Windows Management Instrumentation, Technique T1047 - Enterprise | MITRE ATT&CK®
<!DOCTYPE html>
<html lang='en'>
<head>
<meta charset='utf-8'>
<meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'>
<title>Windows Management Instrumentation, Technique T1047 - Enterprise | MITRE ATT&CK®</title>
</head>
<body>
<div class="container-fluid attack-website-wrapper d-flex flex-column h-100">
<div class="row flex-grow-0 flex-shrink-1"> <div class="col px-0"> <div class="container-fluid version-banner">Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1" target="_blank">ATT&CK v16.1</a> which is the current version of ATT&CK.</div> </div> </div>
<div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> Windows Management Instrumentation </h1> <div class="row"> <div class="col-md-8"> <div class="description-body"> <p>Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is designed for programmers and is the infrastructure for management data and operations on Windows systems.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. (2023, March 7). 
Retrieved February 13, 2024." data-reference="WMI 1-3"><sup><a href="https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page?redirectedfrom=MSDN" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> WMI is an administration feature that provides a uniform environment to access Windows system components.</p><p>The WMI service enables both local and remote access, though the latter is facilitated by <a href="/versions/v16/techniques/T1021">Remote Services</a> such as <a href="/versions/v16/techniques/T1021/003">Distributed Component Object Model</a> (DCOM) and <a href="/versions/v16/techniques/T1021/006">Windows Remote Management</a> (WinRM).<span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. (2023, March 7). Retrieved February 13, 2024." data-reference="WMI 1-3"><sup><a href="https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page?redirectedfrom=MSDN" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> Remote WMI over DCOM operates using port 135 (the RPC endpoint mapper; the session then typically continues on a dynamically assigned RPC port, so filtering or monitoring port 135 alone does not cover it), whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.<span onclick="scrollToRef('scite-1')" id="scite-ref-1-a" class="scite-citeref-number" title="Microsoft. (2023, March 7). Retrieved February 13, 2024." data-reference="WMI 1-3"><sup><a href="https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page?redirectedfrom=MSDN" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span> <span onclick="scrollToRef('scite-2')" id="scite-ref-2-a" class="scite-citeref-number" title="Mandiant. (n.d.). 
Retrieved February 13, 2024."data-reference="Mandiant WMI"><sup><a href="https://www.mandiant.com/resources/reports" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p><p>An adversary can use WMI to interact with local and remote systems and use it as a means to execute various behaviors, such as gathering information for <a href="https://attack.mitre.org/tactics/TA0007">Discovery</a> as well as <a href="https://attack.mitre.org/tactics/TA0002">Execution</a> of commands and payloads.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Mandiant. (n.d.). Retrieved February 13, 2024."data-reference="Mandiant WMI"><sup><a href="https://www.mandiant.com/resources/reports" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span> For example, <code>wmic.exe</code> can be abused by an adversary to delete shadow copies with the command <code>wmic.exe Shadowcopy Delete</code> (i.e., <a href="/versions/v16/techniques/T1490">Inhibit System Recovery</a>).<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Microsoft. (2022, June 13). BlackCat. Retrieved February 13, 2024."data-reference="WMI 6"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p><p><strong>Note:</strong> <code>wmic.exe</code> is deprecated as of January of 2024, with the WMIC feature being "disabled by default" on Windows 11+. WMIC will be removed from subsequent Windows releases and replaced by <a href="/versions/v16/techniques/T1059/001">PowerShell</a> as the primary WMI interface.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft. (2024, January 26). WMIC Deprecation. 
Retrieved February 13, 2024."data-reference="WMI 7,8"><sup><a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> In addition to PowerShell and tools like <code>wbemtool.exe</code>, COM APIs can also be used to programmatically interact with WMI via C++, .NET, VBScript, etc.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft. (2024, January 26). WMIC Deprecation. Retrieved February 13, 2024."data-reference="WMI 7,8"><sup><a href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1047 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-techniques: </span> No sub-techniques </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/versions/v16/tactics/TA0002">Execution</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; 
could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Windows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="If the (sub-)technique can invoke an instance of itself remotely without relying on external tools/techniques">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Supports Remote: </span> Yes </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>@ionstorm; Olaf Hartong, Falcon Force; Tristan Madani </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.5 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>31 May 2017 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>15 October 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1047" href="/versions/v16/techniques/T1047/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1047" href="/techniques/T1047/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> 
<th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/campaigns/C0025"> C0025 </a> </td> <td> <a href="/versions/v16/campaigns/C0025"> 2016 Ukraine Electric Power Attack </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0025">2016 Ukraine Electric Power Attack</a>, WMI was used in scripts for remote execution and system surveys. <span onclick="scrollToRef('scite-5')" id="scite-ref-5-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020." data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1028"> S1028 </a> </td> <td> <a href="/versions/v16/software/S1028"> Action RAT </a> </td> <td> <p><a href="/versions/v16/software/S1028">Action RAT</a> can use WMI to identify the AV products installed on an infected host.<span onclick="scrollToRef('scite-6')" id="scite-ref-6-a" class="scite-citeref-number" title="Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022." data-reference="MalwareBytes SideCopy Dec 2021"><sup><a href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0331"> S0331 </a> </td> <td> <a href="/versions/v16/software/S0331"> Agent Tesla </a> </td> <td> <p><a href="/versions/v16/software/S0331">Agent Tesla</a> has used WMI queries to gather information from the system.<span onclick="scrollToRef('scite-7')" id="scite-ref-7-a" class="scite-citeref-number" title="Arsene, L. 
(2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020."data-reference="Bitdefender Agent Tesla April 2020"><sup><a href="https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1129"> S1129 </a> </td> <td> <a href="/versions/v16/software/S1129"> Akira </a> </td> <td> <p><a href="/versions/v16/software/S1129">Akira</a> will leverage COM objects accessed through WMI during execution to evade detection.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. Retrieved April 4, 2024."data-reference="Kersten Akira 2023"><sup><a href="https://www.trellix.com/blogs/research/akira-ransomware/" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0016"> G0016 </a> </td> <td> <a href="/versions/v16/groups/G0016"> APT29 </a> </td> <td> <p><a href="/versions/v16/groups/G0016">APT29</a> used WMI to steal credentials and execute backdoors at a future time.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved September 12, 2024."data-reference="Mandiant No Easy Breach"><sup><a href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0050"> G0050 </a> </td> <td> <a href="/versions/v16/groups/G0050"> APT32 </a> </td> <td> <p><a href="/versions/v16/groups/G0050">APT32</a> used WMI to deploy their tools on remote machines and to gather information about the Outlook process.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0096"> G0096 </a> </td> <td> <a href="/versions/v16/groups/G0096"> APT41 </a> </td> <td> <p><a href="/versions/v16/groups/G0096">APT41</a> used WMI in several ways, including for execution of commands via WMIEXEC as well as for persistence via <a href="/versions/v16/software/S0194">PowerSploit</a>.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."data-reference="FireEye APT41 Aug 2019"><sup><a href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. 
Retrieved August 26, 2021."data-reference="Group IB APT 41 June 2021"><sup><a href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> <a href="/versions/v16/groups/G0096">APT41</a> has executed files through Windows Management Instrumentation (WMI).<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024."data-reference="apt41_dcsocytec_dec2022"><sup><a href="https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0143"> G0143 </a> </td> <td> <a href="/versions/v16/groups/G0143"> Aquatic Panda </a> </td> <td> <p><a href="/versions/v16/groups/G0143">Aquatic Panda</a> used WMI for lateral movement in victim environments.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024."data-reference="Crowdstrike HuntReport 2022"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0373"> S0373 </a> </td> <td> <a href="/versions/v16/software/S0373"> Astaroth </a> </td> <td> <p><a href="/versions/v16/software/S0373">Astaroth</a> uses WMIC to execute payloads. <span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. 
Retrieved September 25, 2024."data-reference="Cofense Astaroth Sept 2018"><sup><a href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0640"> S0640 </a> </td> <td> <a href="/versions/v16/software/S0640"> Avaddon </a> </td> <td> <p><a href="/versions/v16/software/S0640">Avaddon</a> uses wmic.exe to delete shadow copies.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021."data-reference="Hornet Security Avaddon June 2020"><sup><a href="https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1081"> S1081 </a> </td> <td> <a href="/versions/v16/software/S1081"> BADHATCH </a> </td> <td> <p><a href="/versions/v16/software/S1081">BADHATCH</a> can utilize WMI to collect system information, create new processes, and run malicious PowerShell scripts on a compromised machine.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021."data-reference="Gigamon BADHATCH Jul 2019"><sup><a href="https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span><span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Vrabie, V., et al. (2021, March 10). 
FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021."data-reference="BitDefender BADHATCH Mar 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0534"> S0534 </a> </td> <td> <a href="/versions/v16/software/S0534"> Bazar </a> </td> <td> <p><a href="/versions/v16/software/S0534">Bazar</a> can execute a WMI query to gather information about the installed antivirus engine.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020."data-reference="Cybereason Bazar July 2020"><sup><a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020."data-reference="DFIR Ryuk's Return October 2020"><sup><a href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1070"> S1070 </a> </td> <td> <a href="/versions/v16/software/S1070"> Black Basta </a> </td> <td> <p><a href="/versions/v16/software/S1070">Black Basta</a> has used WMI to execute files over the network.<span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. 
Retrieved March 8, 2023."data-reference="NCC Group Black Basta June 2022"><sup><a href="https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1068"> S1068 </a> </td> <td> <a href="/versions/v16/software/S1068"> BlackCat </a> </td> <td> <p><a href="/versions/v16/software/S1068">BlackCat</a> can use <code>wmic.exe</code> to delete shadow copies on compromised networks.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022."data-reference="Microsoft BlackCat Jun 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0089"> S0089 </a> </td> <td> <a href="/versions/v16/software/S0089"> BlackEnergy </a> </td> <td> <p>A <a href="/versions/v16/software/S0089">BlackEnergy</a> 2 plug-in uses WMI to gather victim host details.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Baumgartner, K. and Garnaeva, M.. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. 
Retrieved March 24, 2016."data-reference="Securelist BlackEnergy Feb 2015"><sup><a href="https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0108"> G0108 </a> </td> <td> <a href="/versions/v16/groups/G0108"> Blue Mockingbird </a> </td> <td> <p><a href="/versions/v16/groups/G0108">Blue Mockingbird</a> has used wmic.exe to set environment variables.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."data-reference="RedCanary Mockingbird May 2020"><sup><a href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1063"> S1063 </a> </td> <td> <a href="/versions/v16/software/S1063"> Brute Ratel C4 </a> </td> <td> <p><a href="/versions/v16/software/S1063">Brute Ratel C4</a> can use WMI to move laterally.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. 
Retrieved February 1, 2023."data-reference="Palo Alto Brute Ratel July 2022"><sup><a href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1039"> S1039 </a> </td> <td> <a href="/versions/v16/software/S1039"> Bumblebee </a> </td> <td> <p><a href="/versions/v16/software/S1039">Bumblebee</a> can use WMI to gather system information and to spawn processes for code injection.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022."data-reference="Google EXOTIC LILY March 2022"><sup><a href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022."data-reference="Proofpoint Bumblebee April 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span><span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. 
Retrieved August 29, 2022."data-reference="Cybereason Bumblebee August 2022"><sup><a href="https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0015"> C0015 </a> </td> <td> <a href="/versions/v16/campaigns/C0015"> C0015 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0015">C0015</a>, the threat actors used <code>wmic</code> and <code>rundll32</code> to load <a href="/versions/v16/software/S0154">Cobalt Strike</a> onto a target host.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022."data-reference="DFIR Conti Bazar Nov 2021"><sup><a href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0018"> C0018 </a> </td> <td> <a href="/versions/v16/campaigns/C0018"> C0018 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0018">C0018</a>, the threat actors used WMIC to modify administrative settings on both a local and a remote host, likely as part of the first stages for their lateral movement; they also used WMI Provider Host (<code>wmiprvse.exe</code>) to execute a variety of encoded PowerShell scripts using the <code>DownloadString</code> method.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. 
