td> <td> <p><a href="/versions/v13/software/S0024">Dyre</a> has the ability to send information staged on a compromised host externally to C2.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" data-reference="Malwarebytes Dyreza November 2015"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0377"> S0377 </a> </td> <td> <a href="/versions/v13/software/S0377"> Ebury </a> </td> <td> <p><a href="/versions/v13/software/S0377">Ebury</a> can exfiltrate SSH credentials through custom DNS queries.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" data-reference="ESET Windigo Mar 2014"><sup><a 
href="https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0367"> S0367 </a> </td> <td> <a href="/versions/v13/software/S0367"> Emotet </a> </td> <td> <p><a href="/versions/v13/software/S0367">Emotet</a> has been seen exfiltrating system information stored within cookies sent within an HTTP GET request back to its C2 servers. <span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" data-reference="Trend Micro Emotet Jan 2019"><sup><a href="https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0363"> S0363 </a> </td> <td> <a href="/versions/v13/software/S0363"> Empire </a> </td> <td> <p><a href="/versions/v13/software/S0363">Empire</a> can send data gathered from a target through the command and control channel.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" data-reference="Github PowerShell Empire"><sup><a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span><span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" data-reference="Talos Frankenstein June 2019"><sup><a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0568"> S0568 </a> </td> <td> <a href="/versions/v13/software/S0568"> EVILNUM </a> </td> <td> <p><a href="/versions/v13/software/S0568">EVILNUM</a> can upload files over the C2 channel from the infected 
host.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" data-reference="Prevailion EvilNum May 2020"><sup><a href="https://www.prevailion.com/phantom-in-the-command-shell-2/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0696"> S0696 </a> </td> <td> <a href="/versions/v13/software/S0696"> Flagpro </a> </td> <td> <p><a href="/versions/v13/software/S0696">Flagpro</a> has exfiltrated data to the C2 server.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" data-reference="NTT Security Flagpro new December 2021"><sup><a href="https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0381"> S0381 </a> </td> <td> <a href="/versions/v13/software/S0381"> FlawedAmmyy </a> </td> <td> <p><a href="/versions/v13/software/S0381">FlawedAmmyy</a> has sent data collected from a compromised host to its C2 servers.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" data-reference="Korean FSI TA505 2020"><sup><a href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0661"> S0661 </a> </td> <td> <a href="/versions/v13/software/S0661"> FoggyWeb </a> </td> <td> <p><a href="/versions/v13/software/S0661">FoggyWeb</a> can remotely exfiltrate sensitive information from a compromised AD FS server.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" data-reference="MSTIC FoggyWeb September 2021"><sup><a 
href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/campaigns/C0001"> C0001 </a> </td> <td> <a href="/versions/v13/campaigns/C0001"> Frankenstein </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0001">Frankenstein</a>, the threat actors collected information via <a href="/versions/v13/software/S0363">Empire</a>, which sent the data back to the adversary's C2.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" data-reference="Talos Frankenstein June 2019"><sup><a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1044"> S1044 </a> </td> <td> <a href="/versions/v13/software/S1044"> FunnyDream </a> </td> <td> <p><a href="/versions/v13/software/S1044">FunnyDream</a> can execute commands, including gathering user information, and send the results to C2.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0093"> G0093 </a> </td> <td> <a href="/versions/v13/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/versions/v13/groups/G0093">GALLIUM</a> used Web shells and <a href="/versions/v13/software/S0040">HTRAN</a> for C2 and to exfiltrate data.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" data-reference="Cybereason Soft Cell June 2019"><sup><a 
href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0047"> G0047 </a> </td> <td> <a href="/versions/v13/groups/G0047"> Gamaredon Group </a> </td> <td> <p>A <a href="/versions/v13/groups/G0047">Gamaredon Group</a> file stealer can transfer collected files to a hardcoded C2 server.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" data-reference="Palo Alto Gamaredon Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0493"> S0493 </a> </td> <td> <a href="/versions/v13/software/S0493"> GoldenSpy </a> </td> <td> <p><a href="/versions/v13/software/S0493">GoldenSpy</a> has exfiltrated host environment information to an external C2 domain via port 9006.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" data-reference="Trustwave GoldenSpy June 2020"><sup><a href="https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0588"> S0588 </a> </td> <td> <a href="/versions/v13/software/S0588"> GoldMax </a> </td> <td> <p><a href="/versions/v13/software/S0588">GoldMax</a> can exfiltrate files over the existing C2 channel.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" 
data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span><span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" data-reference="FireEye SUNSHUTTLE Mar 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0477"> S0477 </a> </td> <td> <a href="/versions/v13/software/S0477"> Goopy </a> </td> <td> <p><a href="/versions/v13/software/S0477">Goopy</a> has the ability to exfiltrate data over the Microsoft Outlook C2 channel.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0531"> S0531 </a> </td> <td> <a href="/versions/v13/software/S0531"> Grandoreiro </a> </td> <td> <p><a href="/versions/v13/software/S0531">Grandoreiro</a> can send data it retrieves to the C2 server.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" data-reference="ESET Grandoreiro April 2020"><sup><a href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0632"> S0632 </a> </td> <td> <a href="/versions/v13/software/S0632"> GrimAgent </a> </td> <td> <p><a href="/versions/v13/software/S0632">GrimAgent</a> has sent data related to a compromised host over its C2 channel.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" data-reference="Group IB GrimAgent July 2021"><sup><a href="https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0391"> S0391 </a> </td> <td> <a href="/versions/v13/software/S0391"> HAWKBALL </a> </td> <td> <p><a href="/versions/v13/software/S0391">HAWKBALL</a> has sent system information and files over the C2 channel.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" data-reference="FireEye HAWKBALL Jun 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0126"> G0126 </a> </td> <td> <a href="/versions/v13/groups/G0126"> Higaisa </a> </td> <td> <p><a href="/versions/v13/groups/G0126">Higaisa</a> exfiltrated data over its C2 channel.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" data-reference="Zscaler Higaisa 2020"><sup><a href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0376"> S0376 </a> </td> <td> <a href="/versions/v13/software/S0376"> HOPLIGHT </a> </td> <td> <p><a href="/versions/v13/software/S0376">HOPLIGHT</a> has used its C2 channel to exfiltrate data.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" data-reference="US-CERT HOPLIGHT Apr 2019"><sup><a href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0431"> S0431 </a> </td> <td> <a href="/versions/v13/software/S0431"> HotCroissant </a> </td>
<td> <p><a href="/versions/v13/software/S0431">HotCroissant</a> has the ability to download files from the infected host to the command and control (C2) server.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" data-reference="Carbon Black HotCroissant April 2020"><sup><a href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1022"> S1022 </a> </td> <td> <a href="/versions/v13/software/S1022"> IceApple </a> </td> <td> <p><a href="/versions/v13/software/S1022">IceApple</a>'s Multi File Exfiltrator module can exfiltrate multiple files from a compromised host as an HTTP response over C2.<span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" data-reference="CrowdStrike IceApple May 2022"><sup><a href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0434"> S0434 </a> </td> <td> <a href="/versions/v13/software/S0434"> Imminent Monitor </a> </td> <td> <p><a href="/versions/v13/software/S0434">Imminent Monitor</a> has uploaded a file containing debugger logs, network information and system information to the C2.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" data-reference="QiAnXin APT-C-36 Feb2019"><sup><a href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0604"> S0604 
</a> </td> <td> <a href="/versions/v13/software/S0604"> Industroyer </a> </td> <td> <p><a href="/versions/v13/software/S0604">Industroyer</a> sends information about hardware profiles and previously received commands back to the C2 server in a POST request.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" data-reference="ESET Industroyer"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0004"> G0004 </a> </td> <td> <a href="/versions/v13/groups/G0004"> Ke3chang </a> </td> <td> <p><a href="/versions/v13/groups/G0004">Ke3chang</a> transferred compressed and encrypted RAR files containing exfiltrated data through the established backdoor command and control channel during operations.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" data-reference="Mandiant Operation Ke3chang November 2014"><sup><a href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0487"> S0487 </a> </td> <td> <a href="/versions/v13/software/S0487"> Kessel </a> </td> <td> <p><a href="/versions/v13/software/S0487">Kessel</a> has exfiltrated information gathered from the infected system to the C2 server.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" data-reference="ESET ForSSHe December 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1020"> S1020 </a> </td> <td> <a href="/versions/v13/software/S1020">
