<!DOCTYPE html> <html lang='en'> <head> <script async src="https://www.googletagmanager.com/gtag/js?id=UA-62667723-1"></script> <script> window.dataLayer = window.dataLayer || []; function gtag(){dataLayer.push(arguments);} gtag('js', new Date()); gtag('config', 'UA-62667723-1'); </script> <meta name="google-site-verification" content="2oJKLqNN62z6AOCb0A0IXGtbQuj-lev5YPAHFF_cbHQ"/> <meta charset='utf-8'> <meta name='viewport' content='width=device-width, initial-scale=1,shrink-to-fit=no'> <meta http-equiv="X-UA-Compatible" content="IE=edge"> <link rel='shortcut icon' href="/versions/v16/theme/favicon.ico" type='image/x-icon'> <title>Obfuscated Files or Information: Command Obfuscation, Sub-technique T1027.010 - Enterprise | MITRE ATT&CK&reg;</title> <!-- USWDS CSS --> <!-- Bootstrap CSS --> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap.min.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-tourist.css" /> <link rel='stylesheet' href="/versions/v16/theme/style/bootstrap-select.min.css" /> <!-- Fontawesome CSS --> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/fontawesome.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/brands.min.css"/> <link rel="stylesheet" href="/versions/v16/theme/style/fontawesome-6.5.1/css/solid.min.css"/> <link rel="stylesheet" type="text/css" href="/versions/v16/theme/style.min.css?6689c2db"> </head> <body> <div class="container-fluid attack-website-wrapper d-flex flex-column h-100"> <div class="row sticky-top flex-grow-0 flex-shrink-1"> <!-- header elements --> <header class="col px-0"> <nav class='navbar navbar-expand-lg navbar-dark position-static'> <a class='navbar-brand' href="/versions/v16/"><img src="/versions/v16/theme/images/mitre_attack_logo.png" class="attack-logo"></a> <button class='navbar-toggler' type='button' data-toggle='collapse' data-target='#navbarCollapse' aria-controls='navbarCollapse' aria-expanded='false' 
aria-label='Toggle navigation'> <span class='navbar-toggler-icon'></span> </button> <div class='collapse navbar-collapse' id='navbarCollapse'> <ul class='nav nav-tabs ml-auto'> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/matrices/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Matrices</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/matrices/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/matrices/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/matrices/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/tactics/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Tactics</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/tactics/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/tactics/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/tactics/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/techniques/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Techniques</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/techniques/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/techniques/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/techniques/ics/">ICS</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/datasources" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Defenses</b> </a> <div class="dropdown-menu " 
aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/datasources">Data Sources</a> <div class="dropright dropdown"> <a class="dropdown-item dropdown-toggle" href="/versions/v16/mitigations/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Mitigations</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/mitigations/enterprise/">Enterprise</a> <a class="dropdown-item" href="/versions/v16/mitigations/mobile/">Mobile</a> <a class="dropdown-item" href="/versions/v16/mitigations/ics/">ICS</a> </div> </div> <a class="dropdown-item" href="/versions/v16/assets">Assets</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/groups" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>CTI</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/groups">Groups</a> <a class="dropdown-item" href="/versions/v16/software">Software</a> <a class="dropdown-item" href="/versions/v16/campaigns">Campaigns</a> </div> </li> <li class="nav-item dropdown"> <a class="nav-link dropdown-toggle" href="/versions/v16/resources/" id="navbarDropdown" role="button" data-toggle="dropdown" aria-haspopup="true" aria-expanded="false"> <b>Resources</b> </a> <div class="dropdown-menu " aria-labelledby="navbarDropdown"> <a class="dropdown-item" href="/versions/v16/resources/">Get Started</a> <a class="dropdown-item" href="/versions/v16/resources/learn-more-about-attack/">Learn More about ATT&CK</a> <a class="dropdown-item" href="/versions/v16/resources/attackcon/">ATT&CKcon</a> <a class="dropdown-item" href="/versions/v16/resources/attack-data-and-tools/">ATT&CK Data & Tools</a> <a class="dropdown-item" href="/versions/v16/resources/faq/">FAQ</a> <a class="dropdown-item" 
href="/versions/v16/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v16/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v16/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b>&nbsp; <img src="/versions/v16/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v16/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v16.1" target="_blank">ATT&CK v16.1</a> which is the current version of ATT&CK. <a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> <div class="container-fluid d-none"> Reminder: the TAXII 2.0 server will be <a href='https://medium.com/mitre-attack/introducing-taxii-2-1-and-a-fond-farewell-to-taxii-2-0-d9fca6ce4c58'>retiring on December 18</a>. Please switch to the <a href='https://github.com/mitre-attack/attack-workbench-taxii-server/blob/main/docs/USAGE.md'>TAXII 2.1 server</a> to ensure uninterrupted service. 
</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v16/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/versions/v16/techniques/T1027">Obfuscated Files or Information</a></li> <li class="breadcrumb-item">Command Obfuscation</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Obfuscated Files or Information:</span> Command Obfuscation </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Obfuscated Files or Information (14)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a 
href="/versions/v16/techniques/T1027/001/" class="subtechnique-table-item" data-subtechnique_id="T1027.001"> T1027.001 </a> </td> <td> <a href="/versions/v16/techniques/T1027/001/" class="subtechnique-table-item" data-subtechnique_id="T1027.001"> Binary Padding </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/002/" class="subtechnique-table-item" data-subtechnique_id="T1027.002"> T1027.002 </a> </td> <td> <a href="/versions/v16/techniques/T1027/002/" class="subtechnique-table-item" data-subtechnique_id="T1027.002"> Software Packing </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/003/" class="subtechnique-table-item" data-subtechnique_id="T1027.003"> T1027.003 </a> </td> <td> <a href="/versions/v16/techniques/T1027/003/" class="subtechnique-table-item" data-subtechnique_id="T1027.003"> Steganography </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/004/" class="subtechnique-table-item" data-subtechnique_id="T1027.004"> T1027.004 </a> </td> <td> <a href="/versions/v16/techniques/T1027/004/" class="subtechnique-table-item" data-subtechnique_id="T1027.004"> Compile After Delivery </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/005/" class="subtechnique-table-item" data-subtechnique_id="T1027.005"> T1027.005 </a> </td> <td> <a href="/versions/v16/techniques/T1027/005/" class="subtechnique-table-item" data-subtechnique_id="T1027.005"> Indicator Removal from Tools </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/006/" class="subtechnique-table-item" data-subtechnique_id="T1027.006"> T1027.006 </a> </td> <td> <a href="/versions/v16/techniques/T1027/006/" class="subtechnique-table-item" data-subtechnique_id="T1027.006"> HTML Smuggling </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/007/" class="subtechnique-table-item" data-subtechnique_id="T1027.007"> T1027.007 </a> </td> <td> <a href="/versions/v16/techniques/T1027/007/" class="subtechnique-table-item" 
data-subtechnique_id="T1027.007"> Dynamic API Resolution </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/008/" class="subtechnique-table-item" data-subtechnique_id="T1027.008"> T1027.008 </a> </td> <td> <a href="/versions/v16/techniques/T1027/008/" class="subtechnique-table-item" data-subtechnique_id="T1027.008"> Stripped Payloads </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/009/" class="subtechnique-table-item" data-subtechnique_id="T1027.009"> T1027.009 </a> </td> <td> <a href="/versions/v16/techniques/T1027/009/" class="subtechnique-table-item" data-subtechnique_id="T1027.009"> Embedded Payloads </a> </td> </tr> <tr> <td class="active"> T1027.010 </td> <td class="active"> Command Obfuscation </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/011/" class="subtechnique-table-item" data-subtechnique_id="T1027.011"> T1027.011 </a> </td> <td> <a href="/versions/v16/techniques/T1027/011/" class="subtechnique-table-item" data-subtechnique_id="T1027.011"> Fileless Storage </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/012/" class="subtechnique-table-item" data-subtechnique_id="T1027.012"> T1027.012 </a> </td> <td> <a href="/versions/v16/techniques/T1027/012/" class="subtechnique-table-item" data-subtechnique_id="T1027.012"> LNK Icon Smuggling </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/013/" class="subtechnique-table-item" data-subtechnique_id="T1027.013"> T1027.013 </a> </td> <td> <a href="/versions/v16/techniques/T1027/013/" class="subtechnique-table-item" data-subtechnique_id="T1027.013"> Encrypted/Encoded File </a> </td> </tr> <tr> <td> <a href="/versions/v16/techniques/T1027/014/" class="subtechnique-table-item" data-subtechnique_id="T1027.014"> T1027.014 </a> </td> <td> <a href="/versions/v16/techniques/T1027/014/" class="subtechnique-table-item" data-subtechnique_id="T1027.014"> Polymorphic Code </a> </td> </tr> </tbody> </table> </div> </div> </div> 
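<p>The description of this sub-technique that follows lists the tricks a defender has to undo before a command line can be matched: cmd.exe carets and empty quote pairs, PowerShell's Base64 <code>-EncodedCommand</code>, string concatenation, <code>rev</code> here-strings, and <code>..</code> traversal padding in the path of the invoked binary. The following is an added example for this page, not MITRE's code and not taken from Invoke-Obfuscation, Invoke-DOSfuscation, Bashfuscator or any other cited tool. It layers one small normaliser per trick and reports which layers were present, so a detection rule can match the command that actually executes. The sample command lines in <code>SAMPLES</code> are constructed for illustration; the flag spellings in <code>ENCODED_FLAG</code> are an assumption about what shows up in telemetry.</p>

```python
"""
De-obfuscating command lines before matching them (T1027.010).

Added example for this page; not MITRE's code and not taken from any cited tool.
Each helper undoes one trick named in the technique description so a detection
rule can match the command that actually executes rather than its disguise.
All sample command lines in SAMPLES are constructed for illustration.
"""
import base64
import binascii
import ntpath
import posixpath
import re

# powershell.exe accepts any unambiguous prefix of -EncodedCommand; these are
# the spellings most often seen (assumption: add others your telemetry shows).
ENCODED_FLAG = re.compile(r"-(?:encodedcommand|enc|ec|en|e)\s+([A-Za-z0-9+/=]+)", re.I)
CONCAT = re.compile(r'"([^"]*)"\s*\+\s*"([^"]*)"')          # "Wor"+"d.Application"
REV_HERESTRING = re.compile(r"rev\s*<<<\s*'([^']*)'")         # rev <<<'dwssap/cte/ tac'

# Base64 of the UTF-16LE string "whoami", the encoding -EncodedCommand expects.
SAMPLE_B64 = "dwBoAG8AYQBtAGkA"
SAMPLES = [
    'p^o""w^ers^hell -e^nc ' + SAMPLE_B64,
    '"Wor"+"d.Application"',
    "rev <<<'dwssap/cte/ tac'",
    r"C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete",
]


def strip_cmd_escapes(cmd: str) -> str:
    """cmd.exe drops ^ (escaping the next char) and an empty "" pair before
    launching the program, so p^o""w^ers^hell runs powershell. Apply only to
    lines that cmd.exe parsed; ^ is meaningful in other shells."""
    cmd = cmd.replace('""', "")
    return re.sub(r"\^(.)", r"\1", cmd)


def join_split_strings(cmd: str) -> str:
    """Fold adjacent double-quoted concatenations back into one literal."""
    while True:
        joined = CONCAT.sub(lambda m: '"' + m.group(1) + m.group(2) + '"', cmd)
        if joined == cmd:
            return cmd
        cmd = joined


def undo_rev_herestring(cmd: str) -> str:
    """Replace rev <<<'...' with the reversed text it would emit."""
    return REV_HERESTRING.sub(lambda m: m.group(1)[::-1], cmd)


def decode_encoded_command(cmd: str):
    """Return the script behind -EncodedCommand, or None if absent/invalid."""
    m = ENCODED_FLAG.search(cmd)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def resolve_binary(cmd: str) -> str:
    """Collapse . and .. in the first token so a traversal-padded path is
    compared by its real target (assumes an unquoted, space-free path)."""
    tokens = cmd.strip().split(None, 1)
    first = tokens[0] if tokens else ""
    if "\\" in first or re.match(r"^[A-Za-z]:", first):
        return ntpath.normpath(first).lower()
    return posixpath.normpath(first)


def normalize(cmd: str) -> dict:
    """Run every step and report which obfuscation layers were present."""
    plain = undo_rev_herestring(join_split_strings(strip_cmd_escapes(cmd)))
    indicators = []
    if plain != cmd:
        indicators.append("escape/concat/reverse layer removed")
    decoded = decode_encoded_command(plain)
    if decoded is not None:
        indicators.append("-EncodedCommand payload decoded")
        plain = f"{plain} ; decoded: {decoded}"
    tokens = cmd.strip().split(None, 1)
    if tokens and ".." in tokens[0]:
        indicators.append("directory traversal in binary path")
    return {"normalized": plain, "binary": resolve_binary(plain), "indicators": indicators}


if __name__ == "__main__":
    for sample in SAMPLES:
        result = normalize(sample)
        print(f"{sample!r}\n  -> {result['binary']!r} {result['indicators']}")
```

<p>The order of the layers matters: the Base64 flag in the first sample is itself caret-split (<code>-e^nc</code>), so <code>decode_encoded_command</code> finds nothing until <code>strip_cmd_escapes</code> has run. Match block lists against <code>binary</code> rather than the raw first token, since the traversal-padded WMIC path resolves to <code>c:\windows\system32\wbem\wmic.exe</code>.</p>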
<!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may obfuscate content during command execution to impede detection. Command-line obfuscation is a method of making strings and patterns within commands and scripts more difficult to signature and analyze. This type of obfuscation can be included within commands executed by delivered payloads (e.g., <a href="/versions/v16/techniques/T1566">Phishing</a> and <a href="/versions/v16/techniques/T1189">Drive-by Compromise</a>) or interactively via <a href="/versions/v16/techniques/T1059">Command and Scripting Interpreter</a>.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Katz, O. (2020, October 26). Catch Me if You Can—JavaScript Obfuscation. Retrieved March 17, 2023."data-reference="Akamai JS"><sup><a href="https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span><span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Bromiley, M. (2016, December 27). Malware Monday: VBScript and VBE Files. Retrieved March 17, 2023."data-reference="Malware Monday VBE"><sup><a href="https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span></p><p>For example, adversaries may abuse syntax that uses various symbols and escape characters (such as spacing, <code>^</code>, <code>+</code>, <code>$</code>, and <code>%</code>) to make commands difficult to analyze while maintaining the same intended functionality.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Red Canary. (n.d.). 2022 Threat Detection Report: PowerShell. Retrieved March 17, 2023."data-reference="RC PowerShell"><sup><a href="https://redcanary.com/threat-detection-report/techniques/powershell/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> Many interpreters also accept encoded input, such as Base64 (PowerShell's <code>-EncodedCommand</code>) or URL encoding, which adversaries can use as a ready-made layer of obfuscation.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Microsoft. (2023, February 8). about_PowerShell_exe: EncodedCommand. Retrieved March 17, 2023."data-reference="Microsoft PowerShellB64"><sup><a href="https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> Adversaries may also manually implement command obfuscation via string splitting (<code>"Wor"+"d.Application"</code>), reordering or re-casing characters (<code>rev &lt;&lt;&lt;'dwssap/cte/ tac'</code>, which the shell reverses back to <code>cat /etc/passwd</code>), globbing (<code>mkdir -p '/tmp/:&amp;$NiA'</code>), and tricks that pass strings through tokens, environment variables, or input streams.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="LeFevre, A. (n.d.). Bashfuscator Command Obfuscators. Retrieved March 17, 2023."data-reference="Bashfuscator Command Obfuscators"><sup><a href="https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span><span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018."data-reference="FireEye Obfuscation June 2017"><sup><a href="https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span></p><p>Adversaries may also hide which binary a command invokes by padding its path with directory traversal (<code>..</code>) segments that the file system resolves away; for example, <code>C:\voi\pcw\..\..\Windows\tei\qs\k\..\..\..\system32\erool\..\wbem\wg\je\..\..\wmic.exe shadowcopy delete</code> resolves to and runs <code>C:\Windows\system32\wbem\wmic.exe</code>, so detections that match on the literal path string miss it.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12, 2024."data-reference="Twitter Richard WMIC"><sup><a href="https://x.com/rfackroyd/status/1639136000755765254" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p><p>Tools such as <code>Invoke-Obfuscation</code> and <code>Invoke-DOSfuscation</code> have also been used to obfuscate commands.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Bohannon, D. (2018, March 19). Invoke-DOSfuscation. Retrieved March 17, 2023."data-reference="Invoke-DOSfuscation"><sup><a href="https://github.com/danielbohannon/Invoke-DOSfuscation" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span><span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="Bohannon, D. (2016, September 24). Invoke-Obfuscation. 
Retrieved March 17, 2023."data-reference="Invoke-Obfuscation"><sup><a href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID:&nbsp;</span>T1027.010 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of:&nbsp;</span> <a href="/versions/v16/techniques/T1027">T1027</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactic:</span> <a href="/versions/v16/tactics/TA0005">Defense Evasion</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">&#9432;</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms:&nbsp;</span>Linux, Windows, macOS </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors:&nbsp;</span>George Thomas; Tim Peck; TruKno </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version:&nbsp;</span>1.0 </div> </div> <div class="row 
card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created:&nbsp;</span>14 March 2023 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified:&nbsp;</span>12 September 2024 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1027.010" href="/versions/v16/techniques/T1027/010/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1027.010" href="/techniques/T1027/010/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/groups/G0073"> G0073 </a> </td> <td> <a href="/versions/v16/groups/G0073"> APT19 </a> </td> <td> <p><a href="/versions/v16/groups/G0073">APT19</a> used Base64 to obfuscate executed commands.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. 
Retrieved May 17, 2018."data-reference="FireEye APT19"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0050"> G0050 </a> </td> <td> <a href="/versions/v16/groups/G0050"> APT32 </a> </td> <td> <p><a href="/versions/v16/groups/G0050">APT32</a> has used the <code>Invoke-Obfuscation</code> framework to obfuscate their PowerShell.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017."data-reference="FireEye APT32 May 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017."data-reference="GitHub Invoke-Obfuscation"><sup><a href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. 
Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0143"> G0143 </a> </td> <td> <a href="/versions/v16/groups/G0143"> Aquatic Panda </a> </td> <td> <p><a href="/versions/v16/groups/G0143">Aquatic Panda</a> has encoded PowerShell commands in Base64.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022."data-reference="CrowdStrike AQUATIC PANDA December 2021"><sup><a href="https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0373"> S0373 </a> </td> <td> <a href="/versions/v16/software/S0373"> Astaroth </a> </td> <td> <p><a href="/versions/v16/software/S0373">Astaroth</a> has obfuscated and randomized parts of the JScript code it is initiating.<span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. 
Retrieved April 17, 2019."data-reference="Cybereason Astaroth Feb 2019"><sup><a href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0475"> S0475 </a> </td> <td> <a href="/versions/v16/software/S0475"> BackConfig </a> </td> <td> <p><a href="/versions/v16/software/S0475">BackConfig</a> has used compressed and decimal-encoded VBS scripts.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."data-reference="Unit 42 BackConfig May 2020"><sup><a href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1081"> S1081 </a> </td> <td> <a href="/versions/v16/software/S1081"> BADHATCH </a> </td> <td> <p><a href="/versions/v16/software/S1081">BADHATCH</a> can Base64-encode its malicious PowerShell commands.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. 
Retrieved September 8, 2021."data-reference="BitDefender BADHATCH Mar 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0018"> C0018 </a> </td> <td> <a href="/versions/v16/campaigns/C0018"> C0018 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0018">C0018</a>, the threat actors used Base64 to encode their PowerShell scripts.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023."data-reference="Cisco Talos Avos Jun 2022"><sup><a href="https://blog.talosintelligence.com/avoslocker-new-arsenal/" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span><span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023."data-reference="Costa AvosLocker May 2022"><sup><a href="https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0021"> C0021 </a> </td> <td> <a href="/versions/v16/campaigns/C0021"> C0021 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0021">C0021</a>, the threat actors used encoded PowerShell commands.<span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. 
Retrieved November 27, 2018."data-reference="FireEye APT29 Nov 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019."data-reference="Microsoft Unidentified Dec 2018"><sup><a href="https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0462"> S0462 </a> </td> <td> <a href="/versions/v16/software/S0462"> CARROTBAT </a> </td> <td> <p><a href="/versions/v16/software/S0462">CARROTBAT</a> has the ability to execute obfuscated commands on the infected host.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. 
Retrieved June 2, 2020."data-reference="Unit 42 CARROTBAT November 2018"><sup><a href="https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0114"> G0114 </a> </td> <td> <a href="/versions/v16/groups/G0114"> Chimera </a> </td> <td> <p><a href="/versions/v16/groups/G0114">Chimera</a> has encoded PowerShell commands.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020."data-reference="Cycraft Chimera April 2020"><sup><a href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0080"> G0080 </a> </td> <td> <a href="/versions/v16/groups/G0080"> Cobalt Group </a> </td> <td> <p><a href="/versions/v16/groups/G0080">Cobalt Group</a> obfuscated several scriptlets and code used on the victim’s machine, including with XOR and RC4.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018."data-reference="Talos Cobalt Group July 2018"><sup><a href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span><span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Gorelik, M. (2018, October 08). Cobalt Group 2.0. 
Retrieved November 5, 2018."data-reference="Morphisec Cobalt Gang Oct 2018"><sup><a href="https://blog.morphisec.com/cobalt-gang-2.0" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0126"> S0126 </a> </td> <td> <a href="/versions/v16/software/S0126"> ComRAT </a> </td> <td> <p><a href="/versions/v16/software/S0126">ComRAT</a> has used encryption and base64 to obfuscate its orchestrator code in the Registry. <a href="/versions/v16/software/S0126">ComRAT</a> has also used encoded PowerShell scripts.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span><span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020."data-reference="CISA ComRAT Oct 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0492"> S0492 </a> </td> <td> <a href="/versions/v16/software/S0492"> CookieMiner </a> </td> <td> <p><a href="/versions/v16/software/S0492">CookieMiner</a> has used base64 encoding to obfuscate scripts on the system.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. 
Retrieved July 22, 2020."data-reference="Unit42 CookieMiner Jan 2019"><sup><a href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0673"> S0673 </a> </td> <td> <a href="/versions/v16/software/S0673"> DarkWatchman </a> </td> <td> <p><a href="/versions/v16/software/S0673">DarkWatchman</a> has used Base64 to encode PowerShell commands.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022."data-reference="Prevailion DarkWatchman 2021"><sup><a href="https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0354"> S0354 </a> </td> <td> <a href="/versions/v16/software/S0354"> Denis </a> </td> <td> <p><a href="/versions/v16/software/S0354">Denis</a> has encoded its PowerShell commands in Base64.<span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0367"> S0367 </a> </td> <td> <a href="/versions/v16/software/S0367"> Emotet </a> </td> <td> <p><a href="/versions/v16/software/S0367">Emotet</a> has obfuscated macros within malicious documents to hide the URLs hosting the malware, CMD.exe arguments, and PowerShell scripts. 
<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019."data-reference="Talos Emotet Jan 2019"><sup><a href="https://blog.talosintelligence.com/2019/01/return-of-emotet.html" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019."data-reference="Trend Micro Emotet Jan 2019"><sup><a href="https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span><span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. Retrieved March 25, 2019."data-reference="Picus Emotet Dec 2018"><sup><a href="https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span><span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Perez, D. (2018, December 28). Analysis of the latest Emotet propagation campaign. 
Retrieved April 16, 2019."data-reference="ESET Emotet Dec 2018"><sup><a href="https://www.welivesecurity.com/2018/12/28/analysis-latest-emotet-propagation-campaign/" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0363"> S0363 </a> </td> <td> <a href="/versions/v16/software/S0363"> Empire </a> </td> <td> <p><a href="/versions/v16/software/S0363">Empire</a> has the ability to obfuscate commands using <code>Invoke-Obfuscation</code>.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire"><sup><a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0037"> G0037 </a> </td> <td> <a href="/versions/v16/groups/G0037"> FIN6 </a> </td> <td> <p><a href="/versions/v16/groups/G0037">FIN6</a> has used encoded PowerShell commands.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. 
Retrieved September 16, 2019."data-reference="Visa FIN6 Feb 2019"><sup><a href="https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0046"> G0046 </a> </td> <td> <a href="/versions/v16/groups/G0046"> FIN7 </a> </td> <td> <p><a href="/versions/v16/groups/G0046">FIN7</a> has used fragmented strings, environment variables, standard input (stdin), and native character-replacement functionalities to obfuscate commands.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018."data-reference="FireEye Obfuscation June 2017"><sup><a href="https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018."data-reference="FireEye FIN7 Aug 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. 
Retrieved September 20, 2021."data-reference="CrowdStrike Carbon Spider August 2021"><sup><a href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0061"> G0061 </a> </td> <td> <a href="/versions/v16/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/versions/v16/groups/G0061">FIN8</a> has used environment variables and standard input (stdin) to obfuscate command-line arguments. <a href="/versions/v16/groups/G0061">FIN8</a> also obfuscates malicious macros delivered as payloads.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Bohannon, D. & Carr N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018."data-reference="FireEye Obfuscation June 2017"><sup><a href="https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span><span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018."data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span><span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Martin Zugec. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. 
Retrieved September 1, 2021."data-reference="Bitdefender FIN8 July 2021"><sup><a href="https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0117"> G0117 </a> </td> <td> <a href="/versions/v16/groups/G0117"> Fox Kitten </a> </td> <td> <p><a href="/versions/v16/groups/G0117">Fox Kitten</a> has base64 encoded scripts to avoid detection.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020."data-reference="CISA AA20-259A Iran-Based Actor September 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0001"> C0001 </a> </td> <td> <a href="/versions/v16/campaigns/C0001"> Frankenstein </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0001">Frankenstein</a>, the threat actors ran encoded commands from the command line.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. 
Retrieved May 11, 2020."data-reference="Talos Frankenstein June 2019"><sup><a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0277"> S0277 </a> </td> <td> <a href="/versions/v16/software/S0277"> FruitFly </a> </td> <td> <p><a href="/versions/v16/software/S0277">FruitFly</a> executes and stores obfuscated Perl scripts.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Patrick Wardle. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018."data-reference="objsee mac malware 2017"><sup><a href="https://objective-see.com/blog/blog_0x25.html" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0047"> G0047 </a> </td> <td> <a href="/versions/v16/groups/G0047"> Gamaredon Group </a> </td> <td> <p><a href="/versions/v16/groups/G0047">Gamaredon Group</a> has used obfuscated or encrypted scripts.<span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."data-reference="ESET Gamaredon June 2020"><sup><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span><span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. 
Retrieved February 18, 2022."data-reference="Microsoft Actinium February 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0115"> G0115 </a> </td> <td> <a href="/versions/v16/groups/G0115"> GOLD SOUTHFIELD </a> </td> <td> <p><a href="/versions/v16/groups/G0115">GOLD SOUTHFIELD</a> has executed base64 encoded PowerShell scripts on compromised hosts.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Tetra Defense. (2020, March). CAUSE AND EFFECT: SODINOKIBI RANSOMWARE ANALYSIS. Retrieved December 14, 2020."data-reference="Tetra Defense Sodinokibi March 2020"><sup><a href="https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1001"> G1001 </a> </td> <td> <a href="/versions/v16/groups/G1001"> HEXANE </a> </td> <td> <p><a href="/versions/v16/groups/G1001">HEXANE</a> has used Base64-encoded scripts.<span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. 
Retrieved June 14, 2022."data-reference="Kaspersky Lyceum October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1022"> S1022 </a> </td> <td> <a href="/versions/v16/software/S1022"> IceApple </a> </td> <td> <p><a href="/versions/v16/software/S1022">IceApple</a> can use Base64 and "junk" JavaScript code to obfuscate information.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="CrowdStrike. (2022, May). ICEAPPLE: A NOVEL INTERNET INFORMATION SERVICES (IIS) POST-EXPLOITATION FRAMEWORK. Retrieved June 27, 2022."data-reference="CrowdStrike IceApple May 2022"><sup><a href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0669"> S0669 </a> </td> <td> <a href="/versions/v16/software/S0669"> KOCTOPUS </a> </td> <td> <p><a href="/versions/v16/software/S0669">KOCTOPUS</a> has obfuscated scripts with the BatchEncryption tool.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. 
Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021"><sup><a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0140"> G0140 </a> </td> <td> <a href="/versions/v16/groups/G0140"> LazyScripter </a> </td> <td> <p><a href="/versions/v16/groups/G0140">LazyScripter</a> has leveraged the BatchEncryption tool to perform advanced batch script obfuscation and encoding techniques.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021"><sup><a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0077"> G0077 </a> </td> <td> <a href="/versions/v16/groups/G0077"> Leafminer </a> </td> <td> <p><a href="/versions/v16/groups/G0077">Leafminer</a> obfuscated scripts that were used on victim machines.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. 
Retrieved August 28, 2018."data-reference="Symantec Leafminer July 2018"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0451"> S0451 </a> </td> <td> <a href="/versions/v16/software/S0451"> LoudMiner </a> </td> <td> <p><a href="/versions/v16/software/S0451">LoudMiner</a> has obfuscated various scripts.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020."data-reference="ESET LoudMiner June 2019"><sup><a href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0409"> S0409 </a> </td> <td> <a href="/versions/v16/software/S0409"> Machete </a> </td> <td> <p><a href="/versions/v16/software/S0409">Machete</a> has used pyobfuscate, zlib compression, and base64 encoding for obfuscation. <a href="/versions/v16/groups/G0095">Machete</a> has also used some visual obfuscation techniques by naming variables as combinations of letters to hinder analysis.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019."data-reference="Cylance Machete Mar 2017"><sup><a href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span><span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="ESET. (2019, July). 
MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019."data-reference="ESET Machete July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0059"> G0059 </a> </td> <td> <a href="/versions/v16/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/versions/v16/groups/G0059">Magic Hound</a> has used base64-encoded commands.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017."data-reference="Unit 42 Magic Hound Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span><span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023."data-reference="Microsoft Iranian Threat Actor Trends November 2021"><sup><a href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0069"> G0069 </a> </td> <td> <a href="/versions/v16/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/versions/v16/groups/G0069">MuddyWater</a> has used Daniel Bohannon’s Invoke-Obfuscation framework and obfuscated PowerShell scripts.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Lancaster, T.. (2017, November 14). 
Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018."data-reference="Unit 42 MuddyWater Nov 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Bohannon, D.. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017."data-reference="GitHub Invoke-Obfuscation"><sup><a href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span> The group has also used other obfuscation methods, including Base64 obfuscation of VBScripts and PowerShell commands.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Lancaster, T.. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018."data-reference="Unit 42 MuddyWater Nov 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span><span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Singh, S. et al.. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018."data-reference="FireEye MuddyWater Mar 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span><span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). 
MuddyWater expands operations. Retrieved November 2, 2018."data-reference="Securelist MuddyWater Oct 2018"><sup><a href="https://securelist.com/muddywater/88059/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span><span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019."data-reference="Talos MuddyWater May 2019"><sup><a href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span><span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020."data-reference="ClearSky MuddyWater June 2019"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span><span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021."data-reference="Trend Micro Muddy Water March 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span><span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Malhortra, A and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. 
Retrieved June 22, 2022."data-reference="Talos MuddyWater Jan 2022"><sup><a href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0457"> S0457 </a> </td> <td> <a href="/versions/v16/software/S0457"> Netwalker </a> </td> <td> <p><a href="/versions/v16/software/S0457">Netwalker</a>'s PowerShell script has been obfuscated with multiple layers including base64 and hexadecimal encoding and XOR-encryption, as well as obfuscated PowerShell functions and variables.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Victor, K.. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading . Retrieved May 26, 2020."data-reference="TrendMicro Netwalker May 2020"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span><span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="Szappanos, G., Brandt, A.. (2020, May 27). Netwalker ransomware tools give insight into threat actor. 
Retrieved May 27, 2020."data-reference="Sophos Netwalker May 2020"><sup><a href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0012"> C0012 </a> </td> <td> <a href="/versions/v16/campaigns/C0012"> Operation CuckooBees </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0012">Operation CuckooBees</a>, the threat actors executed an encoded VBScript file.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022."data-reference="Cybereason OperationCuckooBees May 2022"><sup><a href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/campaigns/C0014"> C0014 </a> </td> <td> <a href="/versions/v16/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors executed PowerShell commands which were encoded or compressed using Base64, zlib, and XOR.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. 
Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019"><sup><a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0040"> G0040 </a> </td> <td> <a href="/versions/v16/groups/G0040"> Patchwork </a> </td> <td> <p><a href="/versions/v16/groups/G0040">Patchwork</a> has obfuscated a script with Crypto Obfuscator.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018."data-reference="TrendMicro Patchwork Dec 2017"><sup><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G1040"> G1040 </a> </td> <td> <a href="/versions/v16/groups/G1040"> Play </a> </td> <td> <p><a href="/versions/v16/groups/G1040">Play</a> has used Base64-encoded PowerShell scripts for post exploit activities on compromised hosts.<span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. 
Retrieved September 24, 2024."data-reference="Trend Micro Ransomware Spotlight Play July 2023"><sup><a href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0428"> S0428 </a> </td> <td> <a href="/versions/v16/software/S0428"> PoetRAT </a> </td> <td> <p><a href="/versions/v16/software/S0428">PoetRAT</a> has used <code>pyminifier</code> to obfuscate scripts.<span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Mercer, W. Rascagneres, P. Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021."data-reference="Talos PoetRAT October 2020"><sup><a href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0685"> S0685 </a> </td> <td> <a href="/versions/v16/software/S0685"> PowerPunch </a> </td> <td> <p><a href="/versions/v16/software/S0685">PowerPunch</a> can use Base64-encoded scripts.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. 
Retrieved February 18, 2022."data-reference="Microsoft Actinium February 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0194"> S0194 </a> </td> <td> <a href="/versions/v16/software/S0194"> PowerSploit </a> </td> <td> <p><a href="/versions/v16/software/S0194">PowerSploit</a> contains a collection of ScriptModification modules that compress and encode scripts and payloads.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018."data-reference="GitHub PowerSploit May 2012"><sup><a href="https://github.com/PowerShellMafia/PowerSploit" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span><span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018."data-reference="PowerSploit Documentation"><sup><a href="http://powersploit.readthedocs.io" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0223"> S0223 </a> </td> <td> <a href="/versions/v16/software/S0223"> POWERSTATS </a> </td> <td> <p><a href="/versions/v16/software/S0223">POWERSTATS</a> uses character replacement, <a href="/versions/v16/techniques/T1059/001">PowerShell</a> environment variables, and XOR encoding to obfuscate code. <a href="/versions/v16/software/S0223">POWERSTATS</a>'s backdoor code is a multi-layer obfuscated, encoded, and compressed blob. <span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="Singh, S. et al.. (2018, March 13). 
Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018."data-reference="FireEye MuddyWater Mar 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span><span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018."data-reference="ClearSky MuddyWater Nov 2018"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span> <a href="/versions/v16/software/S0223">POWERSTATS</a> has used PowerShell code with custom string obfuscation <span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020."data-reference="TrendMicro POWERSTATS V3 June 2019"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0650"> S0650 </a> </td> <td> <a href="/versions/v16/software/S0650"> QakBot </a> </td> <td> <p><a href="/versions/v16/software/S0650">QakBot</a> can use obfuscated and encoded scripts.<span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Cyberint. (2021, May 25). Qakbot Banking Trojan. 
Retrieved September 27, 2021."data-reference="Cyberint Qakbot May 2021"><sup><a href="https://blog.cyberint.com/qakbot-banking-trojan" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span><span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023."data-reference="Trend Micro Black Basta October 2022"><sup><a href="https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0269"> S0269 </a> </td> <td> <a href="/versions/v16/software/S0269"> QUADAGENT </a> </td> <td> <p><a href="/versions/v16/software/S0269">QUADAGENT</a> was likely obfuscated using <code>Invoke-Obfuscation</code>.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018."data-reference="Unit 42 QUADAGENT July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. 
Retrieved June 18, 2017."data-reference="GitHub Invoke-Obfuscation"><sup><a href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0270"> S0270 </a> </td> <td> <a href="/versions/v16/software/S0270"> RogueRobin </a> </td> <td> <p>The PowerShell script with the <a href="/versions/v16/software/S0270">RogueRobin</a> payload was obfuscated using the COMPRESS technique in <code>Invoke-Obfuscation</code>.<span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018."data-reference="Unit 42 DarkHydrus July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span><span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017."data-reference="GitHub Invoke-Obfuscation"><sup><a href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0034"> G0034 </a> </td> <td> <a href="/versions/v16/groups/G0034"> Sandworm Team </a> </td> <td> <p><a href="/versions/v16/groups/G0034">Sandworm Team</a> has used ROT13 encoding, AES encryption and compression with the zlib library for their Python-based backdoor.<span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. 
Retrieved June 10, 2020."data-reference="ESET Telebots Dec 2016"><sup><a href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S1085"> S1085 </a> </td> <td> <a href="/versions/v16/software/S1085"> Sardonic </a> </td> <td> <p><a href="/versions/v16/software/S1085">Sardonic</a> PowerShell scripts can be encrypted with RC4 and compressed using Gzip.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023."data-reference="Bitdefender Sardonic Aug 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0450"> S0450 </a> </td> <td> <a href="/versions/v16/software/S0450"> SHARPSTATS </a> </td> <td> <p><a href="/versions/v16/software/S0450">SHARPSTATS</a> has used base64 encoding and XOR to obfuscate PowerShell scripts.<span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. 
Retrieved May 14, 2020."data-reference="TrendMicro POWERSTATS V3 June 2019"><sup><a href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0589"> S0589 </a> </td> <td> <a href="/versions/v16/software/S0589"> Sibot </a> </td> <td> <p><a href="/versions/v16/software/S0589">Sibot</a> has obfuscated scripts used in execution.<span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0121"> G0121 </a> </td> <td> <a href="/versions/v16/groups/G0121"> Sidewinder </a> </td> <td> <p><a href="/versions/v16/groups/G0121">Sidewinder</a> has used base64 encoding for scripts.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021."data-reference="ATT Sidewinder January 2021"><sup><a href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span><span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. 
Retrieved January 29, 2021."data-reference="Rewterz Sidewinder APT April 2020"><sup><a href="https://www.rewterz.com/threats/sidewinder-apt-group-campaign-analysis" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0091"> G0091 </a> </td> <td> <a href="/versions/v16/groups/G0091"> Silence </a> </td> <td> <p><a href="/versions/v16/groups/G0091">Silence</a> has used environment variable string substitution for obfuscation.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019."data-reference="Cyber Forensicator Silence Jan 2019"><sup><a href="https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0390"> S0390 </a> </td> <td> <a href="/versions/v16/software/S0390"> SQLRat </a> </td> <td> <p><a href="/versions/v16/software/S0390">SQLRat</a> has used a character insertion obfuscation technique, making the script appear to contain Chinese characters.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. 
Retrieved June 18, 2019."data-reference="Flashpoint FIN 7 March 2019"><sup><a href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0092"> G0092 </a> </td> <td> <a href="/versions/v16/groups/G0092"> TA505 </a> </td> <td> <p><a href="/versions/v16/groups/G0092">TA505</a> has used base64 encoded PowerShell commands.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019."data-reference="Cybereason TA505 April 2019"><sup><a href="https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span><span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024."data-reference="Deep Instinct TA505 Apr 2019"><sup><a href="https://www.deepinstinct.com/blog/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0127"> G0127 </a> </td> <td> <a href="/versions/v16/groups/G0127"> TA551 </a> </td> <td> <p><a href="/versions/v16/groups/G0127">TA551</a> has used obfuscated variable names in a JavaScript configuration file.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. 
Retrieved August 31, 2020."data-reference="Unit 42 Valak July 2020"><sup><a href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0010"> G0010 </a> </td> <td> <a href="/versions/v16/groups/G0010"> Turla </a> </td> <td> <p><a href="/versions/v16/groups/G0010">Turla</a> has used encryption (including salted 3DES via <a href="/versions/v16/software/S0194">PowerSploit</a>'s <code>Out-EncryptedScript.ps1</code>), random variable names, and base64 encoding to obfuscate PowerShell commands and payloads.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019."data-reference="ESET Turla PowerShell May 2019"><sup><a href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0386"> S0386 </a> </td> <td> <a href="/versions/v16/software/S0386"> Ursnif </a> </td> <td> <p><a href="/versions/v16/software/S0386">Ursnif</a> droppers execute base64 encoded <a href="/versions/v16/techniques/T1059/001">PowerShell</a> commands.<span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. 
Retrieved June 10, 2019."data-reference="Bromium Ursnif Mar 2017"><sup><a href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/groups/G0102"> G0102 </a> </td> <td> <a href="/versions/v16/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/versions/v16/groups/G0102">Wizard Spider</a> used Base64 encoding to obfuscate an <a href="/versions/v16/software/S0363">Empire</a> service and PowerShell commands.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020."data-reference="FireEye Ryuk and Trickbot January 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a></sup></span><span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020."data-reference="DFIR Ryuk's Return October 2020"><sup><a href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v16/software/S0330"> S0330 </a> </td> <td> <a href="/versions/v16/software/S0330"> Zeus Panda </a> </td> <td> <p><a href="/versions/v16/software/S0330">Zeus Panda</a> obfuscates the macro commands in its initial payload.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Brumaghin, E., et al. (2017, November 02). Poisoning the Well: Banking Trojan Targets Google Search Results. 
Retrieved November 5, 2018."data-reference="Talos Zeus Panda Nov 2017"><sup><a href="https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id ="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v16/mitigations/M1049"> M1049 </a> </td> <td> <a href="/versions/v16/mitigations/M1049"> Antivirus/Antimalware </a> </td> <td> <p>Consider utilizing the Antimalware Scan Interface (AMSI) on Windows 10+ to analyze commands after being processed/interpreted. </p> </td> </tr> <tr> <td> <a href="/versions/v16/mitigations/M1040"> M1040 </a> </td> <td> <a href="/versions/v16/mitigations/M1040"> Behavior Prevention on Endpoint </a> </td> <td> <p>On Windows 10+, enable Attack Surface Reduction (ASR) rules to block execution of potentially obfuscated scripts.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Microsoft. (2023, February 22). Attack surface reduction (ASR) rules reference: Block execution of potentially obfuscated scripts. 
Retrieved March 17, 2023."data-reference="Microsoft ASR Obfuscation"><sup><a href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-execution-of-potentially-obfuscated-scripts" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/versions/v16/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments for indicators of obfuscation and potentially suspicious syntax such as uninterpreted escape characters (e.g., <code>^</code>).</p><p>Also monitor command-lines for syntax-specific signs of obfuscation, such as variations of arguments associated with encoding.</p> </td> </tr> <tr class="datasource" id="uses-DS0022"> <td> <a href="/versions/v16/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0022">File</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0022/#File%20Metadata">File Metadata</a> </td> <td> <p>Scripts containing obfuscated content may have higher entropy of characters/strings.</p> </td> </tr> <tr class="datasource" id="uses-DS0012"> <td> <a href="/versions/v16/datasources/DS0012">DS0012</a> </td> <td class="nowrap"> <a href="/versions/v16/datasources/DS0012">Script</a> </td> <!-- Add first data component here --> <td> <a 
href="/datasources/DS0012/#Script%20Execution">Script Execution</a> </td> <td> <p>Monitor executed scripts for indicators of obfuscation and potentially suspicious command syntax, such as uninterpreted escape characters (e.g., <code>^</code>).</p><p>Also monitor commands within scripts for syntax-specific signs of obfuscation, such as encoded or otherwise unreadable blobs of characters.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-1" href="https://www.akamai.com/blog/security/catch-me-if-you-can-javascript-obfuscation" target="_blank"> Katz, O. (2020, October 26). Catch Me if You Can—JavaScript Obfuscation. Retrieved March 17, 2023. </a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://bromiley.medium.com/malware-monday-vbscript-and-vbe-files-292252c1a16" target="_blank"> Bromiley, M. (2016, December 27). Malware Monday: VBScript and VBE Files. Retrieved March 17, 2023. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://redcanary.com/threat-detection-report/techniques/powershell/" target="_blank"> Red Canary. (n.d.). 2022 Threat Detection Report: PowerShell. Retrieved March 17, 2023. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://learn.microsoft.com/powershell/module/microsoft.powershell.core/about/about_powershell_exe?view=powershell-5.1#-encodedcommand-base64encodedcommand" target="_blank"> Microsoft. (2023, February 8). about_PowerShell_exe: EncodedCommand. 
Retrieved March 17, 2023. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://bashfuscator.readthedocs.io/en/latest/Mutators/command_obfuscators/index.html" target="_blank"> LeFevre, A. (n.d.). Bashfuscator Command Obfuscators. Retrieved March 17, 2023. </a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://web.archive.org/web/20170923102302/https://www.fireeye.com/blog/threat-research/2017/06/obfuscation-in-the-wild.html" target="_blank"> Bohannon, D. & Carr, N. (2017, June 30). Obfuscation in the Wild: Targeted Attackers Lead the Way in Evasion Techniques. Retrieved February 12, 2018. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://x.com/rfackroyd/status/1639136000755765254" target="_blank"> Ackroyd, R. (2023, March 24). Twitter. Retrieved September 12, 2024. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://github.com/danielbohannon/Invoke-DOSfuscation" target="_blank"> Bohannon, D. (2018, March 19). Invoke-DOSfuscation. Retrieved March 17, 2023. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank"> Bohannon, D. (2016, September 24). Invoke-Obfuscation. Retrieved March 17, 2023. 
</a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="https://www.fireeye.com/blog/threat-research/2017/06/phished-at-the-request-of-counsel.html" target="_blank"> Ahl, I. (2017, June 06). Privileges and Credentials: Phished at the Request of Counsel. Retrieved May 17, 2018. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank"> Carr, N. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://github.com/danielbohannon/Invoke-Obfuscation" target="_blank"> Bohannon, D. (2017, March 13). Invoke-Obfuscation - PowerShell Obfuscator. Retrieved June 18, 2017. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://www.crowdstrike.com/blog/overwatch-exposes-aquatic-panda-in-possession-of-log-4-shell-exploit-tools/" target="_blank"> Wiley, B. et al. (2021, December 29). OverWatch Exposes AQUATIC PANDA in Possession of Log4Shell Exploit Tools During Hands-on Intrusion Attempt. Retrieved January 18, 2022. 
</a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.cybereason.com/blog/information-stealing-malware-targeting-brazil-full-research" target="_blank"> Salem, E. (2019, February 13). ASTAROTH MALWARE USES LEGITIMATE OS AND ANTIVIRUS PROCESSES TO STEAL PASSWORDS AND PERSONAL DATA. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank"> Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" target="_blank"> Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://blog.talosintelligence.com/avoslocker-new-arsenal/" target="_blank"> Venere, G. Neal, C. (2022, June 21). Avos ransomware group expands with new attack arsenal. Retrieved January 11, 2023. 
</a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.linkedin.com/pulse/raas-avoslocker-incident-response-analysis-fl%C3%A1vio-costa?trk=articles_directory" target="_blank"> Costa, F. (2022, May 1). RaaS AvosLocker Incident Response Analysis. Retrieved January 11, 2023. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.fireeye.com/blog/threat-research/2018/11/not-so-cozy-an-uncomfortable-examination-of-a-suspected-apt29-phishing-campaign.html" target="_blank"> Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.microsoft.com/security/blog/2018/12/03/analysis-of-cyberattack-on-u-s-think-tanks-non-profits-public-sector-by-unidentified-attackers/" target="_blank"> Microsoft Defender Research Team. (2018, December 3). Analysis of cyberattack on U.S. think tanks, non-profits, public sector by unidentified attackers. Retrieved April 15, 2019. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://unit42.paloaltonetworks.com/unit42-the-fractured-block-campaign-carrotbat-malware-used-to-deliver-malware-targeting-southeast-asia/" target="_blank"> Grunzweig, J. and Wilhoit, K. (2018, November 29). The Fractured Block Campaign: CARROTBAT Used to Deliver Malware Targeting Southeast Asia. Retrieved June 2, 2020. 
</a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank"> Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://blog.talosintelligence.com/2018/07/multiple-cobalt-personality-disorder.html" target="_blank"> Svajcer, V. (2018, July 31). Multiple Cobalt Personality Disorder. Retrieved September 5, 2018. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://blog.morphisec.com/cobalt-gang-2.0" target="_blank"> Gorelik, M. (2018, October 08). Cobalt Group 2.0. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank"> Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a" target="_blank"> CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. 
</a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://unit42.paloaltonetworks.com/mac-malware-steals-cryptocurrency-exchanges-cookies/" target="_blank"> Chen, y., et al. (2019, January 31). Mac Malware Steals Cryptocurrency Exchanges’ Cookies. Retrieved July 22, 2020. </a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://web.archive.org/web/20220629230035/https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank"> Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://blog.talosintelligence.com/2019/01/return-of-emotet.html" target="_blank"> Brumaghin, E. (2019, January 15). Emotet re-emerges after the holidays. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://documents.trendmicro.com/assets/white_papers/ExploringEmotetsActivities_Final.pdf" target="_blank"> Trend Micro. (2019, January 16). Exploring Emotet's Activities. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://www.picussecurity.com/blog/the-christmas-card-you-never-wanted-a-new-wave-of-emotet-is-back-to-wreak-havoc.html" target="_blank"> Özarslan, S. (2018, December 21). The Christmas Card you never wanted - A new wave of Emotet is back to wreak havoc. 
Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://www.welivesecurity.com/2018/12/28/analysis-latest-emotet-propagation-campaign/" target="_blank"> Perez, D. (2018, December 28). Analysis of the latest Emotet propagation campaign. Retrieved April 16, 2019. </a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). GitHub PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://usa.visa.com/dam/VCOM/global/support-legal/documents/fin6-cybercrime-group-expands-threat-To-ecommerce-merchants.pdf" target="_blank"> Visa Public. (2019, February). FIN6 Cybercrime Group Expands Threat to eCommerce Merchants. Retrieved September 16, 2019. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" target="_blank"> Carr, N., et al. (2018, August 1). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank"> Loui, E. and Reynolds, J. (2021, August 30). 
CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. and Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated &amp; Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://businessinsights.bitdefender.com/deep-dive-into-a-fin8-attack-a-forensic-investigation" target="_blank"> Zugec, M. (2021, July 27). Deep Dive Into a FIN8 Attack - A Forensic Investigation. Retrieved September 1, 2021. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank"> CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank"> Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://objective-see.com/blog/blog_0x25.html" target="_blank"> Wardle, P. (n.d.). Mac Malware of 2017. Retrieved September 21, 2018. 
</a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank"> Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" target="_blank"> Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.tetradefense.com/incident-response-services/cause-and-effect-sodinokibi-ransomware-analysis" target="_blank"> Tetra Defense. (2020, March). Cause and Effect: Sodinokibi Ransomware Analysis. Retrieved December 14, 2020. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank"> Kayal, A. et al. (2021, October). Lyceum Reborn: Counterintelligence in the Middle East. Retrieved June 14, 2022. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="47"> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.crowdstrike.com/wp-content/uploads/2022/05/crowdstrike-iceapple-a-novel-internet-information-services-post-exploitation-framework.pdf" target="_blank"> CrowdStrike. (2022, May). 
IceApple: A Novel Internet Information Services (IIS) Post-Exploitation Framework. Retrieved June 27, 2022. </a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank"> Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://www.symantec.com/blogs/threat-intelligence/leafminer-espionage-middle-east" target="_blank"> Symantec Security Response. (2018, July 25). Leafminer: New Espionage Campaigns Targeting Middle Eastern Regions. Retrieved August 28, 2018. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.welivesecurity.com/2019/06/20/loudminer-mining-cracked-vst-software/" target="_blank"> Malik, M. (2019, June 20). LoudMiner: Cross-platform mining in cracked VST software. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://threatvector.cylance.com/en_us/home/el-machete-malware-attacks-cut-through-latam.html" target="_blank"> The Cylance Threat Research Team. (2017, March 22). El Machete's Malware Attacks Cut Through LATAM. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). 
Machete Just Got Sharper: Venezuelan Government Institutions Under Attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://researchcenter.paloaltonetworks.com/2017/02/unit42-magic-hound-campaign-attacks-saudi-targets/" target="_blank"> Lee, B. and Falcone, R. (2017, February 15). Magic Hound Campaign Attacks Saudi Targets. Retrieved December 27, 2017. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.microsoft.com/en-us/security/blog/2021/11/16/evolving-trends-in-iranian-threat-actor-activity-mstic-presentation-at-cyberwarcon-2021" target="_blank"> MSTIC. (2021, November 16). Evolving trends in Iranian threat actor activity – MSTIC presentation at CyberWarCon 2021. Retrieved January 12, 2023. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://researchcenter.paloaltonetworks.com/2017/11/unit42-muddying-the-water-targeted-attacks-in-the-middle-east/" target="_blank"> Lancaster, T. (2017, November 14). Muddying the Water: Targeted Attacks in the Middle East. Retrieved March 15, 2018. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www.fireeye.com/blog/threat-research/2018/03/iranian-threat-group-updates-ttps-in-spear-phishing-campaign.html" target="_blank"> Singh, S. et al. (2018, March 13). Iranian Threat Group Updates Tactics, Techniques and Procedures in Spear Phishing Campaign. Retrieved April 11, 2018. 
</a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://securelist.com/muddywater/88059/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2018, October 10). MuddyWater expands operations. Retrieved November 2, 2018. </a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://blog.talosintelligence.com/2019/05/recent-muddywater-associated-blackwater.html" target="_blank"> Adamitis, D. et al. (2019, May 20). Recent MuddyWater-associated BlackWater campaign shows signs of new anti-detection techniques. Retrieved June 5, 2019. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://www.clearskysec.com/wp-content/uploads/2019/06/Clearsky-Iranian-APT-group-%E2%80%98MuddyWater%E2%80%99-Adds-Exploits-to-Their-Arsenal.pdf" target="_blank"> ClearSky. (2019, June). Iranian APT group ‘MuddyWater’ Adds Exploits to Their Arsenal. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.trendmicro.com/en_us/research/21/c/earth-vetala---muddywater-continues-to-target-organizations-in-t.html" target="_blank"> Peretz, A. and Theck, E. (2021, March 5). Earth Vetala – MuddyWater Continues to Target Organizations in the Middle East. Retrieved March 18, 2021. 
</a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://blog.talosintelligence.com/2022/01/iranian-apt-muddywater-targets-turkey.html" target="_blank"> Malhotra, A. and Ventura, V. (2022, January 31). Iranian APT MuddyWater targets Turkish users via malicious PDFs, executables. Retrieved June 22, 2022. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://blog.trendmicro.com/trendlabs-security-intelligence/netwalker-fileless-ransomware-injected-via-reflective-loading/" target="_blank"> Victor, K. (2020, May 18). Netwalker Fileless Ransomware Injected via Reflective Loading. Retrieved May 26, 2020. </a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://news.sophos.com/en-us/2020/05/27/netwalker-ransomware-tools-give-insight-into-threat-actor/" target="_blank"> Szappanos, G., Brandt, A. (2020, May 27). Netwalker ransomware tools give insight into threat actor. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank"> Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. 
(2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank"> Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="https://www.trendmicro.com/vinfo/us/security/news/ransomware-spotlight/ransomware-spotlight-play" target="_blank"> Trend Micro Research. (2023, July 21). Ransomware Spotlight: Play. Retrieved September 24, 2024. </a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://blog.talosintelligence.com/2020/10/poetrat-update.html" target="_blank"> Mercer, W., Rascagneres, P., Ventura, V. (2020, October 6). PoetRAT: Malware targeting public and private sector in Azerbaijan evolves. Retrieved April 9, 2021. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://github.com/PowerShellMafia/PowerSploit" target="_blank"> PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="http://powersploit.readthedocs.io" target="_blank"> PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. 
</a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank"> ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://blog.trendmicro.com/trendlabs-security-intelligence/muddywater-resurfaces-uses-multi-stage-backdoor-powerstats-v3-and-new-post-exploitation-tools/" target="_blank"> Lunghi, D. and Horejsi, J. (2019, June 10). MuddyWater Resurfaces, Uses Multi-Stage Backdoor POWERSTATS V3 and New Post-Exploitation Tools. Retrieved May 14, 2020. </a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://blog.cyberint.com/qakbot-banking-trojan" target="_blank"> Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.trendmicro.com/en_us/research/22/j/black-basta-infiltrates-networks-via-qakbot-brute-ratel-and-coba.html" target="_blank"> Kenefick, I. et al. (2022, October 12). Black Basta Ransomware Gang Infiltrates Networks via QAKBOT, Brute Ratel, and Cobalt Strike. Retrieved February 6, 2023. 
</a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank"> Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-new-threat-actor-group-darkhydrus-targets-middle-east-government/" target="_blank"> Falcone, R., et al. (2018, July 27). New Threat Actor Group DarkHydrus Targets Middle East Government. Retrieved August 2, 2018. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://www.welivesecurity.com/2016/12/13/rise-telebots-analyzing-disruptive-killdisk-attacks/" target="_blank"> Cherepanov, A. (2016, December 13). The rise of TeleBots: Analyzing disruptive KillDisk attacks. Retrieved June 10, 2020. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://www.bitdefender.com/files/News/CaseStudies/study/401/Bitdefender-PR-Whitepaper-FIN8-creat5619-en-EN.pdf" target="_blank"> Budaca, E., et al. (2021, August 25). FIN8 Threat Actor Goes Agile with New Sardonic Backdoor. Retrieved August 9, 2023. 
</a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://cdn-cybersecurity.att.com/docs/global-perspective-of-the-sidewinder-apt.pdf" target="_blank"> Hegel, T. (2021, January 13). A Global Perspective of the SideWinder APT. Retrieved January 27, 2021. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://www.rewterz.com/threats/sidewinder-apt-group-campaign-analysis" target="_blank"> Rewterz. (2020, April 20). Sidewinder APT Group Campaign Analysis. Retrieved January 29, 2021. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/" target="_blank"> Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank"> Platt, J. and Reeves, J. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. 
Retrieved June 18, 2019. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="https://www.cybereason.com/blog/threat-actor-ta505-targets-financial-enterprises-using-lolbins-and-a-new-backdoor-malware" target="_blank"> Salem, E. (2019, April 25). Threat Actor TA505 Targets Financial Enterprises Using LOLBins and a New Backdoor Malware. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://www.deepinstinct.com/blog/new-servhelper-variant-employs-excel-4-0-macro-to-drop-signed-payload" target="_blank"> Vilkomir-Preisman, S. (2019, April 2). New ServHelper Variant Employs Excel 4.0 Macro to Drop Signed Payload. Retrieved September 16, 2024. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank"> Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://www.welivesecurity.com/2019/05/29/turla-powershell-usage/" target="_blank"> Faou, M. and Dumont, R. (2019, May 29). A dive into Turla PowerShell usage. Retrieved June 14, 2019. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://www.bromium.com/how-ursnif-evades-detection/" target="_blank"> Holland, A. (2019, March 7). Tricks and COMfoolery: How Ursnif Evades Detection. Retrieved June 10, 2019. 
</a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.fireeye.com/blog/threat-research/2019/01/a-nasty-trick-from-credential-theft-malware-to-business-disruption.html" target="_blank"> Goody, K., et al. (2019, January 11). A Nasty Trick: From Credential Theft Malware to Business Disruption. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://thedfirreport.com/2020/10/08/ryuks-return/" target="_blank"> The DFIR Report. (2020, October 8). Ryuk’s Return. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://blog.talosintelligence.com/2017/11/zeus-panda-campaign.html#More" target="_blank"> Brumaghin, E., et al. (2017, November 2). Poisoning the Well: Banking Trojan Targets Google Search Results. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://learn.microsoft.com/microsoft-365/security/defender-endpoint/attack-surface-reduction-rules-reference#block-execution-of-potentially-obfuscated-scripts" target="_blank"> Microsoft. (2023, February 22). Attack surface reduction (ASR) rules reference: Block execution of potentially obfuscated scripts. Retrieved March 17, 2023. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> <!--stop-indexing-for-search--> <div class="row flex-grow-0 flex-shrink-1"> <!-- footer elements --> <footer class="col footer"> <div class="container-fluid"> <div class="row row-footer"> <div class="col-2 col-sm-2 col-md-2"> <div class="footer-center-responsive my-auto"> <a href="https://www.mitre.org" target="_blank" rel="noopener" aria-label="MITRE"> <img src="/versions/v16/theme/images/mitrelogowhiteontrans.gif" class="mitre-logo-wtrans"> </a> </div> </div> <div class="col-2 col-sm-2 footer-responsive-break"></div> <div class="footer-link-group"> <div class="row row-footer"> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/engage-with-attack/contact" class="footer-link">Contact Us</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a href="/versions/v16/resources/legal-and-branding/terms-of-use" class="footer-link">Terms of Use</a></u> </div> <div class="px-3 col-footer"> <u class="footer-link"><a 
href="/versions/v16/resources/legal-and-branding/privacy" class="footer-link">Privacy Policy</a></u> </div> <div class="px-3"> <u class="footer-link"><a href="/versions/v16/resources/changelog.html" class="footer-link" data-toggle="tooltip" data-placement="top" data-html="true" title="ATT&amp;CK content v16.1&#013;Website v4.2.1">Website Changelog</a></u> </div> </div> <div class="row"> <small class="px-3"> &copy;&nbsp;2015&nbsp;-&nbsp;2024, The MITRE Corporation. MITRE ATT&amp;CK and ATT&amp;CK are registered trademarks of The MITRE Corporation. </small> </div> </div> <div class="w-100 p-2 footer-responsive-break"></div> <div class="col pr-4"> <div class="footer-float-right-responsive-brand"> <div class="row row-footer row-footer-icon"> <div class="mb-1"> <a href="https://twitter.com/MITREattack" class="btn btn-footer"> <i class="fa-brands fa-x-twitter fa-lg"></i> </a> <a href="https://github.com/mitre-attack" class="btn btn-footer"> <i class="fa-brands fa-github fa-lg"></i> </a> </div> </div> </div> </div> </div> </div> </div> </footer> </div> </div> <!--stopindex--> </div> </body> </html>