Retrieved January 11, 2023."data-reference="Cisco Talos Avos Jun 2022"><sup><a href="https://blog.talosintelligence.com/avoslocker-new-arsenal/" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023."data-reference="Costa AvosLocker May 2022"><sup><a href="https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0027"> C0027 </a> </td> <td> <a href="/versions/v16/campaigns/C0027"> C0027 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0027">C0027</a>, <a href="/versions/v16/groups/G1015">Scattered Spider</a> used Windows Management Instrumentation (WMI) to move laterally via <a href="/versions/v16/software/S0357">Impacket</a>.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. Retrieved June 30, 2023."data-reference="Crowdstrike TELCO BPO Campaign December 2022"><sup><a href="https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0674"> S0674 </a> </td> <td> <a href="/versions/v16/software/S0674"> CharmPower </a> </td> <td> <p><a href="/versions/v16/software/S0674">CharmPower</a> can use <code>wmic</code> to gather information from a system.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Check Point. (2022, January 11). 
APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022."data-reference="Check Point APT35 CharmPower January 2022"><sup><a href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0114"> G0114 </a> </td> <td> <a href="/versions/v16/groups/G0114"> Chimera </a> </td> <td> <p><a href="/versions/v16/groups/G0114">Chimera</a> has used WMIC to execute remote commands.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.."data-reference="Cycraft Chimera April 2020"><sup><a href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span><span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024."data-reference="NCC Group Chimera January 2021"><sup><a href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1021"> G1021 </a> </td> <td> <a href="/versions/v16/groups/G1021"> Cinnamon Tempest </a> </td> <td> <p><a href="/versions/v16/groups/G1021">Cinnamon Tempest</a> has used <a href="/versions/v16/software/S0357">Impacket</a> for lateral movement via WMI.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Microsoft. (2022, May 9). 
Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023."data-reference="Microsoft Ransomware as a Service"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023."data-reference="Sygnia Emperor Dragonfly October 2022"><sup><a href="https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0154"> S0154 </a> </td> <td> <a href="/versions/v16/software/S0154"> Cobalt Strike </a> </td> <td> <p><a href="/versions/v16/software/S0154">Cobalt Strike</a> can use WMI to deliver a payload to a remote host.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017."data-reference="cobaltstrike manual"><sup><a href="https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. 
Retrieved April 13, 2021."data-reference="Cobalt Strike Manual 4.3 November 2020"><sup><a href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span><span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022."data-reference="DFIR Conti Bazar Nov 2021"><sup><a href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1155"> S1155 </a> </td> <td> <a href="/versions/v16/software/S1155"> Covenant </a> </td> <td> <p><a href="/versions/v16/software/S1155">Covenant</a> can utilize WMI to install new Grunt listeners through XSL files or command one-liners.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024."data-reference="Github Covenant"><sup><a href="https://github.com/cobbr/Covenant" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0488"> S0488 </a> </td> <td> <a href="/versions/v16/software/S0488"> CrackMapExec </a> </td> <td> <p><a href="/versions/v16/software/S0488">CrackMapExec</a> can execute remote commands using Windows Management Instrumentation.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="byt3bl33d3r. (2018, September 8). SMB: Command Reference. 
Retrieved July 17, 2020."data-reference="CME Github September 2018"><sup><a href="https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1066"> S1066 </a> </td> <td> <a href="/versions/v16/software/S1066"> DarkTortilla </a> </td> <td> <p><a href="/versions/v16/software/S1066">DarkTortilla</a> can use WMI queries to obtain system information.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022."data-reference="Secureworks DarkTortilla Aug 2022"><sup><a href="https://www.secureworks.com/research/darktortilla-malware-analysis" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0673"> S0673 </a> </td> <td> <a href="/versions/v16/software/S0673"> DarkWatchman </a> </td> <td> <p><a href="/versions/v16/software/S0673">DarkWatchman</a> can use WMI to execute commands.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. 
Retrieved January 10, 2022."data-reference="Prevailion DarkWatchman 2021"><sup><a href="https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0616"> S0616 </a> </td> <td> <a href="/versions/v16/software/S0616"> DEATHRANSOM </a> </td> <td> <p><a href="/versions/v16/software/S0616">DEATHRANSOM</a> has the ability to use WMI to delete volume shadow copies.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021."data-reference="FireEye FiveHands April 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0009"> G0009 </a> </td> <td> <a href="/versions/v16/groups/G0009"> Deep Panda </a> </td> <td> <p>The <a href="/versions/v16/groups/G0009">Deep Panda</a> group is known to utilize WMI for lateral movement.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. 
Retrieved November 12, 2014."data-reference="Alperovitch 2014"><sup><a href="https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0062"> S0062 </a> </td> <td> <a href="/versions/v16/software/S0062"> DustySky </a> </td> <td> <p>The <a href="/versions/v16/software/S0062">DustySky</a> dropper uses Windows Management Instrumentation to extract information about the operating system and whether an anti-virus is active.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016."data-reference="DustySky"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1006"> G1006 </a> </td> <td> <a href="/versions/v16/groups/G1006"> Earth Lusca </a> </td> <td> <p><a href="/versions/v16/groups/G1006">Earth Lusca</a> used a VBA script to execute WMI.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. 
Retrieved July 1, 2022."data-reference="TrendMicro EarthLusca 2022"><sup><a href="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0605"> S0605 </a> </td> <td> <a href="/versions/v16/software/S0605"> EKANS </a> </td> <td> <p><a href="/versions/v16/software/S0605">EKANS</a> can use Windows Management Instrumentation (WMI) calls to execute operations.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021."data-reference="Dragos EKANS"><sup><a href="https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1003"> G1003 </a> </td> <td> <a href="/versions/v16/groups/G1003"> Ember Bear </a> </td> <td> <p><a href="/versions/v16/groups/G1003">Ember Bear</a> has used WMI execution with password hashes for command execution and lateral movement.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. 
Retrieved September 6, 2024."data-reference="CISA GRU29155 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0367"> S0367 </a> </td> <td> <a href="/versions/v16/software/S0367"> Emotet </a> </td> <td> <p><a href="/versions/v16/software/S0367">Emotet</a> has used WMI to execute powershell.exe.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Lee, S.. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019."data-reference="Carbon Black Emotet Apr 2019"><sup><a href="https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0363"> S0363 </a> </td> <td> <a href="/versions/v16/software/S0363"> Empire </a> </td> <td> <p><a href="/versions/v16/software/S0363">Empire</a> can use WMI to deliver a payload to a remote host.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. 
Retrieved April 28, 2016."data-reference="Github PowerShell Empire"><sup><a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0396"> S0396 </a> </td> <td> <a href="/versions/v16/software/S0396"> EvilBunny </a> </td> <td> <p><a href="/versions/v16/software/S0396">EvilBunny</a> has used WMI to gather information about the system.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019."data-reference="Cyphort EvilBunny Dec 2014"><sup><a href="https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0568"> S0568 </a> </td> <td> <a href="/versions/v16/software/S0568"> EVILNUM </a> </td> <td> <p><a href="/versions/v16/software/S0568">EVILNUM</a> has used the Windows Management Instrumentation (WMI) tool to enumerate infected machines.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021."data-reference="Prevailion EvilNum May 2020"><sup><a href="https://www.prevailion.com/phantom-in-the-command-shell-2/" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0267"> S0267 </a> </td> <td> <a href="/versions/v16/software/S0267"> FELIXROOT </a> </td> <td> <p><a href="/versions/v16/software/S0267">FELIXROOT</a> uses WMI to query the Windows Registry.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Cherepanov, A. (2018, October). 
GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018."data-reference="ESET GreyEnergy Oct 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1016"> G1016 </a> </td> <td> <a href="/versions/v16/groups/G1016"> FIN13 </a> </td> <td> <p><a href="/versions/v16/groups/G1016">FIN13</a> has utilized <code>WMI</code> to execute commands and move laterally on compromised Windows machines.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023."data-reference="Mandiant FIN13 Aug 2022"><sup><a href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span><span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. 
Retrieved February 9, 2023."data-reference="Sygnia Elephant Beetle Jan 2022"><sup><a href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0037"> G0037 </a> </td> <td> <a href="/versions/v16/groups/G0037"> FIN6 </a> </td> <td> <p><a href="/versions/v16/groups/G0037">FIN6</a> has used WMI to automate the remote execution of PowerShell scripts.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Villadsen, O.. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019."data-reference="Security Intelligence More Eggs Aug 2019"><sup><a href="https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0046"> G0046 </a> </td> <td> <a href="/versions/v16/groups/G0046"> FIN7 </a> </td> <td> <p><a href="/versions/v16/groups/G0046">FIN7</a> has used WMI to install malware on targeted systems.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.. 
Retrieved September 20, 2021."data-reference="eSentire FIN7 July 2021"><sup><a href="https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0061"> G0061 </a> </td> <td> <a href="/versions/v16/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/versions/v16/groups/G0061">FIN8</a>'s malicious spearphishing payloads use WMI to launch malware and spawn <code>cmd.exe</code> execution. <a href="/versions/v16/groups/G0061">FIN8</a> has also used WMIC and the <a href="/versions/v16/software/S0357">Impacket</a> suite for lateral movement, as well as during and post compromise cleanup activities.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018."data-reference="FireEye Obfuscation June 2017"><sup><a href="https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021."data-reference="Bitdefender FIN8 July 2021"><sup><a href="https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span><span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Elovitz, S. & Ahl, I. (2016, August 18). 
Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018."data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span><span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023."data-reference="Symantec FIN8 Jul 2023"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0618"> S0618 </a> </td> <td> <a href="/versions/v16/software/S0618"> FIVEHANDS </a> </td> <td> <p><a href="/versions/v16/software/S0618">FIVEHANDS</a> can use WMI to delete files on a target machine.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021."data-reference="FireEye FiveHands April 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span><span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="CISA. (2021, May 6). Analysis Report (AR21-126A) FiveHands Ransomware. 
Retrieved June 7, 2021."data-reference="CISA AR21-126A FIVEHANDS May 2021"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0381"> S0381 </a> </td> <td> <a href="/versions/v16/software/S0381"> FlawedAmmyy </a> </td> <td> <p><a href="/versions/v16/software/S0381">FlawedAmmyy</a> leverages WMI to enumerate anti-virus on the victim.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019."data-reference="Proofpoint TA505 Mar 2018"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0001"> C0001 </a> </td> <td> <a href="/versions/v16/campaigns/C0001"> Frankenstein </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0001">Frankenstein</a>, the threat actors used WMI queries to check if various security applications were running as well as to determine the operating system version.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. 
Retrieved May 11, 2020."data-reference="Talos Frankenstein June 2019"><sup><a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1044"> S1044 </a> </td> <td> <a href="/versions/v16/software/S1044"> FunnyDream </a> </td> <td> <p><a href="/versions/v16/software/S1044">FunnyDream</a> can use WMI to open a Windows command shell on a remote machine.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0007"> C0007 </a> </td> <td> <a href="/versions/v16/campaigns/C0007"> FunnyDream </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0007">FunnyDream</a>, the threat actors used <code>wmiexec.vbs</code> to run remote commands.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. 
Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0093"> G0093 </a> </td> <td> <a href="/versions/v16/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/versions/v16/groups/G0093">GALLIUM</a> used WMI for execution to assist in lateral movement as well as for installing tools across multiple assets.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019."data-reference="Cybereason Soft Cell June 2019"><sup><a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0047"> G0047 </a> </td> <td> <a href="/versions/v16/groups/G0047"> Gamaredon Group </a> </td> <td> <p><a href="/versions/v16/groups/G0047">Gamaredon Group</a> has used WMI to execute scripts used for discovery and for determining the C2 IP address.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022."data-reference="CERT-EE Gamaredon January 2021"><sup><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span><span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Unit 42. (2022, December 20). 
Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024."data-reference="unit42_gamaredon_dec2022"><sup><a href="https://unit42.paloaltonetworks.com/trident-ursa/" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0237"> S0237 </a> </td> <td> <a href="/versions/v16/software/S0237"> GravityRAT </a> </td> <td> <p><a href="/versions/v16/software/S0237">GravityRAT</a> collects various information via WMI requests, including CPU information in the Win32_Processor entry (Processor ID, Name, Manufacturer and the clock speed).<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018."data-reference="Talos GravityRAT"><sup><a href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0151"> S0151 </a> </td> <td> <a href="/versions/v16/software/S0151"> HALFBAKED </a> </td> <td> <p><a href="/versions/v16/software/S0151">HALFBAKED</a> can use WMI queries to gather system information.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. 
Retrieved April 24, 2017."data-reference="FireEye FIN7 April 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0617"> S0617 </a> </td> <td> <a href="/versions/v16/software/S0617"> HELLOKITTY </a> </td> <td> <p><a href="/versions/v16/software/S0617">HELLOKITTY</a> can use WMI to delete volume shadow copies.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021."data-reference="FireEye FiveHands April 2021"><sup><a href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0698"> S0698 </a> </td> <td> <a href="/versions/v16/software/S0698"> HermeticWizard </a> </td> <td> <p><a href="/versions/v16/software/S0698">HermeticWizard</a> can use WMI to create a new process on a remote machine via <code>C:\windows\system32\cmd.exe /c start C:\windows\system32\\regsvr32.exe /s /iC:\windows\&lt;filename&gt;.dll</code>.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. 
Retrieved April 10, 2022."data-reference="ESET Hermetic Wizard March 2022"><sup><a href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0038"> C0038 </a> </td> <td> <a href="/versions/v16/campaigns/C0038"> HomeLand Justice </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0038">HomeLand Justice</a>, threat actors used WMI to modify Windows Defender settings.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024."data-reference="Microsoft Albanian Government Attacks September 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0376"> S0376 </a> </td> <td> <a href="/versions/v16/software/S0376"> HOPLIGHT </a> </td> <td> <p><a href="/versions/v16/software/S0376">HOPLIGHT</a> has used WMI to recompile the Managed Object Format (MOF) files in the WMI repository.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. 
Retrieved April 19, 2019."data-reference="US-CERT HOPLIGHT Apr 2019"><sup><a href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0483"> S0483 </a> </td> <td> <a href="/versions/v16/software/S0483"> IcedID </a> </td> <td> <p><a href="/versions/v16/software/S0483">IcedID</a> has used WMI to execute binaries.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020."data-reference="Juniper IcedID June 2020"><sup><a href="https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a></sup></span><span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024."data-reference="DFIR_Sodinokibi_Ransomware"><sup><a href="https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1152"> S1152 </a> </td> <td> <a href="/versions/v16/software/S1152"> IMAPLoader </a> </td> <td> <p><a href="/versions/v16/software/S1152">IMAPLoader</a> uses WMI queries to query system information on victim hosts.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. 
Retrieved August 14, 2024."data-reference="PWC Yellow Liderc 2023"><sup><a href="https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0357"> S0357 </a> </td> <td> <a href="/versions/v16/software/S0357"> Impacket </a> </td> <td> <p><a href="/versions/v16/software/S0357">Impacket</a>'s wmiexec module can be used to execute commands through WMI.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="SecureAuth. (n.d.). Retrieved January 15, 2019."data-reference="Impacket Tools"><sup><a href="https://www.secureauth.com/labs/open-source-tools/impacket" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1032"> G1032 </a> </td> <td> <a href="/versions/v16/groups/G1032"> INC Ransom </a> </td> <td> <p><a href="/versions/v16/groups/G1032">INC Ransom</a> has used WMIC to deploy ransomware.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024."data-reference="Cybereason INC Ransomware November 2023"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-inc-ransomware.pdf" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a></sup></span><span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. 
Retrieved June 5, 2024."data-reference="Huntress INC Ransom Group August 2023"><sup><a href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span><span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024."data-reference="SOCRadar INC Ransom January 2024"><sup><a href="https://socradar.io/dark-web-profile-inc-ransom/" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1139"> S1139 </a> </td> <td> <a href="/versions/v16/software/S1139"> INC Ransomware </a> </td> <td> <p><a href="/versions/v16/software/S1139">INC Ransomware</a> has the ability to use wmic.exe to spread to multiple endpoints within a compromised environment.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024."data-reference="Huntress INC Ransom Group August 2023"><sup><a href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span><span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. 
Retrieved June 5, 2024."data-reference="Secureworks GOLD IONIC April 2024"><sup><a href="https://www.secureworks.com/blog/gold-ionic-deploys-inc-ransomware" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0119"> G0119 </a> </td> <td> <a href="/versions/v16/groups/G0119"> Indrik Spider </a> </td> <td> <p><a href="/versions/v16/groups/G0119">Indrik Spider</a> has used WMIC to execute commands on remote computers.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021."data-reference="Symantec WastedLocker June 2020"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0283"> S0283 </a> </td> <td> <a href="/versions/v16/software/S0283"> jRAT </a> </td> <td> <p><a href="/versions/v16/software/S0283">jRAT</a> uses WMIC to identify anti-virus products installed on the victim’s machine and to obtain firewall details.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. 
Retrieved September 21, 2018."data-reference="jRAT Symantec Aug 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0265"> S0265 </a> </td> <td> <a href="/versions/v16/software/S0265"> Kazuar </a> </td> <td> <p><a href="/versions/v16/software/S0265">Kazuar</a> obtains a list of running processes through WMI querying.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018."data-reference="Unit 42 Kazuar May 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0250"> S0250 </a> </td> <td> <a href="/versions/v16/software/S0250"> Koadic </a> </td> <td> <p><a href="/versions/v16/software/S0250">Koadic</a> can use WMI to execute commands.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024."data-reference="Github Koadic"><sup><a href="https://github.com/offsecginger/koadic" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0156"> S0156 </a> </td> <td> <a href="/versions/v16/software/S0156"> KOMPROGO </a> </td> <td> <p><a href="/versions/v16/software/S0156">KOMPROGO</a> is capable of running WMI queries.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. 
Retrieved June 18, 2017."data-reference="FireEye APT32 May 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1160"> S1160 </a> </td> <td> <a href="/versions/v16/software/S1160"> Latrodectus </a> </td> <td> <p><a href="/versions/v16/software/S1160">Latrodectus</a> has used WMI in malicious email infection chains to facilitate the installation of remotely-hosted files.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024."data-reference="Elastic Latrodectus May 2024"><sup><a href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a></sup></span><span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024."data-reference="Bitsight Latrodectus June 2024"><sup><a href="https://www.bitsight.com/blog/latrodectus-are-you-coming-back" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0032"> G0032 </a> </td> <td> <a href="/versions/v16/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/versions/v16/groups/G0032">Lazarus Group</a> has used WMIC for discovery as well as to execute payloads for persistence and lateral movement.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. 
Retrieved February 25, 2016."data-reference="Novetta Blockbuster"><sup><a href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span><span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016."data-reference="Novetta Blockbuster RATs"><sup><a href="https://web.archive.org/web/20220608001455/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span><span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021."data-reference="Kaspersky ThreatNeedle Feb 2021"><sup><a href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span><span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. 
Retrieved March 22, 2022."data-reference="Qualys LolZarus"><sup><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0065"> G0065 </a> </td> <td> <a href="/versions/v16/groups/G0065"> Leviathan </a> </td> <td> <p><a href="/versions/v16/groups/G0065">Leviathan</a> has used WMI for execution.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018."data-reference="Proofpoint Leviathan Oct 2017"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0532"> S0532 </a> </td> <td> <a href="/versions/v16/software/S0532"> Lucifer </a> </td> <td> <p><a href="/versions/v16/software/S0532">Lucifer</a> can use WMI to log into remote machines for propagation.<span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. 
Retrieved November 16, 2020."data-reference="Unit 42 Lucifer June 2020"><sup><a href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1141"> S1141 </a> </td> <td> <a href="/versions/v16/software/S1141"> LunarWeb </a> </td> <td> <p><a href="/versions/v16/software/S1141">LunarWeb</a> can use WMI queries for discovery on the victim host.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024."data-reference="ESET Turla Lunar toolset May 2024"><sup><a href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0059"> G0059 </a> </td> <td> <a href="/versions/v16/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/versions/v16/groups/G0059">Magic Hound</a> has used a tool to run <code>cmd /c wmic computersystem get domain</code> for discovery.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. 
Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0449"> S0449 </a> </td> <td> <a href="/versions/v16/software/S0449"> Maze </a> </td> <td> <p><a href="/versions/v16/software/S0449">Maze</a> has used WMI to attempt to delete the shadow volumes on a machine, and to connect a virtual machine to the network domain of the victim organization's network.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020."data-reference="McAfee Maze March 2020"><sup><a href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a></sup></span><span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020."data-reference="Sophos Maze VM September 2020"><sup><a href="https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0045"> G0045 </a> </td> <td> <a href="/versions/v16/groups/G0045"> menuPass </a> </td> <td> <p><a href="/versions/v16/groups/G0045">menuPass</a> has used a modified version of pentesting script wmiexec.vbs, which logs into a remote machine using WMI.<span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. 
Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a></sup></span><span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017."data-reference="Github AD-Pentest-Script"><sup><a href="https://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a></sup></span><span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020."data-reference="Symantec Cicada November 2020"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0688"> S0688 </a> </td> <td> <a href="/versions/v16/software/S0688"> Meteor </a> </td> <td> <p><a href="/versions/v16/software/S0688">Meteor</a> can use <code>wmic.exe</code> as part of its effort to delete shadow copies.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. 
Retrieved February 17, 2022."data-reference="Check Point Meteor Aug 2021"><sup><a href="https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0339"> S0339 </a> </td> <td> <a href="/versions/v16/software/S0339"> Micropsia </a> </td> <td> <p><a href="/versions/v16/software/S0339">Micropsia</a> searches for anti-virus software and firewall products installed on the victim’s machine using WMI.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018."data-reference="Talos Micropsia June 2017"><sup><a href="https://blog.talosintelligence.com/2017/06/palestine-delphi.html" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a></sup></span><span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018."data-reference="Radware Micropsia July 2018"><sup><a href="https://www.radware.com/blog/security/2018/07/micropsia-malware/" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0553"> S0553 </a> </td> <td> <a href="/versions/v16/software/S0553"> MoleNet </a> </td> <td> <p><a href="/versions/v16/software/S0553">MoleNet</a> can perform WMI commands on the system.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. 
Retrieved December 22, 2020."data-reference="Cybereason Molerats Dec 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0256"> S0256 </a> </td> <td> <a href="/versions/v16/software/S0256"> Mosquito </a> </td> <td> <p><a href="/versions/v16/software/S0256">Mosquito</a>'s installer uses WMI to search for antivirus display names.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018."data-reference="ESET Turla Mosquito Jan 2018"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0069"> G0069 </a> </td> <td> <a href="/versions/v16/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/versions/v16/groups/G0069">MuddyWater</a> has used malware that leveraged WMI for execution and querying host information.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018."data-reference="Securelist MuddyWater Oct 2018"><sup><a href="https://securelist.com/muddywater/88059/" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a></sup></span><span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. 
Retrieved November 29, 2018."data-reference="ClearSky MuddyWater Nov 2018"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a></sup></span><span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019."data-reference="Talos MuddyWater May 2019"><sup><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a></sup></span><span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" title="FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022."data-reference="DHS CISA AA22-055A MuddyWater February 2022"><sup><a href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0129"> G0129 </a> </td> <td> <a href="/versions/v16/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/versions/v16/groups/G0129">Mustang Panda</a> has executed PowerShell scripts via WMI.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. 
Retrieved April 12, 2021."data-reference="Anomali MUSTANG PANDA October 2019"><sup><a href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a></sup></span><span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021."data-reference="Secureworks BRONZE PRESIDENT December 2019"><sup><a href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0019"> G0019 </a> </td> <td> <a href="/versions/v16/groups/G0019"> Naikon </a> </td> <td> <p><a href="/versions/v16/groups/G0019">Naikon</a> has used WMIC.exe for lateral movement.<span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0457"> S0457 </a> </td> <td> <a href="/versions/v16/software/S0457"> Netwalker </a> </td> <td> <p><a href="/versions/v16/software/S0457">Netwalker</a> can use WMI to delete Shadow Volumes.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . 