Kevin </a> </td> <td> <p><a href="/versions/v13/software/S1020">Kevin</a> can send data from the victim host through a DNS C2 channel.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" data-reference="Kaspersky Lyceum October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0526"> S0526 </a> </td> <td> <a href="/versions/v13/software/S0526"> KGH_SPY </a> </td> <td> <p><a href="/versions/v13/software/S0526">KGH_SPY</a> can exfiltrate collected information from the host to the C2 server.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" data-reference="Cybereason Kimsuky November 2020"><sup><a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0094"> G0094 </a> </td> <td> <a href="/versions/v13/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/versions/v13/groups/G0094">Kimsuky</a> has exfiltrated data over its C2 channel.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" data-reference="Securelist Kimsuky Sept 2013"><sup><a href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span><span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" data-reference="Talos Kimsuky Nov 2021"><sup><a href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0356"> S0356 </a> </td> <td> <a href="/versions/v13/software/S0356"> 
KONNI </a> </td> <td> <p><a href="/versions/v13/software/S0356">KONNI</a> has sent data and files to its C2 server.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" data-reference="Talos Konni May 2017"><sup><a href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span><span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" data-reference="Malwarebytes Konni Aug 2021"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span><span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" data-reference="Malwarebytes KONNI Evolves Jan 2022"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0032"> G0032 </a> </td> <td> <a href="/versions/v13/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/versions/v13/groups/G0032">Lazarus Group</a> has exfiltrated data and files over a C2 channel through its various tools and malware.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" data-reference="Novetta Blockbuster"><sup><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span><span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" data-reference="Novetta Blockbuster Loaders"><sup><a 
href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span><span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" data-reference="McAfee Lazarus Resurfaces Feb 2018"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0065"> G0065 </a> </td> <td> <a href="/versions/v13/groups/G0065"> Leviathan </a> </td> <td> <p><a href="/versions/v13/groups/G0065">Leviathan</a> has exfiltrated data over its C2 channel.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" data-reference="CISA AA21-200A APT40 July 2021"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-200a" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0395"> S0395 </a> </td> <td> <a href="/versions/v13/software/S0395"> LightNeuron </a> </td> <td> <p><a href="/versions/v13/software/S0395">LightNeuron</a> exfiltrates data over its email C2 channel.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" data-reference="ESET LightNeuron May 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0680"> S0680 </a> </td> <td> <a href="/versions/v13/software/S0680"> LitePower </a> </td> <td> <p><a href="/versions/v13/software/S0680">LitePower</a> can send collected data, including screenshots, over its C2 channel.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" 
class="scite-citeref-number" data-reference="Kaspersky WIRTE November 2021"><sup><a href="https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0447"> S0447 </a> </td> <td> <a href="/versions/v13/software/S0447"> Lokibot </a> </td> <td> <p><a href="/versions/v13/software/S0447">Lokibot</a> has the ability to initiate contact with command and control (C2) to exfiltrate stolen data.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" data-reference="FSecure Lokibot November 2019"><sup><a href="https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G1014"> G1014 </a> </td> <td> <a href="/versions/v13/groups/G1014"> LuminousMoth </a> </td> <td> <p><a href="/versions/v13/groups/G1014">LuminousMoth</a> has used malware that exfiltrates stolen data to its C2 server.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" data-reference="Kaspersky LuminousMoth July 2021"><sup><a href="https://securelist.com/apt-luminousmoth/103332/" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0409"> S0409 </a> </td> <td> <a href="/versions/v13/software/S0409"> Machete </a> </td> <td> <p><a href="/versions/v13/software/S0409">Machete</a>'s collected data is exfiltrated over the same channel used for C2.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" data-reference="ESET Machete July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span></p> 
</td> </tr> <tr> <td> <a href="/versions/v13/software/S1016"> S1016 </a> </td> <td> <a href="/versions/v13/software/S1016"> MacMa </a> </td> <td> <p><a href="/versions/v13/software/S1016">MacMa</a> exfiltrates data from a supplied path over its C2 channel.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" data-reference="ESET DazzleSpy Jan 2022"><sup><a href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1060"> S1060 </a> </td> <td> <a href="/versions/v13/software/S1060"> Mafalda </a> </td> <td> <p><a href="/versions/v13/software/S1060">Mafalda</a> can send network system data and files to its C2 server.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" data-reference="SentinelLabs Metador Sept 2022"><sup><a href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0652"> S0652 </a> </td> <td> <a href="/versions/v13/software/S0652"> MarkiRAT </a> </td> <td> <p><a href="/versions/v13/software/S0652">MarkiRAT</a> can exfiltrate locally stored data via its C2.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" data-reference="Kaspersky Ferocious Kitten Jun 2021"><sup><a href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0459"> S0459 </a> </td> <td> <a href="/versions/v13/software/S0459"> MechaFlounder </a> </td> <td> <p><a href="/versions/v13/software/S0459">MechaFlounder</a> has the ability to send the compromised user's account name and 
hostname within a URL to C2.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" data-reference="Unit 42 MechaFlounder March 2019"><sup><a href="https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1059"> S1059 </a> </td> <td> <a href="/versions/v13/software/S1059"> metaMain </a> </td> <td> <p><a href="/versions/v13/software/S1059">metaMain</a> can upload collected files and data to its C2 server.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" data-reference="SentinelLabs Metador Technical Appendix Sept 2022"><sup><a href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0455"> S0455 </a> </td> <td> <a href="/versions/v13/software/S0455"> Metamorfo </a> </td> <td> <p><a href="/versions/v13/software/S0455">Metamorfo</a> can send the data it collects to the C2 server.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" data-reference="ESET Casbaneiro Oct 2019"><sup><a href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0084"> S0084 </a> </td> <td> <a href="/versions/v13/software/S0084"> Mis-Type </a> </td> <td> <p><a href="/versions/v13/software/S0084">Mis-Type</a> has transmitted collected files and data to its C2 server.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" data-reference="Cylance Dust Storm"><sup><a 
href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0083"> S0083 </a> </td> <td> <a href="/versions/v13/software/S0083"> Misdat </a> </td> <td> <p><a href="/versions/v13/software/S0083">Misdat</a> has uploaded files and data to its C2 servers.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0079"> S0079 </a> </td> <td> <a href="/versions/v13/software/S0079"> MobileOrder </a> </td> <td> <p><a href="/versions/v13/software/S0079">MobileOrder</a> exfiltrates data to its C2 server over the same protocol as C2 communications.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="Scarlet Mimic Jan 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1026"> S1026 </a> </td> <td> <a href="/versions/v13/software/S1026"> Mongall </a> </td> <td> <p><a href="/versions/v13/software/S1026">Mongall</a> can upload files and information from a compromised host to its C2 server.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" data-reference="SentinelOne Aoqin Dragon June 2022"><sup><a 
href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0069"> G0069 </a> </td> <td> <a href="/versions/v13/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/versions/v13/groups/G0069">MuddyWater</a> has used C2 infrastructure to receive exfiltrated data.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" data-reference="Reaqta MuddyWater November 2017"><sup><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0034"> S0034 </a> </td> <td> <a href="/versions/v13/software/S0034"> NETEAGLE </a> </td> <td> <p><a href="/versions/v13/software/S0034">NETEAGLE</a> is capable of reading files over the C2 channel.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" data-reference="FireEye APT30"><sup><a href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0385"> S0385 </a> </td> <td> <a href="/versions/v13/software/S0385"> njRAT </a> </td> <td> <p><a href="/versions/v13/software/S0385">njRAT</a> has used HTTP to receive stolen information from the infected machine.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" data-reference="Trend Micro njRAT 2018"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span> </p> </td> </tr> <tr> 
<td> <a href="/versions/v13/software/S0340"> S0340 </a> </td> <td> <a href="/versions/v13/software/S0340"> Octopus </a> </td> <td> <p><a href="/versions/v13/software/S0340">Octopus</a> has uploaded stolen files and data from a victim's machine over its C2 channel.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" data-reference="Securelist Octopus Oct 2018"><sup><a href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0439"> S0439 </a> </td> <td> <a href="/versions/v13/software/S0439"> Okrum </a> </td> <td> <p>Data exfiltration is done by <a href="/versions/v13/software/S0439">Okrum</a> using the already opened channel with the C2 server.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" data-reference="ESET Okrum July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0264"> S0264 </a> </td> <td> <a href="/versions/v13/software/S0264"> OopsIE </a> </td> <td> <p><a href="/versions/v13/software/S0264">OopsIE</a> can upload files from the victim's machine to its C2 server.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" data-reference="Unit 42 OopsIE! 
Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/campaigns/C0022"> C0022 </a> </td> <td> <a href="/versions/v13/campaigns/C0022"> Operation Dream Job </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0022">Operation Dream Job</a>, <a href="/versions/v13/groups/G0032">Lazarus Group</a> exfiltrated data from a compromised host to actor-controlled C2 servers.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" data-reference="ClearSky Lazarus Aug 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/campaigns/C0006"> C0006 </a> </td> <td> <a href="/versions/v13/campaigns/C0006"> Operation Honeybee </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0006">Operation Honeybee</a>, the threat actors uploaded stolen files to their C2 servers.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" data-reference="McAfee Honeybee"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/campaigns/C0014"> C0014 </a> </td> <td> <a href="/versions/v13/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors used the XServer backdoor to exfiltrate data.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" data-reference="FoxIT 
Wocao December 2019"><sup><a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1017"> S1017 </a> </td> <td> <a href="/versions/v13/software/S1017"> OutSteel </a> </td> <td> <p><a href="/versions/v13/software/S1017">OutSteel</a> can upload files from a compromised host over its C2 channel.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" data-reference="Palo Alto Unit 42 OutSteel SaintBot February 2022 "><sup><a href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1050"> S1050 </a> </td> <td> <a href="/versions/v13/software/S1050"> PcShare </a> </td> <td> <p><a href="/versions/v13/software/S1050">PcShare</a> can upload files and information from a compromised host to its C2 servers.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0587"> S0587 </a> </td> <td> <a href="/versions/v13/software/S0587"> Penquin </a> </td> <td> <p><a href="/versions/v13/software/S0587">Penquin</a> can execute the command code <code>do_upload</code> to send files to C2.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" data-reference="Leonardo Turla Penquin May 2020"><sup><a href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank" data-hasqtip="97" 
aria-describedby="qtip-97">[98]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1031"> S1031 </a> </td> <td> <a href="/versions/v13/software/S1031"> PingPull </a> </td> <td> <p><a href="/versions/v13/software/S1031">PingPull</a> has the ability to exfiltrate stolen victim data through its C2 channel.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" data-reference="Unit 42 PingPull Jun 2022"><sup><a href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0428"> S0428 </a> </td> <td> <a href="/versions/v13/software/S0428"> PoetRAT </a> </td> <td> <p><a href="/versions/v13/software/S0428">PoetRAT</a> has exfiltrated data over the C2 channel.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" data-reference="Talos PoetRAT October 2020"><sup><a href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0441"> S0441 </a> </td> <td> <a href="/versions/v13/software/S0441"> PowerShower </a> </td> <td> <p><a href="/versions/v13/software/S0441">PowerShower</a> has used a PowerShell document stealer module to pack and exfiltrate .txt, .pdf, .xls or .doc files smaller than 5MB that were modified during the past two days.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" data-reference="Kaspersky Cloud Atlas August 2019"><sup><a href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0238"> S0238 </a> </td> <td> <a href="/versions/v13/software/S0238"> Proxysvc </a> </td> <td> <p><a 
href="/versions/v13/software/S0238">Proxysvc</a> performs data exfiltration over the control server channel using a custom protocol.<span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" data-reference="McAfee GhostSecret"><sup><a href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0078"> S0078 </a> </td> <td> <a href="/versions/v13/software/S0078"> Psylo </a> </td> <td> <p><a href="/versions/v13/software/S0078">Psylo</a> exfiltrates data to its C2 server over the same protocol as C2 communications.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" data-reference="Scarlet Mimic Jan 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0147"> S0147 </a> </td> <td> <a href="/versions/v13/software/S0147"> Pteranodon </a> </td> <td> <p><a href="/versions/v13/software/S0147">Pteranodon</a> exfiltrates screenshot files to its C2 server.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" data-reference="Palo Alto Gamaredon Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0192"> S0192 </a> </td> <td> <a href="/versions/v13/software/S0192"> Pupy </a> </td> <td> <p><a href="/versions/v13/software/S0192">Pupy</a> can send screenshot files, keylogger data, files, and recorded audio back to the C2 server.<span 
onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" data-reference="GitHub Pupy"><sup><a href="https://github.com/n1nj4sec/pupy" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0650"> S0650 </a> </td> <td> <a href="/versions/v13/software/S0650"> QakBot </a> </td> <td> <p><a href="/versions/v13/software/S0650">QakBot</a> can send stolen information to C2 nodes including passwords, accounts, and emails.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" data-reference="Kaspersky QakBot September 2021"><sup><a href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0495"> S0495 </a> </td> <td> <a href="/versions/v13/software/S0495"> RDAT </a> </td> <td> <p><a href="/versions/v13/software/S0495">RDAT</a> can exfiltrate data gathered from the infected system via the established Exchange Web Services API C2 channel.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" data-reference="Unit42 RDAT July 2020"><sup><a href="https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0375"> S0375 </a> </td> <td> <a href="/versions/v13/software/S0375"> Remexi </a> </td> <td> <p><a href="/versions/v13/software/S0375">Remexi</a> performs exfiltration over <a href="/versions/v13/software/S0190">BITSAdmin</a>, which is also used for the C2 channel.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" data-reference="Securelist Remexi Jan 2019"><sup><a href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank" 
data-hasqtip="105" aria-describedby="qtip-105">[106]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0496"> S0496 </a> </td> <td> <a href="/versions/v13/software/S0496"> REvil </a> </td> <td> <p><a href="/versions/v13/software/S0496">REvil</a> can exfiltrate host and malware information to C2 servers.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" data-reference="Secureworks REvil September 2019"><sup><a href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0448"> S0448 </a> </td> <td> <a href="/versions/v13/software/S0448"> Rising Sun </a> </td> <td> <p><a href="/versions/v13/software/S0448">Rising Sun</a> can send data gathered from the infected machine via HTTP POST request to the C2.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" data-reference="McAfee Sharpshooter December 2018"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0240"> S0240 </a> </td> <td> <a href="/versions/v13/software/S0240"> ROKRAT </a> </td> <td> <p><a href="/versions/v13/software/S0240">ROKRAT</a> can send collected files back over the same C2 channel.<span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" data-reference="Talos ROKRAT"><sup><a href="https://blog.talosintelligence.com/2017/04/introducing-rokrat.html" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0085"> S0085 </a> </td> <td> <a href="/versions/v13/software/S0085"> S-Type </a> </td> <td> <p><a 
href="/versions/v13/software/S0085">S-Type</a> has uploaded data and files from a compromised host to its C2 servers.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" data-reference="Cylance Dust Storm"><sup><a href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0034"> G0034 </a> </td> <td> <a href="/versions/v13/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/versions/v13/groups/G0034">Sandworm Team</a> has sent system information to its C2 server using HTTP.<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0461"> S0461 </a> </td> <td> <a href="/versions/v13/software/S0461"> SDBbot </a> </td> <td> <p><a href="/versions/v13/software/S0461">SDBbot</a> has sent collected data from a compromised host to its C2 servers.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" data-reference="Korean FSI TA505 2020"><sup><a href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1019"> S1019 </a> </td> <td> <a href="/versions/v13/software/S1019"> Shark </a> </td> <td> <p><a href="/versions/v13/software/S1019">Shark</a> has the ability to upload files from the compromised host over a DNS or HTTP C2 channel.<span 
onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" data-reference="ClearSky Siamesekitten August 2021"><sup><a href="https://www.clearskysec.com/siamesekitten/" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0445"> S0445 </a> </td> <td> <a href="/versions/v13/software/S0445"> ShimRatReporter </a> </td> <td> <p><a href="/versions/v13/software/S0445">ShimRatReporter</a> sent generated reports to the C2 via HTTP POST requests.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" data-reference="FOX-IT May 2016 Mofang"><sup><a href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0610"> S0610 </a> </td> <td> <a href="/versions/v13/software/S0610"> SideTwist </a> </td> <td> <p><a href="/versions/v13/software/S0610">SideTwist</a> has exfiltrated data over its C2 channel.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" data-reference="Check Point APT34 April 2021"><sup><a href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0692"> S0692 </a> </td> <td> <a href="/versions/v13/software/S0692"> SILENTTRINITY </a> </td> <td> <p><a href="/versions/v13/software/S0692">SILENTTRINITY</a> can transfer files from an infected host to the C2 server.<span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" data-reference="GitHub SILENTTRINITY Modules July 2019"><sup><a href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank" 
data-hasqtip="113" aria-describedby="qtip-113">[114]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0633"> S0633 </a> </td> <td> <a href="/versions/v13/software/S0633"> Sliver </a> </td> <td> <p><a href="/versions/v13/software/S0633">Sliver</a> can exfiltrate files from the victim using the <code>download</code> command.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" data-reference="GitHub Sliver Download"><sup><a href="https://github.com/BishopFox/sliver/blob/7489c69962b52b09ed377d73d142266564845297/client/command/filesystem/download.go" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0533"> S0533 </a> </td> <td> <a href="/versions/v13/software/S0533"> SLOTHFULMEDIA </a> </td> <td> <p><a href="/versions/v13/software/S0533">SLOTHFULMEDIA</a> has sent system information to a C2 server via HTTP and HTTPS POST requests.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" data-reference="CISA MAR SLOTHFULMEDIA October 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0649"> S0649 </a> </td> <td> <a href="/versions/v13/software/S0649"> SMOKEDHAM </a> </td> <td> <p><a href="/versions/v13/software/S0649">SMOKEDHAM</a> has exfiltrated data to its C2 server.<span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" data-reference="FireEye SMOKEDHAM June 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0615"> S0615 </a> </td> <td> <a 
href="/versions/v13/software/S0615"> SombRAT </a> </td> <td> <p><a href="/versions/v13/software/S0615">SombRAT</a> has uploaded collected data and files from a compromised host to its C2 server.<span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" data-reference="BlackBerry CostaRicto November 2020"><sup><a href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0543"> S0543 </a> </td> <td> <a href="/versions/v13/software/S0543"> Spark </a> </td> <td> <p><a href="/versions/v13/software/S0543">Spark</a> has exfiltrated data over the C2 channel.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" data-reference="Unit42 Molerat Mar 2020"><sup><a href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1030"> S1030 </a> </td> <td> <a href="/versions/v13/software/S1030"> Squirrelwaffle </a> </td> <td> <p><a href="/versions/v13/software/S1030">Squirrelwaffle</a> has exfiltrated victim data using HTTP POST requests to its C2 servers.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" data-reference="ZScaler Squirrelwaffle Sep 2021"><sup><a href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1037"> S1037 </a> </td> <td> <a href="/versions/v13/software/S1037"> STARWHALE </a> </td> <td> <p><a href="/versions/v13/software/S1037">STARWHALE</a> can exfiltrate collected data to its C2 servers.<span onclick=scrollToRef('scite-121') 
id="scite-ref-121-a" class="scite-citeref-number" data-reference="DHS CISA AA22-055A MuddyWater February 2022"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0038"> G0038 </a> </td> <td> <a href="/versions/v13/groups/G0038"> Stealth Falcon </a> </td> <td> <p>After data is collected by <a href="/versions/v13/groups/G0038">Stealth Falcon</a> malware, it is exfiltrated over the existing C2 channel.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" data-reference="Citizen Lab Stealth Falcon May 2016"><sup><a href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1034"> S1034 </a> </td> <td> <a href="/versions/v13/software/S1034"> StrifeWater </a> </td> <td> <p><a href="/versions/v13/software/S1034">StrifeWater</a> can send data and files from a compromised host to its C2 server.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" data-reference="Cybereason StrifeWater Feb 2022"><sup><a href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0491"> S0491 </a> </td> <td> <a href="/versions/v13/software/S0491"> StrongPity </a> </td> <td> <p><a href="/versions/v13/software/S0491">StrongPity</a> can exfiltrate collected documents through C2 channels.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" data-reference="Talos Promethium June 2020"><sup><a href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" 
target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a></sup></span><span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" data-reference="Bitdefender StrongPity June 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0603"> S0603 </a> </td> <td> <a href="/versions/v13/software/S0603"> Stuxnet </a> </td> <td> <p><a href="/versions/v13/software/S0603">Stuxnet</a> sends compromised victim information via HTTP.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" data-reference="Nicolas Falliere, Liam O Murchu, Eric Chien February 2011"><sup><a href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1042"> S1042 </a> </td> <td> <a href="/versions/v13/software/S1042"> SUGARDUMP </a> </td> <td> <p><a href="/versions/v13/software/S1042">SUGARDUMP</a> has sent stolen credentials and other data to its C2 server.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" data-reference="Mandiant UNC3890 Aug 2022"><sup><a href="https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1064"> S1064 </a> </td> <td> <a href="/versions/v13/software/S1064"> SVCReady </a> </td> <td> <p><a href="/versions/v13/software/S1064">SVCReady</a> can send collected data in JSON format to its C2 server.<span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" 
data-reference="HP SVCReady Jun 2022"><sup><a href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0663"> S0663 </a> </td> <td> <a href="/versions/v13/software/S0663"> SysUpdate </a> </td> <td> <p><a href="/versions/v13/software/S0663">SysUpdate</a> has exfiltrated data over its C2 channel.<span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" data-reference="Lunghi Iron Tiger Linux"><sup><a href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0467"> S0467 </a> </td> <td> <a href="/versions/v13/software/S0467"> TajMahal </a> </td> <td> <p><a href="/versions/v13/software/S0467">TajMahal</a> has the ability to send collected files over its C2.<span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" data-reference="Kaspersky TajMahal April 2019"><sup><a href="https://securelist.com/project-tajmahal/90240/" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0595"> S0595 </a> </td> <td> <a href="/versions/v13/software/S0595"> ThiefQuest </a> </td> <td> <p><a href="/versions/v13/software/S0595">ThiefQuest</a> exfiltrates files with targeted extensions in the <code>/Users/</code> folder to the command and control server via unencrypted HTTP. 