Retrieved May 26, 2020."data-reference="TrendMicro Netwalker May 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0368"> S0368 </a> </td> <td> <a href="/versions/v16/software/S0368"> NotPetya </a> </td> <td> <p><a href="/versions/v16/software/S0368">NotPetya</a> can use <code>wmic</code> to help propagate itself across a network.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="Chiu, A. (2016, June 27). New Ransomware Variant &quot;Nyetya&quot; Compromises Systems Worldwide. Retrieved March 26, 2019."data-reference="Talos Nyetya June 2017"><sup><a href="https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span><span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019."data-reference="US-CERT NotPetya 2017"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA17-181A" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0340"> S0340 </a> </td> <td> <a href="/versions/v16/software/S0340"> Octopus </a> </td> <td> <p><a href="/versions/v16/software/S0340">Octopus</a> has used wmic.exe for local discovery information.<span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. 
Retrieved November 14, 2018."data-reference="Securelist Octopus Oct 2018"><sup><a href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0049"> G0049 </a> </td> <td> <a href="/versions/v16/groups/G0049"> OilRig </a> </td> <td> <p><a href="/versions/v16/groups/G0049">OilRig</a> has used WMI for execution.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017."data-reference="FireEye APT34 Webinar Dec 2017"><sup><a href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0365"> S0365 </a> </td> <td> <a href="/versions/v16/software/S0365"> Olympic Destroyer </a> </td> <td> <p><a href="/versions/v16/software/S0365">Olympic Destroyer</a> uses WMI to help propagate itself across a network.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. 
Retrieved March 14, 2019."data-reference="Talos Olympic Destroyer 2018"><sup><a href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0264"> S0264 </a> </td> <td> <a href="/versions/v16/software/S0264"> OopsIE </a> </td> <td> <p><a href="/versions/v16/software/S0264">OopsIE</a> uses WMI to perform discovery techniques.<span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018."data-reference="Unit 42 OilRig Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0022"> C0022 </a> </td> <td> <a href="/versions/v16/campaigns/C0022"> Operation Dream Job </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0022">Operation Dream Job</a>, <a href="/versions/v16/groups/G0032">Lazarus Group</a> used WMIC to execute a remote XSL script.<span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. 
Retrieved December 20, 2021."data-reference="ESET Lazarus Jun 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0014"> C0014 </a> </td> <td> <a href="/versions/v16/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors have used WMI to execute commands.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019"><sup><a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0378"> S0378 </a> </td> <td> <a href="/versions/v16/software/S0378"> PoshC2 </a> </td> <td> <p><a href="/versions/v16/software/S0378">PoshC2</a> has a number of modules that use WMI to execute tasks.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" title="Nettitude. (2018, July 23). Python Server for PoshC2. 
Retrieved April 23, 2019."data-reference="GitHub PoshC2"><sup><a href="https://github.com/nettitude/PoshC2_Python" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0194"> S0194 </a> </td> <td> <a href="/versions/v16/software/S0194"> PowerSploit </a> </td> <td> <p><a href="/versions/v16/software/S0194">PowerSploit</a>'s <code>Invoke-WmiCommand</code> CodeExecution module uses WMI to execute and retrieve the output from a <a href="/versions/v16/techniques/T1086">PowerShell</a> payload.<span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018."data-reference="GitHub PowerSploit May 2012"><sup><a href="https://github.com/PowerShellMafia/PowerSploit" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a></sup></span><span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" title="PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018."data-reference="PowerSploit Documentation"><sup><a href="http://powersploit.readthedocs.io" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0223"> S0223 </a> </td> <td> <a href="/versions/v16/software/S0223"> POWERSTATS </a> </td> <td> <p><a href="/versions/v16/software/S0223">POWERSTATS</a> can use WMI queries to retrieve data from compromised hosts.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" title="Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. 
Retrieved April 11, 2018."data-reference="FireEye MuddyWater Mar 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a></sup></span><span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018."data-reference="ClearSky MuddyWater Nov 2018"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0184"> S0184 </a> </td> <td> <a href="/versions/v16/software/S0184"> POWRUNER </a> </td> <td> <p><a href="/versions/v16/software/S0184">POWRUNER</a> may use WMI when collecting information about a victim.<span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" title="Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017."data-reference="FireEye APT34 Dec 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0654"> S0654 </a> </td> <td> <a href="/versions/v16/software/S0654"> ProLock </a> </td> <td> <p><a href="/versions/v16/software/S0654">ProLock</a> can use WMIC to execute scripts on targeted hosts.<span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" title="Group IB. (2020, September). LOCK LIKE A PRO. 
Retrieved September 27, 2021."data-reference="Group IB Ransomware September 2020"><sup><a href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1032"> S1032 </a> </td> <td> <a href="/versions/v16/software/S1032"> PyDCrypt </a> </td> <td> <p><a href="/versions/v16/software/S1032">PyDCrypt</a> has attempted to execute with WMIC.<span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" title="Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022."data-reference="Checkpoint MosesStaff Nov 2021"><sup><a href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0650"> S0650 </a> </td> <td> <a href="/versions/v16/software/S0650"> QakBot </a> </td> <td> <p><a href="/versions/v16/software/S0650">QakBot</a> can execute WMI queries to gather information.<span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" title="Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. 
Retrieved September 27, 2021."data-reference="Kaspersky QakBot September 2021"><sup><a href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1130"> S1130 </a> </td> <td> <a href="/versions/v16/software/S1130"> Raspberry Robin </a> </td> <td> <p><a href="/versions/v16/software/S1130">Raspberry Robin</a> can execute via LNK containing a command to run a legitimate executable, such as wmic.exe, to download a malicious Windows Installer (MSI) package.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" title="Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024."data-reference="TrendMicro RaspberryRobin 2022"><sup><a href="https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0241"> S0241 </a> </td> <td> <a href="/versions/v16/software/S0241"> RATANKBA </a> </td> <td> <p><a href="/versions/v16/software/S0241">RATANKBA</a> uses WMI to perform process monitoring.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" title="Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018."data-reference="Lazarus RATANKBA"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a></sup></span><span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" title="Trend Micro. (2017, February 27). 
RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018."data-reference="RATANKBA"><sup><a href="https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0375"> S0375 </a> </td> <td> <a href="/versions/v16/software/S0375"> Remexi </a> </td> <td> <p><a href="/versions/v16/software/S0375">Remexi</a> executes received commands with wmic.exe (for WMI commands). <span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" title="Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019."data-reference="Securelist Remexi Jan 2019"><sup><a href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0496"> S0496 </a> </td> <td> <a href="/versions/v16/software/S0496"> REvil </a> </td> <td> <p><a href="/versions/v16/software/S0496">REvil</a> can use WMI to monitor for and kill specific processes listed in its configuration file.<span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" title="Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020."data-reference="Secureworks GandCrab and REvil September 2019"><sup><a href="https://www.secureworks.com/blog/revil-the-gandcrab-connection" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a></sup></span><span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" title="Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. 
Retrieved August 5, 2020."data-reference="Group IB Ransomware May 2020"><sup><a href="https://www.group-ib.com/whitepapers/ransomware-uncovered.html" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0270"> S0270 </a> </td> <td> <a href="/versions/v16/software/S0270"> RogueRobin </a> </td> <td> <p><a href="/versions/v16/software/S0270">RogueRobin</a> uses various WMI queries to check if the sample is running in a sandbox.<span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018."data-reference="Unit 42 DarkHydrus July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a></sup></span><span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019."data-reference="Unit42 DarkHydrus Jan 2019"><sup><a href="https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0034"> G0034 </a> </td> <td> <a href="/versions/v16/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used <a href="/versions/v16/software/S0357">Impacket</a>’s WMIexec module for remote code execution and VBScript to run WMI queries.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Joe Slowik. (2018, October 12). 
Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020."data-reference="Dragos Crashoverride 2018"><sup><a href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New &quot;Prestige&quot; ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1085"> S1085 </a> </td> <td> <a href="/versions/v16/software/S1085"> Sardonic </a> </td> <td> <p><a href="/versions/v16/software/S1085">Sardonic</a> can use WMI to execute PowerShell commands on a compromised machine.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023."data-reference="Bitdefender Sardonic Aug 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0546"> S0546 </a> </td> <td> <a href="/versions/v16/software/S0546"> SharpStage </a> </td> <td> <p><a href="/versions/v16/software/S0546">SharpStage</a> can use WMI for execution.<span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="Cybereason Nocturnus Team. (2020, December 9). 
MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020."data-reference="Cybereason Molerats Dec 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a></sup></span><span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" title="Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020."data-reference="BleepingComputer Molerats Dec 2020"><sup><a href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0589"> S0589 </a> </td> <td> <a href="/versions/v16/software/S0589"> Sibot </a> </td> <td> <p><a href="/versions/v16/software/S0589">Sibot</a> has used WMI to discover network connections and configurations. <a href="/versions/v16/software/S0589">Sibot</a> has also used the Win32_Process class to execute a malicious DLL.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. 
Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0692"> S0692 </a> </td> <td> <a href="/versions/v16/software/S0692"> SILENTTRINITY </a> </td> <td> <p><a href="/versions/v16/software/S0692">SILENTTRINITY</a> can use WMI for lateral movement.<span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022."data-reference="GitHub SILENTTRINITY Modules July 2019"><sup><a href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1086"> S1086 </a> </td> <td> <a href="/versions/v16/software/S1086"> Snip3 </a> </td> <td> <p><a href="/versions/v16/software/S1086">Snip3</a> can query the WMI class <code>Win32_ComputerSystem</code> to gather information.<span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" title="Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. 
Retrieved September 13, 2023."data-reference="Morphisec Snip3 May 2021"><sup><a href="https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1124"> S1124 </a> </td> <td> <a href="/versions/v16/software/S1124"> SocGholish </a> </td> <td> <p><a href="/versions/v16/software/S1124">SocGholish</a> has used WMI calls for script execution and system profiling.<span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" title="Andrew Northern. (2022, November 22). SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024."data-reference="SocGholish-update"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0024"> C0024 </a> </td> <td> <a href="/versions/v16/campaigns/C0024"> SolarWinds Compromise </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/versions/v16/groups/G0016">APT29</a> used WMI for the remote execution of files for lateral movement.<span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" title="Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. 
Retrieved January 7, 2021."data-reference="Microsoft 365 Defender Solorigate"><sup><a href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a></sup></span><span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" title="MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop . Retrieved January 22, 2021."data-reference="Microsoft Deep Dive Solorigate January 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0038"> G0038 </a> </td> <td> <a href="/versions/v16/groups/G0038"> Stealth Falcon </a> </td> <td> <p><a href="/versions/v16/groups/G0038">Stealth Falcon</a> malware gathers system information via Windows Management Instrumentation (WMI).<span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" title="Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. 
Retrieved June 8, 2016."data-reference="Citizen Lab Stealth Falcon May 2016"><sup><a href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0380"> S0380 </a> </td> <td> <a href="/versions/v16/software/S0380"> StoneDrill </a> </td> <td> <p><a href="/versions/v16/software/S0380">StoneDrill</a> has used the WMI command-line (WMIC) utility to run tasks.<span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" title="Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019."data-reference="Kaspersky StoneDrill 2017"><sup><a href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0603"> S0603 </a> </td> <td> <a href="/versions/v16/software/S0603"> Stuxnet </a> </td> <td> <p><a href="/versions/v16/software/S0603">Stuxnet</a> used WMI with an <code>explorer.exe</code> token to execute on a remote share.<span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" title="Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 "data-reference="Nicolas Falliere, Liam O Murchu, Eric Chien February 2011"><sup><a href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0559"> S0559 </a> </td> <td> <a href="/versions/v16/software/S0559"> SUNBURST </a> </td> <td> <p><a href="/versions/v16/software/S0559">SUNBURST</a> used the WMI query <code>Select * From Win32_SystemDriver</code> to retrieve a driver listing.<span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1064"> S1064 </a> </td> <td> <a href="/versions/v16/software/S1064"> SVCReady </a> </td> <td> <p><a href="/versions/v16/software/S1064">SVCReady</a> can use <code>WMI</code> queries to detect the presence of a virtual machine environment.<span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" title="Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. 
Retrieved December 13, 2022."data-reference="HP SVCReady Jun 2022"><sup><a href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0663"> S0663 </a> </td> <td> <a href="/versions/v16/software/S0663"> SysUpdate </a> </td> <td> <p><a href="/versions/v16/software/S0663">SysUpdate</a> can use WMI for execution on a compromised host.<span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" title="Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021."data-reference="Trend Micro Iron Tiger April 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1018"> G1018 </a> </td> <td> <a href="/versions/v16/groups/G1018"> TA2541 </a> </td> <td> <p><a href="/versions/v16/groups/G1018">TA2541</a> has used WMI to query targeted systems for security products.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. 
Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0027"> G0027 </a> </td> <td> <a href="/versions/v16/groups/G0027"> Threat Group-3390 </a> </td> <td> <p>A <a href="/versions/v16/groups/G0027">Threat Group-3390</a> tool can use WMI to execute a binary.<span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" title="Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018."data-reference="Nccgroup Emissary Panda May 2018"><sup><a href="https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1022"> G1022 </a> </td> <td> <a href="/versions/v16/groups/G1022"> ToddyCat </a> </td> <td> <p><a href="/versions/v16/groups/G1022">ToddyCat</a> has used WMI to execute scripts for post exploit document collection.<span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" title="Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. 
Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat Check Logs October 2023"><sup><a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0386"> S0386 </a> </td> <td> <a href="/versions/v16/software/S0386"> Ursnif </a> </td> <td> <p><a href="/versions/v16/software/S0386">Ursnif</a> droppers have used WMI classes to execute <a href="/versions/v16/techniques/T1059/001">PowerShell</a> commands.<span onclick=scrollToRef('scite-158') id="scite-ref-158-a" class="scite-citeref-number" title="Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019."data-reference="Bromium Ursnif Mar 2017"><sup><a href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0476"> S0476 </a> </td> <td> <a href="/versions/v16/software/S0476"> Valak </a> </td> <td> <p><a href="/versions/v16/software/S0476">Valak</a> can use <code>wmic process call create</code> in a scheduled task to launch plugins and for execution.<span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" title="Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. 
Retrieved August 31, 2020."data-reference="SentinelOne Valak June 2020"><sup><a href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1017"> G1017 </a> </td> <td> <a href="/versions/v16/groups/G1017"> Volt Typhoon </a> </td> <td> <p><a href="/versions/v16/groups/G1017">Volt Typhoon</a> has leveraged WMIC for execution, remote system discovery, and to create and use temporary directories.<span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" title="Microsoft Threat Intelligence. (2023, May 24). Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023."data-reference="Microsoft Volt Typhoon May 2023"><sup><a href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a></sup></span><span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" title="NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023."data-reference="Joint Cybersecurity Advisory Volt Typhoon June 2023"><sup><a href="https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a></sup></span><span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. 
Retrieved July 27, 2023."data-reference="Secureworks BRONZE SILHOUETTE May 2023"><sup><a href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a></sup></span><span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" title="CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024."data-reference="CISA AA24-038A PRC Critical Infrastructure February 2024"><sup><a href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0366"> S0366 </a> </td> <td> <a href="/versions/v16/software/S0366"> WannaCry </a> </td> <td> <p><a href="/versions/v16/software/S0366">WannaCry</a> utilizes <code>wmic</code> to delete shadow copies.<span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" title="Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019."data-reference="LogRhythm WannaCry"><sup><a href="https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a></sup></span><span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" title="Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. 
Retrieved March 15, 2019."data-reference="FireEye WannaCry 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a></sup></span><span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019."data-reference="SecureWorks WannaCry Analysis"><sup><a href="https://www.secureworks.com/research/wcry-ransomware-analysis" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0112"> G0112 </a> </td> <td> <a href="/versions/v16/groups/G0112"> Windshift </a> </td> <td> <p><a href="/versions/v16/groups/G0112">Windshift</a> has used WMI to collect information about target machines.<span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" title="The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021."data-reference="BlackBerry Bahamut"><sup><a href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0102"> G0102 </a> </td> <td> <a href="/versions/v16/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/versions/v16/groups/G0102">Wizard Spider</a> has used WMI and LDAP queries for network discovery and to move laterally. <a href="/versions/v16/groups/G0102">Wizard Spider</a> has also used batch scripts to leverage WMIC to deploy ransomware.<span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" title="John, E. and Carvey, H. (2019, May 30). 
Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."data-reference="CrowdStrike Grim Spider May 2019"><sup><a href="https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a></sup></span><span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" title="DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020."data-reference="DHS/CISA Ransomware Targeting Healthcare October 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-302a" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a></sup></span><span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" title="Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020."data-reference="FireEye KEGTAP SINGLEMALT October 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a></sup></span><span onclick=scrollToRef('scite-171') id="scite-ref-171-a" class="scite-citeref-number" title="Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. 
Retrieved October 30, 2020."data-reference="Red Canary Hospital Thwarted Ryuk October 2020"><sup><a href="https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" target="_blank" data-hasqtip="170" aria-describedby="qtip-170">[171]</a></sup></span><span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023."data-reference="Mandiant FIN12 Oct 2021"><sup><a href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0251"> S0251 </a> </td> <td> <a href="/versions/v16/software/S0251"> Zebrocy </a> </td> <td> <p>One variant of <a href="/versions/v16/software/S0251">Zebrocy</a> uses WMI queries to gather information.<span onclick=scrollToRef('scite-173') id="scite-ref-173-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. 
Retrieved April 19, 2019."data-reference="Unit42 Sofacy Dec 2018"><sup><a href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank" data-hasqtip="172" aria-describedby="qtip-172">[173]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/mitigations/M1040"> M1040 </a> </td> <td> <a href="/versions/v16/mitigations/M1040"> Behavior Prevention on Endpoint </a> </td> <td> <p>On Windows 10, enable Attack Surface Reduction (ASR) rules to block processes created by WMI commands from running. Note: many legitimate tools and applications utilize WMI for command execution. <span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" title="Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021."data-reference="win10_asr"><sup><a href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M1038"> M1038 </a> </td> <td> <a href="/versions/v16/mitigations/M1038"> Execution Prevention </a> </td> <td> <p>Use application control configured to block execution of <code>wmic.exe</code> if it is not required for a given system or network to prevent potential misuse by adversaries. 
For example, in Windows 10 and Windows Server 2016 and above, Windows Defender Application Control (WDAC) policy rules may be applied to block the <code>wmic.exe</code> application and to prevent abuse.<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="Coulter, D. et al.. (2019, April 9). Microsoft recommended block rules. Retrieved August 12, 2021."data-reference="Microsoft WDAC"><sup><a href="https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M1026"> M1026 </a> </td> <td> <a href="/versions/v16/mitigations/M1026"> Privileged Account Management </a> </td> <td> <p>Prevent credential overlap across systems of administrator and privileged accounts. <span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" title="Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016."data-reference="FireEye WMI 2015"><sup><a href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M1018"> M1018 </a> </td> <td> <a href="/versions/v16/mitigations/M1018"> User Account Management </a> </td> <td> <p>By default, only administrators are allowed to connect remotely using WMI. 
Restrict other users who are allowed to connect, or prevent all users from connecting remotely to WMI.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/versions/v16/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments for actions that are used to perform remote behavior.</p><p>Analytic 1 - Look for wmic.exe execution with arguments indicative of remote process creation.</p><p><code> index=windows_logs sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational| eval CommandLine=coalesce(CommandLine, ParentCommandLine)| eval ProcessName=lower(ProcessName), CommandLine=lower(CommandLine)| search ProcessName IN ("wmic.exe", "powershell.exe", "wbemtool.exe", "wmiprvse.exe", "wmiadap.exe", "scrcons.exe")| search CommandLine IN ("*process call create*", "*shadowcopy delete*", "*process start*", "*createobject*")| stats count by _time, ComputerName, User, ProcessName, CommandLine, ParentProcessName, ParentCommandLine, dest, src_ip, dest_ip| eval alert_message="Suspicious WMI activity detected: " + ProcessName + " executed by " + User + " on " + ComputerName + " with command: " + CommandLine| where NOT (User="SYSTEM" OR ProcessName="wmiprvse.exe" OR CommandLine="*wmic shadowcopy delete*" AND src_ip="trusted_ip_range")| table _time, ComputerName, User, ProcessName, CommandLine, 
ParentProcessName, ParentCommandLine, src_ip, dest_ip, alert_message</code></p> </td> </tr> <tr class="datasource" id="uses-DS0029"> <td> <a href="/versions/v16/datasources/DS0029">DS0029</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0029">Network Traffic</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0029/#Network%20Connection%20Creation">Network Connection Creation</a> </td> <td> <p>Monitor network traffic for WMI connections for potential use to remotely edit configuration, start services, or query files. When remote WMI requests are over RPC it connects to a DCOM interface within the RPC group <code>netsvcs</code>. To detect this activity, a sensor is needed at the network level that can decode RPC traffic or on the host where the communication can be detected more natively, such as Event Tracing for Windows. Using wireshark/tshark decoders, the WMI interfaces can be extracted so that WMI activity over RPC can be detected. Although the description details how to detect remote WMI precisely, a decent estimate has been to look for the string RPCSS within the initial RPC connection on 135/tcp. It returns a superset of this activity, and will trigger on all DCOM-related services running within RPC, which is likely to also be activity that should be detected between hosts. More about RPCSS at : rpcss_dcom_interfaces.html</p><p>Look for instances of the WMI querying in network traffic, and find the cases where a process is launched immediately after a connection is seen. This essentially merges the request to start a remote process via WMI with the process execution. If other processes are spawned from wmiprvse.exe in this time frame, it is possible for race conditions to occur, and the wrong process may be merged. 
If this is the case, it may be useful to look deeper into the network traffic to see if the desired command can be extracted.</p><p>After the WMI connection has been initialized, a process can be remotely launched using the command: <code>wmic /node:"&lt;hostname&gt;" process call create "&lt;command line&gt;"</code>, which is detected in the third Detection Pseudocode. </p><p>This leaves artifacts at both a network (RPC) and process (command line) level. When <code>wmic.exe</code> (or the schtasks API) is used to remotely create processes, Windows uses RPC (135/tcp) to communicate with the remote machine.</p><p>After RPC authenticates, the RPC endpoint mapper opens a high port connection, through which the schtasks Remote Procedure Call is actually implemented. With the right packet decoders, or by looking for certain byte streams in raw data, these functions can be identified.</p><p>When the command line is executed, it has the parent process of <code>C:\windows\system32\wbem\WmiPrvSE.exe</code>. This analytic looks for these two events happening in sequence, so that the network connection and target process are output.</p><p>Certain strings can be identifiers of the WMI by looking up the interface UUID for <code>IRemUnknown2</code> in different formats: UUID <code>00000143-0000-0000-c000-000000000046</code> (decoded); Hex <code>43 01 00 00 00 00 00 00 c0 00 00 00 00 00 00 46</code> (raw); ASCII <code>CF</code> (printable text only).</p><p>This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement this analytic. 
The transfer syntax is: UUID <code>8a885d04-1ceb-11c9-9fe8-08002b104860</code> (decoded); Hex <code>04 5d 88 8a eb 1c c9 11 9f e8 08 00 2b 10 48 60</code> (raw); ASCII <code>]+H`</code> (printable text only).</p><p>Thus, a great ASCII based signature is: <code>*CF*]+H*CF*CF*host*"</code></p><p>Note: To detect WMI over RPC (using DCOM), a sensor needs to exist that has the insight into individual connections and can actually decode and make sense of RPC traffic. Specifically, WMI can be detected by looking at RPC traffic where the target interface matches that of WMI, which is IRemUnknown2. Look for instances of the WMI querying in network traffic, and find the cases where a process is launched immediately after a connection is seen. This essentially merges the request to start a remote process via WMI with the process execution. If other processes are spawned from wmiprvse.exe in this time frame, it is possible for race conditions to occur, and the wrong process may be merged. If this is the case, it may be useful to look deeper into the network traffic to see if the desired command can be extracted.</p><p>Analytic 1 - Monitor for WMI over RPC (DCOM) connections. 