Network packets contain a string with two pieces of information: a file path and the contents of the file in a base64 encoded string.<span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" data-reference="wardle evilquest partii"><sup><a href="https://objective-see.com/blog/blog_0x60.html" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a></sup></span><span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" data-reference="reed thiefquest ransomware analysis"><sup><a href="https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0671"> S0671 </a> </td> <td> <a href="/versions/v13/software/S0671"> Tomiris </a> </td> <td> <p><a href="/versions/v13/software/S0671">Tomiris</a> can upload files matching a hardcoded set of extensions, such as .doc, .docx, .pdf, and .rar, to its C2 server.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" data-reference="Kaspersky Tomiris Sep 2021"><sup><a href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0678"> S0678 </a> </td> <td> <a href="/versions/v13/software/S0678"> Torisma </a> </td> <td> <p><a href="/versions/v13/software/S0678">Torisma</a> can send victim data to an actor-controlled C2 server.<span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" data-reference="McAfee Lazarus Nov 2020"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a></sup></span></p> </td> </tr> <tr> <td> <a 
href="/versions/v13/software/S0266"> S0266 </a> </td> <td> <a href="/versions/v13/software/S0266"> TrickBot </a> </td> <td> <p><a href="/versions/v13/software/S0266">TrickBot</a> can send information about the compromised host and upload data to a hardcoded C2 server.<span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" data-reference="Cyberreason Anchor December 2019"><sup><a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a></sup></span><span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" data-reference="Bitdefender Trickbot VNC module Whitepaper 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0386"> S0386 </a> </td> <td> <a href="/versions/v13/software/S0386"> Ursnif </a> </td> <td> <p><a href="/versions/v13/software/S0386">Ursnif</a> has used HTTP POSTs to exfiltrate gathered information.<span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" data-reference="TrendMicro Ursnif Mar 2015"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a></sup></span><span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" data-reference="FireEye Ursnif Nov 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a></sup></span><span 
onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" data-reference="ProofPoint Ursnif Aug 2016"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0476"> S0476 </a> </td> <td> <a href="/versions/v13/software/S0476"> Valak </a> </td> <td> <p><a href="/versions/v13/software/S0476">Valak</a> has the ability to exfiltrate data over the C2 channel.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" data-reference="Cybereason Valak May 2020"><sup><a href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a></sup></span><span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" data-reference="Unit 42 Valak July 2020"><sup><a href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span><span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" data-reference="SentinelOne Valak June 2020"><sup><a href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0670"> S0670 </a> </td> <td> <a href="/versions/v13/software/S0670"> WarzoneRAT </a> </td> <td> <p><a href="/versions/v13/software/S0670">WarzoneRAT</a> can send collected victim data to its C2 server.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" data-reference="Check Point Warzone Feb 2020"><sup><a href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank" data-hasqtip="142" 
aria-describedby="qtip-142">[143]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0102"> G0102 </a> </td> <td> <a href="/versions/v13/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/versions/v13/groups/G0102">Wizard Spider</a> has exfiltrated domain credentials and network enumeration information over command and control (C2) channels.<span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" data-reference="CrowdStrike Grim Spider May 2019"><sup><a href="https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S1065"> S1065 </a> </td> <td> <a href="/versions/v13/software/S1065"> Woody RAT </a> </td> <td> <p><a href="/versions/v13/software/S1065">Woody RAT</a> can exfiltrate files from an infected machine to its C2 server.<span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" data-reference="MalwareBytes WoodyRAT Aug 2022"><sup><a href="https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0658"> S0658 </a> </td> <td> <a href="/versions/v13/software/S0658"> XCSSET </a> </td> <td> <p><a href="/versions/v13/software/S0658">XCSSET</a> exfiltrates data stolen from a system over its C2 channel.<span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" data-reference="trendmicro xcsset xcode project 2020"><sup><a href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0251"> S0251 </a> </td> <td> <a 
href="/versions/v13/software/S0251"> Zebrocy </a> </td> <td> <p><a href="/versions/v13/software/S0251">Zebrocy</a> has exfiltrated data to the designated C2 server using HTTP POST requests.<span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" data-reference="Accenture SNAKEMACKEREL Nov 2018"><sup><a href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a></sup></span><span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" data-reference="CISA Zebrocy Oct 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v13/groups/G0128"> G0128 </a> </td> <td> <a href="/versions/v13/groups/G0128"> ZIRCONIUM </a> </td> <td> <p><a href="/versions/v13/groups/G0128">ZIRCONIUM</a> has exfiltrated files via the Dropbox API C2.<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" data-reference="Zscaler APT31 Covid-19 October 2020"><sup><a href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v13/software/S0086"> S0086 </a> </td> <td> <a href="/versions/v13/software/S0086"> ZLib </a> </td> <td> <p><a href="/versions/v13/software/S0086">ZLib</a> has sent data and files from a compromised host to its C2 servers.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" data-reference="Cylance Dust Storm"><sup><a 
href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> </tbody> </table>
<h2 class="pt-3" id="mitigations">Mitigations</h2>
<table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody>
<tr> <td> <a href="/versions/v13/mitigations/M1057"> M1057 </a> </td> <td> <a href="/versions/v13/mitigations/M1057"> Data Loss Prevention </a> </td> <td> <p>Data loss prevention can detect and block sensitive data being sent over unencrypted protocols.</p> </td> </tr>
<tr> <td> <a href="/versions/v13/mitigations/M1031"> M1031 </a> </td> <td> <a href="/versions/v13/mitigations/M1031"> Network Intrusion Prevention </a> </td> <td> <p>Network intrusion detection and prevention systems that use network signatures to identify traffic for specific adversary malware can be used to mitigate activity at the network level. Signatures are often for unique indicators within protocols and may be based on the specific obfuscation technique used by a particular adversary or tool, and will likely differ across malware families and versions. Adversaries will likely change tool command and control signatures over time or construct protocols in such a way as to avoid detection by common defensive tools. <span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" data-reference="University of Birmingham C2"><sup><a href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a></sup></span></p> </td> </tr> </tbody> </table>
<h2 class="pt-3" id="detection">Detection</h2>
<table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody>
<tr class="datasource" id="uses-DS0017"> <td> <a href="/versions/v13/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/versions/v13/datasources/DS0017">Command</a> </td> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments that may steal data by exfiltrating it over an existing command and control channel.</p> </td> </tr>
<tr class="datasource" id="uses-DS0022"> <td> <a href="/versions/v13/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/versions/v13/datasources/DS0022">File</a> </td> <td> <a href="/datasources/DS0022/#File%20Access">File Access</a> </td> <td> <p>Monitor for suspicious access to files (e.g. .pdf, .docx, .jpg), viewed in isolation, that may steal data by exfiltrating it over an existing command and control channel.</p> </td> </tr>
<tr class="datasource" id="uses-DS0029"> <td> <a href="/versions/v13/datasources/DS0029">DS0029</a> </td> <td class="nowrap"> <a href="/versions/v13/datasources/DS0029">Network Traffic</a> </td> <td> <a href="/datasources/DS0029/#Network%20Connection%20Creation">Network Connection Creation</a> </td> <td> <p>Monitor for newly constructed network connections that are sent or received by untrusted hosts.</p> </td> </tr>
<tr class="datacomponent datasource" id="uses-DS0029-Network Traffic Content"> <td></td> <td></td> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Content">Network Traffic Content</a> </td> <td> <p>Monitor and analyze traffic patterns, and inspect packets, for protocol(s) that do not follow the expected protocol standards and traffic flows (e.g. extraneous packets that do not belong to established flows, gratuitous or anomalous traffic patterns, anomalous syntax or structure). Consider correlation with process monitoring and command-line data to detect anomalous process execution and command-line arguments associated with those traffic patterns (e.g. monitor for anomalies in the use of files that do not normally initiate connections for the respective protocol(s)).</p> </td> </tr>
<tr class="datacomponent datasource" id="uses-DS0029-Network Traffic Flow"> <td></td> <td></td> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Flow">Network Traffic Flow</a> </td> <td> <p>Monitor network data for uncommon data flows. 
Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious.</p> </td> </tr> </tbody> </table> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part-2.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 2: Observing the Comings and Goings. Retrieved November 21, 2016. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://blogs.blackberry.com/en/2020/01/threat-spotlight-amadey-bot" target="_blank"> Kasuya, M. (2020, January 8). Threat Spotlight: Amadey Bot Targets Non-Russian Users. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://blog.malwarebytes.com/threat-analysis/2021/06/kimsuky-apt-continues-to-target-south-korean-government-using-appleseed-backdoor/" target="_blank"> Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 
</a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.fireeye.com/blog/threat-research/2014/04/new-zero-day-exploit-targeting-internet-explorer-versions-9-through-11-identified-in-targeted-attacks.html" target="_blank"> Chen, X., Scott, M., Caselden, D. (2014, April 26). New Zero-Day Exploit targeting Internet Explorer Versions 9 through 11 Identified in Targeted Attacks. Retrieved January 14, 2016. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank"> Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank"> FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank"> Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. 
</a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank"> Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank"> Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www2.fireeye.com/rs/fireye/images/rpt-apt30.pdf" target="_blank"> FireEye Labs. (2015, April). APT30 AND THE MECHANICS OF A LONG-RUNNING CYBER ESPIONAGE OPERATION. Retrieved May 1, 2015. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://research.checkpoint.com/2020/bandook-signed-delivered/" target="_blank"> Check Point. (2020, November 26). Bandook: Signed & Delivered. Retrieved May 31, 2021. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://securingtomorrow.mcafee.com/mcafee-labs/hidden-cobra-targets-turkish-financial-sector-new-bankshot-implant/" target="_blank"> Sherstobitoff, R. (2018, March 08). Hidden Cobra Targets Turkish Financial Sector With New Bankshot Implant. 