Look for the string RPCSS within the initial RPC connection on port 135/tcp.</p><p><code> index=windows_logs sourcetype=WinEventLog:Security OR sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational OR sourcetype=WinEventLog:Microsoft-Windows-Security-Auditing| eval ProcessName=lower(ProcessName), CommandLine=lower(CommandLine)| search ProcessName IN ("wmic.exe", "powershell.exe", "wmiprvse.exe", "wmiadap.exe", "scrcons.exe", "wbemtool.exe")| search CommandLine IN ("*process call create*", "*win32_process*", "*win32_service*", "*shadowcopy delete*", "*network*")| search (sourcetype="WinEventLog:Security" EventCode=4688) OR (sourcetype="WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=1)| join ProcessName [ search index=windows_logs sourcetype=WinEventLog:Microsoft-Windows-Sysmon/Operational EventCode=3 | eval DestinationIp = coalesce(DestinationIp, dest_ip)| eval DestinationPort = coalesce(DestinationPort, dest_port)| search DestinationPort IN (135, 5985, 5986) ]| stats count by _time, ComputerName, User, ProcessName, CommandLine, DestinationIp, DestinationPort, dest, src_ip, dest_ip| eval alert_message="Suspicious WMI Network Connection Detected: " + ProcessName + " executed by " + User + " on " + ComputerName + " with command: " + CommandLine + " connecting to " + DestinationIp + ":" + DestinationPort| where NOT (User="SYSTEM" OR ProcessName="wmiprvse.exe" OR (src_ip="trusted_ip_range" AND DestinationIp="trusted_ip_range"))| table _time, ComputerName, User, ProcessName, CommandLine, DestinationIp, DestinationPort, src_ip, dest_ip, alert_message</code></p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/versions/v16/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor for newly constructed 
processes and/or command-lines of "wmic". If the command line utility <code>wmic.exe</code> is used on the source host, then it can additionally be detected by an analytic. The command line on the source host is constructed into something like <code>wmic.exe /node:"&lt;hostname&gt;" process call create "&lt;command line&gt;"</code>. It is possible to also connect via IP address, in which case the string <code>"&lt;hostname&gt;"</code> would instead be an IP address. Processes can be created remotely via WMI in a few other ways, such as more direct API access or the built-in utility PowerShell.</p><p>Note: Event IDs are for Sysmon (Event ID 10 - process access) and Windows Security Log (Event ID 4688 - a new process has been created). </p><p>Besides executing arbitrary processes, wmic.exe can also be used to execute data stored in NTFS alternate data streams (<a href="/versions/v16/techniques/T1564/004">NTFS File Attributes</a>). Look for instances of wmic.exe as well as the following substrings in the command line: <code>process call create</code> and <code>/node:</code>.</p><p>Analytic 1 - Detect wmic.exe process creation with command lines containing <code>process call create</code> or <code>/node:</code>.</p><p><code> index=security sourcetype="WinEventLog:Security" (EventCode=4688 OR EventCode=4656 OR EventCode=4103 OR EventCode=800) | eval command_line = coalesce(CommandLine, ParentCommandLine) | where (ProcessName="wmic.exe" AND (command_line LIKE "%/node:%" OR command_line LIKE "%process call create%"))OR (command_line LIKE "*Invoke-WmiMethod*" OR command_line LIKE "*Get-WmiObject*" OR command_line LIKE "*gwmi*" OR command_line LIKE "*win32_process*")</code></p><p>Note: in Splunk, <code>LIKE</code> uses <code>%</code> as its wildcard and matches <code>*</code> literally, so the patterns written with <code>*</code> need <code>%</code> in its place to match as substrings.</p> </td> </tr> <tr class="datasource" id="uses-DS0005"> <td> <a href="/versions/v16/datasources/DS0005">DS0005</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0005">WMI</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0005/#WMI%20Creation">WMI Creation</a> </td> <td> <p>Monitor for newly constructed WMI 
objects that will execute malicious commands and payloads. </p><p>Analytic 1 - WMI object creation events</p><p><code> index=security sourcetype="WinEventLog:Microsoft-Windows-WMI-Activity/Operational" (EventCode=5861 OR EventCode=5857 OR EventCode=5858) | eval CommandLine = coalesce(CommandLine, ParentCommandLine) | where (EventCode=5861 AND (CommandLine LIKE "*create*" OR CommandLine LIKE "*process*")) OR (EventCode=5857 AND (CommandLine LIKE "*exec*" OR CommandLine LIKE "*invoke*")) OR (EventCode=5858 AND (CommandLine LIKE "*payload*" OR CommandLine LIKE "*wmic*")) </code></p><p>Note: in Splunk, <code>LIKE</code> uses <code>%</code> as its wildcard and matches <code>*</code> literally, so the patterns written with <code>*</code> need <code>%</code> in its place to match as substrings.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://learn.microsoft.com/en-us/windows/win32/wmisdk/wmi-start-page?redirectedfrom=MSDN" target="_blank"> Microsoft. (2023, March 7). Retrieved February 13, 2024. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://www.mandiant.com/resources/reports" target="_blank"> Mandiant. (n.d.). Retrieved February 13, 2024. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" target="_blank"> Microsoft. (2022, June 13). BlackCat. Retrieved February 13, 2024. 
</a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://techcommunity.microsoft.com/t5/windows-it-pro-blog/wmi-command-line-wmic-utility-deprecation-next-steps/ba-p/4039242" target="_blank"> Microsoft. (2024, January 26). WMIC Deprecation. Retrieved February 13, 2024. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.dragos.com/wp-content/uploads/CRASHOVERRIDE2018.pdf" target="_blank"> Joe Slowik. (2018, October 12). Anatomy of an Attack: Detecting and Defeating CRASHOVERRIDE. Retrieved December 18, 2020. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://www.malwarebytes.com/blog/news/2021/12/sidecopy-apt-connecting-lures-to-victims-payloads-to-infrastructure" target="_blank"> Threat Intelligence Team. (2021, December 2). SideCopy APT: Connecting lures victims, payloads to infrastructure. Retrieved June 13, 2022. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://labs.bitdefender.com/2020/04/oil-gas-spearphishing-campaigns-drop-agent-tesla-spyware-in-advance-of-historic-opec-deal/" target="_blank"> Arsene, L. (2020, April 21). Oil & Gas Spearphishing Campaigns Drop Agent Tesla Spyware in Advance of Historic OPEC+ Deal. Retrieved May 19, 2020. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://www.trellix.com/blogs/research/akira-ransomware/" target="_blank"> Max Kersten & Alexandre Mundo. (2023, November 29). Akira Ransomware. 
Retrieved April 4, 2024. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://www.slideshare.net/slideshow/no-easy-breach-derby-con-2016/66447908" target="_blank"> Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank"> Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.group-ib.com/blog/colunmtk-apt41/" target="_blank"> Rostovcev, N. (2021, June 10). Big airline heist APT41 likely behind a third-party attack on Air India. Retrieved August 26, 2021. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://medium.com/@DCSO_CyTec/apt41-the-spy-who-failed-to-encrypt-me-24fc0f49cad1" target="_blank"> DCSO CyTec Blog. (2022, December 24). APT41 — The spy who failed to encrypt me. Retrieved June 13, 2024. 
</a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/2022OverWatchThreatHuntingReport.pdf" target="_blank"> CrowdStrike. (2023). 2022 Falcon OverWatch Threat Hunting Report. Retrieved May 20, 2024. </a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://web.archive.org/web/20200302071436/https://cofense.com/seeing-resurgence-demonic-astaroth-wmic-trojan/" target="_blank"> Doaty, J., Garrett, P.. (2018, September 10). We’re Seeing a Resurgence of the Demonic Astaroth WMIC Trojan. Retrieved September 25, 2024. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.hornetsecurity.com/en/security-information/avaddon-from-seeking-affiliates-to-in-the-wild-in-2-days/" target="_blank"> Security Lab. (2020, June 5). Avaddon: From seeking affiliates to in-the-wild in 2 days. Retrieved August 19, 2021. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://blog.gigamon.com/2019/07/23/abadbabe-8badf00d-discovering-badhatch-and-a-detailed-look-at-fin8s-tooling/" target="_blank"> Savelesky, K., et al. (2019, July 23). ABADBABE 8BADFOOD: Discovering BADHATCH and a Detailed Look at FIN8's Tooling. Retrieved September 8, 2021. 
</a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" target="_blank"> Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank"> The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://research.nccgroup.com/2022/06/06/shining-the-light-on-black-basta/" target="_blank"> Inman, R. and Gurney, P. (2022, June 6). Shining the Light on Black Basta. Retrieved March 8, 2023. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.microsoft.com/en-us/security/blog/2022/06/13/the-many-lives-of-blackcat-ransomware/" target="_blank"> Microsoft Defender Threat Intelligence. (2022, June 13). The many lives of BlackCat ransomware. Retrieved December 20, 2022. 
</a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://securelist.com/be2-extraordinary-plugins-siemens-targeting-dev-fails/68838/" target="_blank"> Baumgartner, K. and Garnaeva, M.. (2015, February 17). BE2 extraordinary plugins, Siemens targeting, dev fails. Retrieved March 24, 2016. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank"> Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://unit42.paloaltonetworks.com/brute-ratel-c4-tool/" target="_blank"> Harbison, M. and Renals, P. (2022, July 5). When Pentest Tools Go Brutal: Red-Teaming Tool Being Abused by Malicious Actors. Retrieved February 1, 2023. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://blog.google/threat-analysis-group/exposing-initial-access-broker-ties-conti/" target="_blank"> Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" target="_blank"> Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022. 
</a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.cybereason.com/blog/threat-analysis-report-bumblebee-loader-the-high-road-to-enterprise-domain-control" target="_blank"> Cybereason. (2022, August 17). Bumblebee Loader – The High Road to Enterprise Domain Control. Retrieved August 29, 2022. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://thedfirreport.com/2021/11/29/continuing-the-bazar-ransomware-story/" target="_blank"> DFIR Report. (2021, November 29). CONTInuing the Bazar Ransomware Story. Retrieved September 29, 2022. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://blog.talosintelligence.com/avoslocker-new-arsenal/" target="_blank"> Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" target="_blank"> Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www.crowdstrike.com/blog/analysis-of-intrusion-campaign-targeting-telecom-and-bpo-companies/" target="_blank"> Parisi, T. (2022, December 2). Not a SIMulation: CrowdStrike Investigations Reveal Intrusion Campaign Targeting Telco and BPO Companies. 
Retrieved June 30, 2023. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://research.checkpoint.com/2022/apt35-exploits-log4j-vulnerability-to-distribute-new-modular-powershell-toolkit/" target="_blank"> Check Point. (2022, January 11). APT35 exploits Log4j vulnerability to distribute new modular PowerShell toolkit. Retrieved January 24, 2022. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank"> Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020.. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://web.archive.org/web/20230218064220/https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.microsoft.com/en-us/security/blog/2022/05/09/ransomware-as-a-service-understanding-the-cybercrime-gig-economy-and-how-to-protect-yourself/" target="_blank"> Microsoft. (2022, May 9). Ransomware as a service: Understanding the cybercrime gig economy and how to protect yourself. Retrieved March 10, 2023. 
</a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://blog.sygnia.co/revealing-emperor-dragonfly-a-chinese-ransomware-group" target="_blank"> Biderman, O. et al. (2022, October 3). REVEALING EMPEROR DRAGONFLY: NIGHT SKY AND CHEERSCRYPT - A SINGLE RANSOMWARE GROUP. Retrieved December 6, 2023. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://web.archive.org/web/20210825130434/https://cobaltstrike.com/downloads/csmanual38.pdf" target="_blank"> Strategic Cyber LLC. (2017, March 14). Cobalt Strike Manual. Retrieved May 24, 2017. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://web.archive.org/web/20210708035426/https://www.cobaltstrike.com/downloads/csmanual43.pdf" target="_blank"> Strategic Cyber LLC. (2020, November 5). Cobalt Strike: Advanced Threat Tactics for Penetration Testers. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://github.com/cobbr/Covenant" target="_blank"> cobbr. (2021, April 21). Covenant. Retrieved September 4, 2024. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://github.com/byt3bl33d3r/CrackMapExec/wiki/SMB-Command-Reference" target="_blank"> byt3bl33d3r. (2018, September 8). SMB: Command Reference. Retrieved July 17, 2020. 
</a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://www.secureworks.com/research/darktortilla-malware-analysis" target="_blank"> Secureworks Counter Threat Unit Research Team. (2022, August 17). DarkTortilla Malware Analysis. Retrieved November 3, 2022. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank"> Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.fireeye.com/blog/threat-research/2021/04/unc2447-sombrat-and-fivehands-ransomware-sophisticated-financial-threat.html" target="_blank"> McLellan, T. and Moore, J. et al. (2021, April 29). UNC2447 SOMBRAT and FIVEHANDS Ransomware: A Sophisticated Financial Threat. Retrieved June 2, 2021. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://web.archive.org/web/20200424075623/https:/www.crowdstrike.com/blog/deep-thought-chinese-targeting-national-security-think-tanks/" target="_blank"> Alperovitch, D. (2014, July 7). Deep in Thought: Chinese Targeting of National Security Think Tanks. Retrieved November 12, 2014. 
</a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://www.clearskysec.com/wp-content/uploads/2016/01/Operation%20DustySky_TLP_WHITE.pdf" target="_blank"> ClearSky. (2016, January 7). Operation DustySky. Retrieved January 8, 2016. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.trendmicro.com/content/dam/trendmicro/global/en/research/22/a/earth-lusca-employs-sophisticated-infrastructure-varied-tools-and-techniques/technical-brief-delving-deep-an-analysis-of-earth-lusca-operations.pdf" target="_blank"> Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.dragos.com/blog/industry-news/ekans-ransomware-and-ics-operations/" target="_blank"> Dragos. (2020, February 3). EKANS Ransomware and ICS Operations. Retrieved February 9, 2021. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.cisa.gov/sites/default/files/2024-09/aa24-249a-russian-military-cyber-actors-target-us-and-global-critical-infrastructure.pdf" target="_blank"> US Cybersecurity & Infrastructure Security Agency et al. (2024, September 5). Russian Military Cyber Actors Target U.S. and Global Critical Infrastructure. Retrieved September 6, 2024. 
</a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.carbonblack.com/2019/04/24/cb-tau-threat-intelligence-notification-emotet-utilizing-wmi-to-launch-powershell-encoded-code/" target="_blank"> Lee, S. (2019, April 24). Emotet Using WMI to Launch PowerShell Encoded Code. Retrieved May 24, 2019. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" target="_blank"> Marschalek, M. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.prevailion.com/phantom-in-the-command-shell-2/" target="_blank"> Adamitis, D. (2020, May 6). Phantom in the Command Shell. Retrieved December 22, 2021. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.welivesecurity.com/wp-content/uploads/2018/10/ESET_GreyEnergy.pdf" target="_blank"> Cherepanov, A. (2018, October). GREYENERGY A successor to BlackEnergy. Retrieved November 15, 2018. 
</a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank"> Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://f.hubspotusercontent30.net/hubfs/8776530/Sygnia-%20Elephant%20Beetle_Jan2022.pdf?__hstc=147695848.3e8f1a482c8f8d4531507747318e660b.1680005306711.1680005306711.1680005306711.1&__hssc=147695848.1.1680005306711&__hsfp=3000179024&hsCtaTracking=189ec409-ae2d-4909-8bf1-62dcdd694372%7Cca91d317-8f10-4a38-9f80-367f551ad64d" target="_blank"> Sygnia Incident Response Team. (2022, January 5). TG2003: ELEPHANT BEETLE UNCOVERING AN ORGANIZED FINANCIAL-THEFT OPERATION. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://securityintelligence.com/posts/more_eggs-anyone-threat-actor-itg08-strikes-again/" target="_blank"> Villadsen, O. (2019, August 29). More_eggs, Anyone? Threat Actor ITG08 Strikes Again. Retrieved September 16, 2019. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.esentire.com/security-advisories/notorious-cybercrime-gang-fin7-lands-malware-in-law-firm-using-fake-legal-complaint-against-jack-daniels-owner-brown-forman-inc" target="_blank"> eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc. Retrieved September 20, 2021. 
</a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank"> Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation" target="_blank"> Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/syssphinx-fin8-backdoor" target="_blank"> Symantec Threat Hunter Team. (2023, July 18). FIN8 Uses Revamped Sardonic Backdoor to Deliver Noberus Ransomware. Retrieved August 9, 2023. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar21-126a" target="_blank"> CISA. (2021, May 6). 
Analysis Report (AR21-126A) FiveHands Ransomware. Retrieved June 7, 2021. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://www.proofpoint.com/us/threat-insight/post/leaked-ammyy-admin-source-code-turned-malware" target="_blank"> Proofpoint Staff. (2018, March 7). Leaked Ammyy Admin Source Code Turned into Malware. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank"> Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank"> Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. 
</a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf" target="_blank"> CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://unit42.paloaltonetworks.com/trident-ursa/" target="_blank"> Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" target="_blank"> Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://www.welivesecurity.com/2022/03/01/isaacwiper-hermeticwizard-wiper-worm-targeting-ukraine" target="_blank"> ESET. (2022, March 1). IsaacWiper and HermeticWizard: New wiper and worm targeting Ukraine. Retrieved April 10, 2022. 
</a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://www.microsoft.com/en-us/security/blog/2022/09/08/microsoft-investigates-iranian-attacks-against-the-albanian-government/" target="_blank"> MSTIC. (2022, September 8). Microsoft investigates Iranian attacks against the Albanian government. Retrieved August 6, 2024. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.us-cert.gov/ncas/analysis-reports/AR19-100A" target="_blank"> US-CERT. (2019, April 10). MAR-10135536-8 – North Korean Trojan: HOPLIGHT. Retrieved April 19, 2019. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware" target="_blank"> Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://thedfirreport.com/2021/03/29/sodinokibi-aka-revil-ransomware/" target="_blank"> DFIR. (2021, March 29). Sodinokibi (aka REvil) Ransomware. Retrieved July 22, 2024. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://www.pwc.com/gx/en/issues/cybersecurity/cyber-threat-intelligence/yellow-liderc-ships-its-scripts-delivers-imaploader-malware.html" target="_blank"> PwC Threat Intelligence. (2023, October 25). 
Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://www.secureauth.com/labs/open-source-tools/impacket" target="_blank"> SecureAuth. (n.d.). Retrieved January 15, 2019. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://www.cybereason.com/hubfs/dam/collateral/reports/threat-alert-inc-ransomware.pdf" target="_blank"> Cybereason Security Research Team. (2023, November 20). Threat Alert: INC Ransomware. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://www.huntress.com/blog/investigating-new-inc-ransom-group-activity" target="_blank"> Team Huntress. (2023, August 11). Investigating New INC Ransom Group Activity. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://socradar.io/dark-web-profile-inc-ransom/" target="_blank"> SOCRadar. (2024, January 24). Dark Web Profile: INC Ransom. Retrieved June 5, 2024. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://www.secureworks.com/blog/gold-ionic-deploys-inc-ransomware" target="_blank"> Counter Threat Unit Research Team. (2024, April 15). GOLD IONIC DEPLOYS INC RANSOMWARE. Retrieved June 5, 2024. 
</a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/wastedlocker-ransomware-us" target="_blank"> Symantec Threat Intelligence. (2020, June 25). WastedLocker: Symantec Identifies Wave of Attacks Against U.S. Organizations. Retrieved May 20, 2021. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://www.symantec.com/blogs/threat-intelligence/jrat-new-anti-parsing-techniques" target="_blank"> Sharma, R. (2018, August 15). Revamped jRAT Uses New Anti-Parsing Techniques. Retrieved September 21, 2018. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://researchcenter.paloaltonetworks.com/2017/05/unit42-kazuar-multiplatform-espionage-backdoor-api-access/" target="_blank"> Levene, B, et al. (2017, May 03). Kazuar: Multiplatform Espionage Backdoor with API Access. Retrieved July 17, 2018. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://github.com/offsecginger/koadic" target="_blank"> Magius, J., et al. (2017, July 19). Koadic. Retrieved September 27, 2024. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank"> Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. 
</a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://www.elastic.co/security-labs/spring-cleaning-with-latrodectus" target="_blank"> Stepanic, D. and Bousseaden, S. (2024, May 15). Spring Cleaning with LATRODECTUS: A Potential Replacement for ICEDID. Retrieved September 13, 2024. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="89.0"> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.bitsight.com/blog/latrodectus-are-you-coming-back" target="_blank"> Batista, J. (2024, June 17). Latrodectus, are you coming back?. Retrieved September 13, 2024. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://web.archive.org/web/20160226161828/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Unraveling the Long Thread of the Sony Attack. Retrieved February 25, 2016. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://web.archive.org/web/20220608001455/https://www.operationblockbuster.com/wp-content/uploads/2016/02/Operation-Blockbuster-RAT-and-Staging-Report.pdf" target="_blank"> Novetta Threat Research Group. (2016, February 24). Operation Blockbuster: Remote Administration Tools & Content Staging Malware Report. Retrieved March 16, 2016. 
</a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://securelist.com/lazarus-threatneedle/100803/" target="_blank"> Vyacheslav Kopeytsev and Seongsu Park. (2021, February 25). Lazarus targets defense industry with ThreatNeedle. Retrieved October 27, 2021. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank"> Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="https://www.proofpoint.com/us/threat-insight/post/leviathan-espionage-actor-spearphishes-maritime-and-defense-targets" target="_blank"> Axel F, Pierre T. (2017, October 16). Leviathan: Espionage actor spearphishes maritime and defense targets. Retrieved February 15, 2018. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank"> Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. 
</a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.welivesecurity.com/en/eset-research/moon-backdoors-lunar-landing-diplomatic-missions/" target="_blank"> Jurčacko, F. (2024, May 15). To the Moon and back(doors): Lunar landing in diplomatic missions. Retrieved June 26, 2024. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank"> DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://www.mcafee.com/blogs/other-blogs/mcafee-labs/ransomware-maze/" target="_blank"> Mundo, A. (2020, March 26). Ransomware Maze. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/" target="_blank"> Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. 
</a> </span> </span> </li> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://github.com/Twi1ight/AD-Pentest-Script/blob/master/wmiexec.vbs" target="_blank"> Twi1ight. (2015, July 11). AD-Pentest-Script - wmiexec.vbs. Retrieved June 29, 2017. </a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/cicada-apt10-japan-espionage" target="_blank"> Symantec. (2020, November 17). Japan-Linked Organizations Targeted in Long-Running and Sophisticated Attack Campaign. Retrieved December 17, 2020. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/" target="_blank"> Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://blog.talosintelligence.com/2017/06/palestine-delphi.html" target="_blank"> Rascagneres, P., Mercer, W. (2017, June 19). Delphi Used To Score Against Palestine. Retrieved November 13, 2018. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://www.radware.com/blog/security/2018/07/micropsia-malware/" target="_blank"> Tsarfaty, Y. (2018, July 25). Micropsia Malware. Retrieved November 13, 2018. 
</a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank"> Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://www.welivesecurity.com/wp-content/uploads/2018/01/ESET_Turla_Mosquito.pdf" target="_blank"> ESET, et al. (2018, January). Diplomats in Eastern Europe bitten by a Turla mosquito. Retrieved July 3, 2018. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://securelist.com/muddywater/88059/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank"> ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 
</a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank"> Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://www.cisa.gov/uscert/ncas/alerts/aa22-055a" target="_blank"> FBI, CISA, CNMF, NCSC-UK. (2022, February 24). Iranian Government-Sponsored Actors Conduct Cyber Operations Against Global Government and Commercial Networks. Retrieved September 27, 2022. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations" target="_blank"> Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. </a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank"> Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 
</a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank"> Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/" target="_blank"> Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" target="_blank"> Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. Retrieved March 26, 2019. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://www.us-cert.gov/ncas/alerts/TA17-181A" target="_blank"> US-CERT. (2017, July 1). Alert (TA17-181A): Petya Ransomware. Retrieved March 15, 2019. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://securelist.com/octopus-infested-seas-of-central-asia/88200/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 15). Octopus-infested seas of Central Asia. Retrieved November 14, 2018. 