Retrieved May 18, 2018. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://blog.talosintelligence.com/2020/03/bisonal-10-years-of-play.html" target="_blank"> Mercer, W., et al. (2020, March 5). Bisonal: 10 years of play. Retrieved January 26, 2022. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://digital.nhs.uk/cyber-alerts/2020/cc-3603" target="_blank"> NHS Digital. (2020, August 20). BLINDINGCAN Remote Access Trojan. Retrieved August 20, 2020. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-232a" target="_blank"> US-CERT. (2020, August 19). MAR-10295134-1.v1 – North Korean Remote Access Trojan: BLINDINGCAN. Retrieved August 19, 2020. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.volexity.com/blog/2021/08/17/north-korean-apt-inkysquid-infects-victims-using-browser-exploits/" target="_blank"> Cash, D., Grunzweig, J., Meltzer, M., Adair, S., Lancaster, T. (2021, August 17). North Korean APT InkySquid Infects Victims Using Browser Exploits. Retrieved September 30, 2021. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://research.checkpoint.com/2021/indigozebra-apt-continues-to-attack-central-asia-with-evolving-tools/" target="_blank"> CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 
</a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" target="_blank"> Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank"> Brown, R., Ta, V., Bienstock, D., Ackerman, G., Wolfram, J. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="http://researchcenter.paloaltonetworks.com/2016/01/scarlet-mimic-years-long-espionage-targets-minority-activists/" target="_blank"> Falcone, R. and Miller-Osborn, J. (2016, January 24). Scarlet Mimic: Years-Long Espionage Campaign Targets Minority Activists. Retrieved February 10, 2016. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://researchcenter.paloaltonetworks.com/2018/11/unit42-sofacy-continues-global-attacks-wheels-new-cannon-trojan/" target="_blank"> Falcone, R., Lee, B. (2018, November 20). Sofacy Continues Global Attacks and Wheels Out New ‘Cannon’ Trojan. Retrieved November 26, 2018. 
</a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="http://pxnow.prevx.com/content/blog/carberp-a_modular_information_stealing_trojan.pdf" target="_blank"> Giuliani, M., Allievi, A. (2011, February 28). Carberp - a modular information stealing trojan. Retrieved July 15, 2020. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://web.archive.org/web/20111004014029/http://www.trusteer.com/sites/default/files/Carberp_Analysis.pdf" target="_blank"> Trusteer Fraud Prevention Center. (2010, October 7). Carberp Under the Hood of Carberp: Malware & Configuration Analysis. Retrieved July 15, 2020. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.clearskysec.com/wp-content/uploads/2021/01/Lebanese-Cedar-APT.pdf" target="_blank"> ClearSky Cyber Security. (2021, January). “Lebanese Cedar” APT Global Lebanese Espionage Campaign Leveraging Web Servers. Retrieved February 10, 2021. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank"> Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. 
</a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W. (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.welivesecurity.com/wp-content/uploads/2021/06/eset_gelsemium.pdf" target="_blank"> Dupuy, T. and Faou, M. (2021, June). Gelsemium. Retrieved November 30, 2021. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" target="_blank"> Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.microsoft.com/security/blog/2022/06/02/exposing-polonium-activity-and-infrastructure-targeting-israeli-organizations/" target="_blank"> Microsoft. (2022, June 2). Exposing POLONIUM activity and infrastructure targeting Israeli organizations. Retrieved July 1, 2022. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://blog.talosintelligence.com/2022/07/transparent-tribe-targets-education.html" target="_blank"> Baisini, N. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. 
Retrieved September 22, 2022. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank"> Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.ncsc.gov.uk/files/Cyclops-Blink-Malware-Analysis-Report.pdf" target="_blank"> NCSC. (2022, February 23). Cyclops Blink Malware Analysis Report. Retrieved March 3, 2022. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://www.zscaler.com/blogs/security-research/lyceum-net-dns-backdoor" target="_blank"> Shivtarkar, N. and Kumar, A. (2022, June 9). Lyceum .NET DNS Backdoor. Retrieved June 23, 2022. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.intezer.com/blog/cloud-security/watch-your-containers-doki-infecting-docker-servers-in-the-cloud/" target="_blank"> Fishbein, N., Kajiloti, M. (2020, July 28). Watch Your Containers: Doki Infecting Docker Servers in the Cloud. Retrieved March 30, 2021. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://media.defense.gov/2020/Aug/13/2002476465/-1/-1/0/CSA_DROVORUB_RUSSIAN_GRU_MALWARE_AUG_2020.PDF" target="_blank"> NSA/FBI. (2020, August). Russian GRU 85th GTsSS Deploys Previously Undisclosed Drovorub Malware. Retrieved August 25, 2020. 
</a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://securelist.com/gaza-cybergang-group1-operation-sneakypastes/90068/" target="_blank"> GReAT. (2019, April 10). Gaza Cybergang Group1, operation SneakyPastes. Retrieved May 13, 2020. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank"> hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.welivesecurity.com/2014/03/18/operation-windigo-the-vivisection-of-a-large-linux-server-side-credential-stealing-malware-campaign/" target="_blank"> Bilodeau, O., Bureau, M., Calvet, J., Dorais-Joncas, A., Léveillé, M., Vanheuverzwijn, B. (2014, March 18). Operation Windigo – the vivisection of a large Linux server‑side credential‑stealing malware campaign. Retrieved February 10, 2021. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" target="_blank"> Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. 
</a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank"> Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://www.prevailion.com/phantom-in-the-command-shell-2/" target="_blank"> Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://insight-jp.nttsecurity.com/post/102hf3q/flagpro-the-new-malware-used-by-blacktech" target="_blank"> Hada, H. (2021, December 28). Flagpro The new malware used by BlackTech. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.fsec.or.kr/user/bbs/fsec/163/344/bbsDataView/1382.do?page=1&column=&search=&searchSDate=&searchEDate=&bbsDataCategory=" target="_blank"> Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.microsoft.com/security/blog/2021/09/27/foggyweb-targeted-nobelium-malware-leads-to-persistent-backdoor/" target="_blank"> Ramin Nafisi. (2021, September 27). 
FoggyWeb: Targeted NOBELIUM malware leads to persistent backdoor. Retrieved October 4, 2021. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank"> Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank"> Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.trustwave.com/en-us/resources/library/documents/the-golden-tax-department-and-the-emergence-of-goldenspy-malware/" target="_blank"> Trustwave SpiderLabs. (2020, June 25). The Golden Tax Department and Emergence of GoldenSpy Malware. Retrieved July 23, 2020. 
</a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://www.fireeye.com/blog/threat-research/2021/03/sunshuttle-second-stage-backdoor-targeting-us-based-entity.html" target="_blank"> Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.welivesecurity.com/2020/04/28/grandoreiro-how-engorged-can-exe-get/" target="_blank"> ESET. (2020, April 28). Grandoreiro: How engorged can an EXE get? Retrieved November 13, 2020. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer" target="_blank"> Priego, A. (2021, July). 
THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www.fireeye.com/blog/threat-research/2019/06/government-in-central-asia-targeted-with-hawkball-backdoor.html" target="_blank"> Patil, S. and Williams, M. (2019, June 5). Government Sector in Central Asia Targeted With New HAWKBALL Backdoor Delivered via Microsoft Office Vulnerabilities. Retrieved June 20, 2019. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank"> Singh, S. and Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank"> US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank"> Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. 
</a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank"> CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank"> QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://www.welivesecurity.com/wp-content/uploads/2017/06/Win32_Industroyer.pdf" target="_blank"> Cherepanov, A. (2017, June 12). Win32/Industroyer: A new threat for industrial control systems. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www.mandiant.com/resources/operation-ke3chang-targeted-attacks-against-ministries-of-foreign-affairs" target="_blank"> Villeneuve, N., Bennett, J. T., Moran, N., Haq, T., Scott, M., & Geers, K. (2014). OPERATION “KE3CHANG”: Targeted Attacks Against Ministries of Foreign Affairs. Retrieved November 12, 2014. 
</a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://www.welivesecurity.com/wp-content/uploads/2018/12/ESET-The_Dark_Side_of_the_ForSSHe.pdf" target="_blank"> Dumont, R., M.Léveillé, M., Porcher, H. (2018, December 1). THE DARK SIDE OF THE FORSSHE: A landscape of OpenSSH backdoors. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank"> Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://securelist.com/the-kimsuky-operation-a-north-korean-apt/57915/" target="_blank"> Tarakanov, D. (2013, September 11). The “Kimsuky” Operation: A North Korean APT?. Retrieved August 13, 2019. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://blog.talosintelligence.com/2021/11/kimsuky-abuses-blogs-delivers-malware.html" target="_blank"> An, J. and Malhotra, A. (2021, November 10). North Korean attackers use malicious blogs to deliver malware to high-profile South Korean targets. 