</a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://www.brighttalk.com/webcast/10703/296317/apt34-new-targeted-attack-in-the-middle-east" target="_blank"> Davis, S. and Caban, D. (2017, December 19). APT34 - New Targeted Attack in the Middle East. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://blog.talosintelligence.com/2018/02/olympic-destroyer.html" target="_blank"> Mercer, W. and Rascagneres, P. (2018, February 12). Olympic Destroyer Takes Aim At Winter Olympics. Retrieved March 14, 2019. </a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank"> Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. </a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank"> Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 
</a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="https://github.com/nettitude/PoshC2_Python" target="_blank"> Nettitude. (2018, July 23). Python Server for PoshC2. Retrieved April 23, 2019. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://github.com/PowerShellMafia/PowerSploit" target="_blank"> PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="http://powersploit.readthedocs.io" target="_blank"> PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. </a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank"> Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 
</a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank"> Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank"> Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://research.checkpoint.com/2021/mosesstaff-targeting-israeli-companies/" target="_blank"> Checkpoint Research. (2021, November 15). Uncovering MosesStaff techniques: Ideology over Money. Retrieved August 11, 2022. </a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank"> Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="https://www.trendmicro.com/en_us/research/22/l/raspberry-robin-malware-targets-telecom-governments.html" target="_blank"> Christopher So. (2022, December 20). Raspberry Robin Malware Targets Telecom, Governments. Retrieved May 17, 2024. 
</a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="https://blog.trendmicro.com/trendlabs-security-intelligence/lazarus-campaign-targeting-cryptocurrencies-reveals-remote-controller-tool-evolved-ratankba/" target="_blank"> Lei, C., et al. (2018, January 24). Lazarus Campaign Targeting Cryptocurrencies Reveals Remote Controller Tool, an Evolved RATANKBA, and More. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="https://www.trendmicro.com/en_us/research/17/b/ratankba-watering-holes-against-enterprises.html" target="_blank"> Trend Micro. (2017, February 27). RATANKBA: Delving into Large-scale Watering Holes against Enterprises. Retrieved May 22, 2018. </a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank"> Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://www.secureworks.com/blog/revil-the-gandcrab-connection" target="_blank"> Secureworks . (2019, September 24). REvil: The GandCrab Connection. Retrieved August 4, 2020. </a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="https://www.group-ib.com/whitepapers/ransomware-uncovered.html" target="_blank"> Group IB. (2020, May). Ransomware Uncovered: Attackers’ Latest Methods. 
Retrieved August 5, 2020. </a> </span> </span> </li> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank"> Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://unit42.paloaltonetworks.com/darkhydrus-delivers-new-trojan-that-can-use-google-drive-for-c2-communications/" target="_blank"> Lee, B., Falcone, R. (2019, January 18). DarkHydrus delivers new Trojan that can use Google Drive for C2 communications. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank"> MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank"> Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. 
</a> </span> </span> </li> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://www.bleepingcomputer.com/news/security/hacking-group-s-new-malware-abuses-google-and-facebook-services/" target="_blank"> Ilascu, I. (2020, December 14). Hacking group’s new malware abuses Google and Facebook services. Retrieved December 28, 2020. </a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="https://github.com/byt3bl33d3r/SILENTTRINITY/tree/master/silenttrinity/core/teamserver/modules/boo" target="_blank"> Salvati, M. (2019, August 6). SILENTTRINITY Modules. Retrieved March 24, 2022. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://blog.morphisec.com/revealing-the-snip3-crypter-a-highly-evasive-rat-loader" target="_blank"> Lorber, N. (2021, May 7). Revealing the Snip3 Crypter, a Highly Evasive RAT Loader. Retrieved September 13, 2023. </a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://www.proofpoint.com/us/blog/threat-insight/part-1-socgholish-very-real-threat-very-fake-update" target="_blank"> Andrew Northern. (2022, November 22). 
SocGholish, a very real threat from a very fake update. Retrieved February 13, 2024. </a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://www.microsoft.com/security/blog/2020/12/28/using-microsoft-365-defender-to-coordinate-protection-against-solorigate/" target="_blank"> Microsoft 365 Defender Team. (2020, December 28). Using Microsoft 365 Defender to protect against Solorigate. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://www.microsoft.com/security/blog/2021/01/20/deep-dive-into-the-solorigate-second-stage-activation-from-sunburst-to-teardrop-and-raindrop/" target="_blank"> MSTIC, CDOC, 365 Defender Research Team. (2021, January 20). Deep dive into the Solorigate second-stage activation: From SUNBURST to TEARDROP and Raindrop. Retrieved January 22, 2021. </a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank"> Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="https://media.kasperskycontenthub.com/wp-content/uploads/sites/43/2018/03/07180722/Report_Shamoon_StoneDrill_final.pdf" target="_blank"> Kaspersky Lab. (2017, March 7). From Shamoon to StoneDrill: Wipers attacking Saudi organizations and beyond. Retrieved March 14, 2019. 
</a> </span> </span> </li> <li> <span id="scite-151" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-151" href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank"> Nicolas Falliere, Liam O Murchu, Eric Chien. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017. </a> </span> </span> </li> <li> <span id="scite-152" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-152" href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank"> FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. </a> </span> </span> </li> <li> <span id="scite-153" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-153" href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank"> Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. </a> </span> </span> </li> <li> <span id="scite-154" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-154" href="https://www.trendmicro.com/en_us/research/21/d/iron-tiger-apt-updates-toolkit-with-evolved-sysupdate-malware-va.html" target="_blank"> Lunghi, D. and Lu, K. (2021, April 9). Iron Tiger APT Updates Toolkit With Evolved SysUpdate Malware. Retrieved November 12, 2021. </a> </span> </span> </li> <li> <span id="scite-155" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-155" href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank"> Larson, S. 
and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023. </a> </span> </span> </li> <li> <span id="scite-156" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-156" href="https://research.nccgroup.com/2018/05/18/emissary-panda-a-potential-new-malicious-tool/" target="_blank"> Pantazopoulos, N., Henry T. (2018, May 18). Emissary Panda – A potential new malicious tool. Retrieved June 25, 2018. </a> </span> </span> </li> <li> <span id="scite-157" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-157" href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank"> Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. </a> </span> </span> </li> <li> <span id="scite-158" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-158" href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank"> Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019. </a> </span> </span> </li> <li> <span id="scite-159" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-159" href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank"> Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. </a> </span> </span> </li> <li> <span id="scite-160" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-160" href="https://www.microsoft.com/en-us/security/blog/2023/05/24/volt-typhoon-targets-us-critical-infrastructure-with-living-off-the-land-techniques/" target="_blank"> Microsoft Threat Intelligence. (2023, May 24). 
Volt Typhoon targets US critical infrastructure with living-off-the-land techniques. Retrieved July 27, 2023. </a> </span> </span> </li> <li> <span id="scite-161" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-161" href="https://media.defense.gov/2023/May/24/2003229517/-1/-1/0/CSA_Living_off_the_Land.PDF" target="_blank"> NSA et al. (2023, May 24). People's Republic of China State-Sponsored Cyber Actor Living off the Land to Evade Detection. Retrieved July 27, 2023. </a> </span> </span> </li> <li> <span id="scite-162" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-162" href="https://www.secureworks.com/blog/chinese-cyberespionage-group-bronze-silhouette-targets-us-government-and-defense-organizations" target="_blank"> Counter Threat Unit Research Team. (2023, May 24). Chinese Cyberespionage Group BRONZE SILHOUETTE Targets U.S. Government and Defense Organizations. Retrieved July 27, 2023. </a> </span> </span> </li> <li> <span id="scite-163" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-163" href="https://www.cisa.gov/sites/default/files/2024-03/aa24-038a_csa_prc_state_sponsored_actors_compromise_us_critical_infrastructure_3.pdf" target="_blank"> CISA et al.. (2024, February 7). PRC State-Sponsored Actors Compromise and Maintain Persistent Access to U.S. Critical Infrastructure. Retrieved May 15, 2024. </a> </span> </span> </li> <li> <span id="scite-164" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-164" href="https://logrhythm.com/blog/a-technical-analysis-of-wannacry-ransomware/" target="_blank"> Noerenberg, E., Costis, A., and Quist, N. (2017, May 16). A Technical Analysis of WannaCry Ransomware. Retrieved March 25, 2019. 
</a> </span> </span> </li> <li> <span id="scite-165" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-165" href="https://www.fireeye.com/blog/threat-research/2017/05/wannacry-malware-profile.html" target="_blank"> Berry, A., Homan, J., and Eitzman, R. (2017, May 23). WannaCry Malware Profile. Retrieved March 15, 2019. </a> </span> </span> </li> <li> <span id="scite-166" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-166" href="https://www.secureworks.com/research/wcry-ransomware-analysis" target="_blank"> Counter Threat Unit Research Team. (2017, May 18). WCry Ransomware Analysis. Retrieved March 26, 2019. </a> </span> </span> </li> <li> <span id="scite-167" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-167" href="https://www.blackberry.com/us/en/pdfviewer?file=/content/dam/blackberry-com/asset/enterprise/pdf/direct/report-spark-bahamut.pdf" target="_blank"> The BlackBerry Research & Intelligence Team. (2020, October). BAHAMUT: Hack-for-Hire Masters of Phishing, Fake News, and Fake Apps. Retrieved February 8, 2021. </a> </span> </span> </li> <li> <span id="scite-168" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-168" href="https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" target="_blank"> John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-169" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-169" href="https://us-cert.cisa.gov/ncas/alerts/aa20-302a" target="_blank"> DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. 
Retrieved October 28, 2020. </a> </span> </span> </li> <li> <span id="scite-170" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-170" href="https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" target="_blank"> Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. </a> </span> </span> </li> <li> <span id="scite-171" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-171" href="https://redcanary.com/blog/how-one-hospital-thwarted-a-ryuk-ransomware-outbreak/" target="_blank"> Brian Donohue, Katie Nickels, Paul Michaud, Adina Bodkins, Taylor Chapman, Tony Lambert, Jeff Felling, Kyle Rainey, Mike Haag, Matt Graeber, Aaron Didier.. (2020, October 29). A Bazar start: How one hospital thwarted a Ryuk ransomware outbreak. Retrieved October 30, 2020. </a> </span> </span> </li> <li> <span id="scite-172" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-172" href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank"> Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. </a> </span> </span> </li> <li> <span id="scite-173" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-173" href="https://unit42.paloaltonetworks.com/dear-joohn-sofacy-groups-global-campaign/" target="_blank"> Lee, B., Falcone, R. (2018, December 12). Dear Joohn: The Sofacy Group’s Global Campaign. Retrieved April 19, 2019. 
</a> </span> </span> </li> <li> <span id="scite-174" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-174" href="https://docs.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction" target="_blank"> Microsoft. (2021, July 2). Use attack surface reduction rules to prevent malware infection. Retrieved June 24, 2021. </a> </span> </span> </li> <li> <span id="scite-175" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-175" href="https://docs.microsoft.com/windows/security/threat-protection/windows-defender-application-control/microsoft-recommended-block-rules" target="_blank"> Coulter, D. et al.. (2019, April 9). Microsoft recommended block rules. Retrieved August 12, 2021. </a> </span> </span> </li> <li> <span id="scite-176" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-176" href="https://www.fireeye.com/content/dam/fireeye-www/global/en/current-threats/pdfs/wp-windows-management-instrumentation.pdf" target="_blank"> Ballenthin, W., et al. (2015). Windows Management Instrumentation (WMI) Offense, Defense, and Forensics. Retrieved March 30, 2016. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </div> </body> </html>