Retrieved December 29, 2021. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://blog.talosintelligence.com/2017/05/konni-malware-under-radar-for-years.html" target="_blank"> Rascagneres, P. (2017, May 03). KONNI: A Malware Under The Radar For Years. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://blog.malwarebytes.com/threat-intelligence/2021/08/new-variant-of-konni-malware-used-in-campaign-targetting-russia/" target="_blank"> Threat Intelligence Team. (2021, August 23). New variant of Konni malware used in campaign targetting Russia. Retrieved January 5, 2022. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://blog.malwarebytes.com/threat-intelligence/2022/01/konni-evolves-into-stealthier-rat/" target="_blank"> Santos, R. (2022, January 26). KONNI evolves into stealthier RAT. Retrieved April 13, 2022. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. 
</a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Loaders-Installers-and-Uninstallers-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Loaders, Installers and Uninstallers Report. Retrieved March 2, 2016. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/lazarus-resurfaces-targets-global-banks-bitcoin-users/" target="_blank"> Sherstobitoff, R. (2018, February 12). Lazarus Resurfaces, Targets Global Banks and Bitcoin Users. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://us-cert.cisa.gov/ncas/alerts/aa21-200a" target="_blank"> CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="76"> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://www.welivesecurity.com/wp-content/uploads/2019/05/ESET-LightNeuron.pdf" target="_blank"> Faou, M. (2019, May). Turla LightNeuron: One email away from remote code execution. Retrieved June 24, 2019. 
</a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" target="_blank"> Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://www.f-secure.com/v-descs/trojan_w32_lokibot.shtml" target="_blank"> Kazem, M. (2019, November 25). Trojan:W32/Lokibot. Retrieved May 15, 2020. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://securelist.com/apt-luminousmoth/103332/" target="_blank"> Lechtik, M. et al. (2021, July 14). LuminousMoth APT: Sweeping attacks for the chosen few. Retrieved October 20, 2022. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER: Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://www.welivesecurity.com/2022/01/25/watering-hole-deploys-new-macos-malware-dazzlespy-asia/" target="_blank"> M.Léveillé, M., Cherepanov, A. (2022, January 25). Watering hole deploys new macOS malware, DazzleSpy, in Asia. Retrieved May 6, 2022. 
</a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://assets.sentinelone.com/sentinellabs22/metador#page=1" target="_blank"> Ehrlich, A., et al. (2022, September). THE MYSTERY OF METADOR | AN UNATTRIBUTED THREAT HIDING IN TELCOS, ISPS, AND UNIVERSITIES. Retrieved January 23, 2023. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://securelist.com/ferocious-kitten-6-years-of-covert-surveillance-in-iran/102806/" target="_blank"> GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://unit42.paloaltonetworks.com/new-python-based-payload-mechaflounder-used-by-chafer/" target="_blank"> Falcone, R. (2019, March 4). New Python-Based Payload MechaFlounder Used by Chafer. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://docs.google.com/document/d/1e9ZTW9b71YwFWS_18ZwDAxa-cYbV8q1wUefmKZLYVsA/edit#heading=h.lmnbtht1ikzm" target="_blank"> SentinelLabs. (2022, September 22). Metador Technical Appendix. Retrieved April 4, 2023. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://www.welivesecurity.com/2019/10/03/casbaneiro-trojan-dangerous-cooking/" target="_blank"> ESET Research. (2019, October 3). Casbaneiro: peculiarities of this banking Trojan that affects Brazil and Mexico. Retrieved September 23, 2021. 
</a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://s7d2.scene7.com/is/content/cylance/prod/cylance-web/en-us/resources/knowledge-center/resource-library/reports/Op_Dust_Storm_Report.pdf" target="_blank"> Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://www.sentinelone.com/labs/aoqin-dragon-newly-discovered-chinese-linked-apt-has-been-quietly-spying-on-organizations-for-10-years/" target="_blank"> Chen, J. (2022, June 9). Aoqin Dragon | Newly-Discovered Chinese-linked APT Has Been Quietly Spying On Organizations For 10 Years. Retrieved July 14, 2022. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank"> Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://blog.trendmicro.com/trendlabs-security-intelligence/autoit-compiled-worm-affecting-removable-media-delivers-fileless-version-of-bladabindi-njrat-backdoor/" target="_blank"> Pascual, C. (2018, November 27). AutoIt-Compiled Worm Affecting Removable Media Delivers Fileless Version of BLADABINDI/njRAT Backdoor. Retrieved June 4, 2019. 
</a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank"> Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://www.clearskysec.com/wp-content/uploads/2020/08/Dream-Job-Campaign.pdf" target="_blank"> ClearSky Research Team. (2020, August 13). Operation 'Dream Job' Widespread North Korean Espionage Campaign. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/mcafee-uncovers-operation-honeybee-malicious-document-campaign-targeting-humanitarian-aid-groups/" target="_blank"> Sherstobitoff, R. (2018, March 02). 
McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://unit42.paloaltonetworks.com/ukraine-targeted-outsteel-saintbot/" target="_blank"> Unit 42. (2022, February 25). Spear Phishing Attacks Target Organizations in Ukraine, Payloads Include the Document Stealer OutSteel and the Downloader SaintBot. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://www.leonardo.com/documents/20142/10868623/Malware+Technical+Insight+_Turla+%E2%80%9CPenquin_x64%E2%80%9D.pdf" target="_blank"> Leonardo. (2020, May 29). MALWARE TECHNICAL INSIGHT TURLA “Penquin_x64”. Retrieved March 11, 2021. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://unit42.paloaltonetworks.com/pingpull-gallium/" target="_blank"> Unit 42. (2022, June 13). GALLIUM Expands Targeting Across Telecommunications, Government and Finance Sectors With New PingPull Tool. Retrieved August 7, 2022. 
</a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank"> Mercer, W., Rascagneres, P., Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021. </a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://securelist.com/recent-cloud-atlas-activity/92016/" target="_blank"> GReAT. (2019, August 12). Recent Cloud Atlas activity. Retrieved May 8, 2020. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://securingtomorrow.mcafee.com/mcafee-labs/analyzing-operation-ghostsecret-attack-seeks-to-steal-data-worldwide/" target="_blank"> Sherstobitoff, R., Malhotra, A. (2018, April 24). Analyzing Operation GhostSecret: Attack Seeks to Steal Data Worldwide. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://github.com/n1nj4sec/pupy" target="_blank"> Verdier, N. (n.d.). Retrieved January 29, 2018. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank"> Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. 
</a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://unit42.paloaltonetworks.com/oilrig-novel-c2-channel-steganography/" target="_blank"> Falcone, R. (2020, July 22). OilRig Targets Middle Eastern Telecommunications Organization and Adds Novel C2 Channel with Steganography to Its Inventory. Retrieved July 28, 2020. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank"> Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://www.secureworks.com/research/revil-sodinokibi-ransomware" target="_blank"> Counter Threat Unit Research Team. (2019, September 24). REvil/Sodinokibi Ransomware. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-sharpshooter.pdf" target="_blank"> Sherstobitoff, R., Malhotra, A., et al. (2018, December 18). Operation Sharpshooter Campaign Targets Global Defense, Critical Infrastructure. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://blog.talosintelligence.com/2017/04/introducing-rokrat.html" target="_blank"> Mercer, W., Rascagneres, P. (2017, April 03). Introducing ROKRAT. Retrieved May 21, 2018. 
</a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank"> Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://www.clearskysec.com/siamesekitten/" target="_blank"> ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://foxitsecurity.files.wordpress.com/2016/06/fox-it_mofang_threatreport_tlp-white.pdf" target="_blank"> Klijnsma, Y. (2016, May 17). Mofang: A politically motivated information stealing adversary. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank"> Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank"> Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. 
</a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://github.com/BishopFox/sliver/blob/7489c69962b52b09ed377d73d142266564845297/client/command/filesystem/download.go" target="_blank"> BishopFox. (n.d.). Sliver Download. Retrieved September 16, 2021. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-275a" target="_blank"> DHS/CISA, Cyber National Mission Force. (2020, October 1). Malware Analysis Report (MAR) MAR-10303705-1.v1 – Remote Access Trojan: SLOTHFULMEDIA. Retrieved October 2, 2020. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://www.fireeye.com/blog/threat-research/2021/06/darkside-affiliate-supply-chain-software-compromise.html" target="_blank"> FireEye. (2021, June 16). Smoking Out a DARKSIDE Affiliate’s Supply Chain Software Compromise. Retrieved September 22, 2021. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank"> The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank"> Falcone, R., et al. (2020, March 3). 
Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://www.zscaler.com/blogs/security-research/squirrelwaffle-new-loader-delivering-cobalt-strike" target="_blank"> Kumar, A., Stone-Gross, B. (2021, September 28). Squirrelwaffle: New Loader Delivering Cobalt Strike. Retrieved August 9, 2022. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank"> FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. </a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank"> Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://www.cybereason.com/blog/research/strifewater-rat-iranian-apt-moses-staff-adds-new-trojan-to-ransomware-operations" target="_blank"> Cybereason Nocturnus. (2022, February 1). StrifeWater RAT: Iranian APT Moses Staff Adds New Trojan to Ransomware Operations. Retrieved August 15, 2022. 
</a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="https://blog.talosintelligence.com/2020/06/promethium-extends-with-strongpity3.html" target="_blank"> Mercer, W. et al. (2020, June 29). PROMETHIUM extends global reach with StrongPity3 APT. Retrieved July 20, 2020. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://www.bitdefender.com/files/News/CaseStudies/study/353/Bitdefender-Whitepaper-StrongPity-APT.pdf" target="_blank"> Tudorica, R. et al. (2020, June 30). StrongPity APT - Revealing Trojanized Tools, Working Hours and Infrastructure. Retrieved July 20, 2020. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank"> Falliere, N., O Murchu, L., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017. </a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" target="_blank"> Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. </a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank"> Schlapfer, P. (2022, June 6). 
A New Loader Gets Ready. Retrieved December 13, 2022. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://www.trendmicro.com/en_us/research/23/c/iron-tiger-sysupdate-adds-linux-targeting.html" target="_blank"> Lunghi, D. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. </a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://securelist.com/project-tajmahal/90240/" target="_blank"> GReAT. (2019, April 10). Project TajMahal – a sophisticated new APT framework. Retrieved October 14, 2019. </a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://objective-see.com/blog/blog_0x60.html" target="_blank"> Wardle, P. (2020, July 3). OSX.EvilQuest Uncovered part ii: insidious capabilities. Retrieved March 21, 2021. </a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="https://blog.malwarebytes.com/mac/2020/07/mac-thiefquest-malware-may-not-be-ransomware-after-all/" target="_blank"> Reed, T. (2020, July 7). Mac ThiefQuest malware may not be ransomware after all. Retrieved March 22, 2021. </a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank"> Kwiatkowski, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021. 
</a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/operation-north-star-behind-the-scenes/" target="_blank"> Beek, C. (2020, November 5). Operation North Star: Behind The Scenes. Retrieved December 20, 2021. </a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://www.bitdefender.com/files/News/CaseStudies/study/399/Bitdefender-PR-Whitepaper-Trickbot-creat5515-en-EN.pdf" target="_blank"> Tudorica, R. (2021, July 12). A Fresh Look at Trickbot’s Ever-Improving VNC Module. Retrieved September 28, 2021. </a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="https://blog.trendmicro.com/trendlabs-security-intelligence/ursnif-the-multifaceted-malware/?_ga=2.165628854.808042651.1508120821-744063452.1505819992" target="_blank"> Caragay, R. (2015, March 26). URSNIF: The Multifaceted Malware. Retrieved June 5, 2019. 
</a> </span> </span> </li> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="https://www.fireeye.com/blog/threat-research/2017/11/ursnif-variant-malicious-tls-callback-technique.html" target="_blank"> Vaish, A. & Nemes, S. (2017, November 28). Newly Observed Ursnif Variant Employs Malicious TLS Callback Technique to Achieve Process Injection. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-tor-functionality" target="_blank"> Proofpoint Staff. (2016, August 25). Nightmare on Tor Street: Ursnif variant Dreambot adds Tor functionality. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank"> Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank"> Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. </a> </span> </span> </li> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank"> Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. 
</a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://research.checkpoint.com/2020/warzone-behind-the-enemy-lines/" target="_blank"> Harakhavik, Y. (2020, February 3). Warzone: Behind the enemy lines. Retrieved December 17, 2021. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" target="_blank"> John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://www.malwarebytes.com/blog/threat-intelligence/2022/08/woody-rat-a-new-feature-rich-malware-spotted-in-the-wild" target="_blank"> MalwareBytes Threat Intelligence Team. (2022, August 3). Woody RAT: A new feature-rich malware spotted in the wild. Retrieved December 6, 2022. </a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://documents.trendmicro.com/assets/pdf/XCSSET_Technical_Brief.pdf" target="_blank"> Mac Threat Response, Mobile Research Team. (2020, August 13). The XCSSET Malware: Inserts Malicious Code Into Xcode Projects, Performs UXSS Backdoor Planting in Safari, and Leverages Two Zero-day Exploits. Retrieved October 5, 2021. 
</a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://www.accenture.com/t20181129T203820Z__w__/us-en/_acnmedia/PDF-90/Accenture-snakemackerel-delivers-zekapab-malware.pdf#zoom=50" target="_blank"> Accenture Security. (2018, November 29). SNAKEMACKEREL. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b" target="_blank"> CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. </a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://www.zscaler.com/blogs/security-research/apt-31-leverages-covid-19-vaccine-theme-and-abuses-legitimate-online" target="_blank"> Singh, S. and Antil, S. (2020, October 27). APT-31 Leverages COVID-19 Vaccine Theme and Abuses Legitimate Online Services. Retrieved March 24, 2021. </a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="https://arxiv.org/ftp/arxiv/papers/1408/1408.1136.pdf" target="_blank"> Gardiner, J., Cova, M., Nagaraja, S. (2014, February). Command & Control Understanding, Denying and Detecting. Retrieved April 20, 2016. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <!-- search overlay for entire page -- not displayed inline --> <div class="overlay search" id="search-overlay" style="display: none;"> <div class="overlay-inner"> <!-- text input for searching --> <div class="search-header"> <div class="search-input"> <input type="text" id="search-input" placeholder="search"> </div> <div class="search-icons"> <div class="search-parsing-icon spinner-border" style="display: none" id="search-parsing-icon"></div> <div class="close-search-icon" id="close-search-icon">×</div> </div> </div> <!-- results and controls for loading more results --> <div id="search-body" class="search-body"> <div class="results" id="search-results"> <!-- content will be appended here on search --> </div> <div id="load-more-results" class="load-more-results"> <button class="btn btn-default" id="load-more-results-button">load more results</button> </div> </div> </div> </div> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer p-3"> <div class="container-fluid"> <div class="row"> <div class="col-4 col-sm-4 col-md-3"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v13/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="col-6 col-sm-6 text-center"> <p> © 2015-2023, The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. 
</p> <div class="row"> <div class="col text-right"> <small> <a href="/versions/v13/resources/privacy" class="footer-link">Privacy Policy</a> </small> </div> <div class="col text-center"> <small> <a href="/versions/v13/resources/terms-of-use" class="footer-link">Terms of Use</a> </small> </div> <div class="col text-left "> <small> <a href="/versions/v13/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&CK content v13.1
Website v4.0.5">ATT&CK v13.1</a> </small> </div> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col"> <div class="footer-float-right-responsive-brand"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-primary w-100"> <!-- <i class="fa fa-twitter"></i> --> <img src="/versions/v13/theme/images/twitter.png" class="mr-1 twitter-icon"> <b>@MITREattack</b> </a> </div> <div class=""> <a href="/versions/v13/contact" class="btn btn-primary w-100"> Contact </a> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> <!--SCRIPTS--> <script src="/versions/v13/theme/scripts/jquery-3.5.1.min.js"></script> <script src="/versions/v13/theme/scripts/popper.min.js"></script> <script src="/versions/v13/theme/scripts/bootstrap-select.min.js"></script> <script src="/versions/v13/theme/scripts/bootstrap.bundle.min.js"></script> <script src="/versions/v13/theme/scripts/site.js?4308"></script> <script src="/versions/v13/theme/scripts/settings.js?3386"></script> <script src="/versions/v13/theme/scripts/search_bundle.js"></script> <script src="/versions/v13/theme/scripts/resizer.js"></script> <!--SCRIPTS--> <script src="/versions/v13/theme/scripts/navigation.js"></script> <script src="/versions/v13/theme/scripts/bootstrap-tourist.js"></script> <script src="/versions/v13/theme/scripts/settings.js"></script> <script src="/versions/v13/theme/scripts/tour/tour-techniques.js"></script> </body> </html>