
TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping | Google Cloud Blog

<!doctype html><html lang="en-US" dir="ltr"><head><base href="https://cloud.google.com/blog/"><link rel="preconnect" href="//www.gstatic.com"><meta name="referrer" content="origin"><meta name="viewport" content="initial-scale=1, width=device-width"><meta name="track-metadata-page_hosting_platform" content="blog_boq"><meta name="mobile-web-app-capable" content="yes"><meta name="apple-mobile-web-app-capable" content="yes"><meta name="application-name" content="Google Cloud Blog"><meta name="apple-mobile-web-app-title" content="Google Cloud Blog"><meta name="apple-mobile-web-app-status-bar-style" content="black"><meta name="msapplication-tap-highlight" content="no"><link rel="preconnect" href="//fonts.googleapis.com"><link rel="preconnect" href="//fonts.gstatic.com"><link rel="preconnect" href="//www.gstatic.com"><link rel="preconnect" href="//storage.googleapis.com"><link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Google+Sans+Text_old:400,500,700,400i,500i,700i"><link rel="manifest" crossorigin="use-credentials" href="_/TransformBlogUi/manifest.json"><link rel="home" href="/?lfhs=2"><link rel="msapplication-starturl" href="/?lfhs=2"><link rel="icon" href="//www.gstatic.com/cloud/images/icons/favicon.ico" sizes="32x32"><link rel="apple-touch-icon-precomposed" href="//www.gstatic.com/cloud/images/icons/favicon.ico" sizes="32x32"><link rel="msapplication-square32x32logo" href="//www.gstatic.com/cloud/images/icons/favicon.ico" sizes="32x32"><script data-id="_gd" nonce="pPuvw5Srdj0z5N266Gn3nw">window.WIZ_global_data = {"Bwo7Jf":"%.@.\"SG\",1]","CGQM5":"%.@.[[1]]]","DpimGf":false,"EP1ykd":["/_/*","/accounts/*","/transform","/transform/*"],"FdrFJe":"7435586028887741990","Im6cmf":"/blog/_/TransformBlogUi","JvMKJd":"%.@.\"GTM-5CVQBG\",[[\"en\",\"\\u202aEnglish\\u202c\",true,\"en\"],[\"de\",\"\\u202aDeutsch\\u202c\",true,\"de\"],[\"es\",\"\\u202aEspañol\\u202c\",true,\"es\"],[\"es-419\",\"\\u202aEspañol 
(Latinoamérica)\\u202c\",true,\"es-419\"],[\"fr\",\"\\u202aFrançais\\u202c\",true,\"fr\"],[\"id\",\"\\u202aIndonesia\\u202c\",true,\"id\"],[\"it\",\"\\u202aItaliano\\u202c\",true,\"it\"],[\"pt-BR\",\"\\u202aPortuguês (Brasil)\\u202c\",true,\"pt-BR\"],[\"zh-CN\",\"\\u202a简体中文\\u202c\",true,\"zh-Hans\"],[\"zh-TW\",\"\\u202a繁體中文\\u202c\",true,\"zh-Hant\"],[\"ja\",\"\\u202a日本語\\u202c\",true,\"ja\"],[\"ko\",\"\\u202a한국어\\u202c\",true,\"ko\"]],[\"83405\",\"AIzaSyD3LJeW4Q6gtdgJlyeFZUp-GhpIoc6EUeg\"],\"en\",null,null,[],[[\"https://cloud.google.com/innovators\",\"https://cloud.google.com/innovators/plus/activate\",\"https://cloud.google.com/innovators/innovatorsplus\"],[\"https://workspace.google.com/pricing\",\"https://www.x.com/googleworkspace\",\"https://www.facebook.com/googleworkspace\",\"https://www.youtube.com/channel/UCBmwzQnSoj9b6HzNmFrg_yw\",\"https://www.instagram.com/googleworkspace\",\"https://www.linkedin.com/showcase/googleworkspace\",\"https://about.google/?utm_source\\u003dworkspace.google.com\\u0026utm_medium\\u003dreferral\\u0026utm_campaign\\u003dgsuite-footer-en\",\"https://about.google/products/?tip\\u003dexplore\",\"https://workspace.google.com\",\"https://workspace.google.com/contact/?source\\u003dgafb-form-globalnav-en\",\"https://workspace.google.com/business/signup/welcome?hl\\u003den\\u0026source\\u003dgafb-form-globalnav-en\",\"https://workspace.google.com/blog\"],[\"https://www.cloudskillsboost.google\",\"https://www.cloudskillsboost.google?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreen\",\"https://www.cloudskillsboost.google/subscriptions?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreenlaunchpromo\",\"https://www.cloudskillsboost.google/subscriptions?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreen\",\"https://www.cloudskillsboost.google/catalog?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergree
n\",\"https://www.cloudskillsboost.google/paths?utm_source\\u003dcgc\\u0026utm_medium\\u003dwebsite\\u0026utm_campaign\\u003devergreen\"],[\"https://mapsplatform.google.com\"],[\"https://cloud.google.com/developers\",\"https://cloud.google.com/developers/settings?utm_source\\u003dinnovators\"],[\"https://console.cloud.google.com/freetrial\",\"https://console.cloud.google.com/\",\"https://console.cloud.google.com/freetrial?redirectPath\\u003dhttps://cloud.google.com/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections/\"],[\"https://aitestkitchen.withgoogle.com/signup\",\"https://blog.google/technology/ai/join-us-in-the-ai-test-kitchen/\",\"https://cloud.google.com/ai\"],[\"https://googlecloudplatform.blogspot.com/\",\"https://github.com/GoogleCloudPlatform\",\"https://www.linkedin.com/company/google-cloud\",\"https://twitter.com/GoogleCloud_sg\",\"https://www.facebook.com/googlecloud\",\"https://www.youtube.com/GoogleCloudAPAC\"]],[2025,2,22],[[\"en\",\"x-default\"],\"x-default\"],[null,true],null,\"/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections/?hl\\u003den\",[\"6LcsrxUqAAAAAFhpR1lXsPN2j2nsTwy6JTbRKzJr\"]]","LVIXXb":1,"LoQv7e":false,"M55kSc":"%.@.]","MT7f9b":[],"MUE6Ne":"TransformBlogUi","PylxI":"%.@.\"cloudblog\",\"topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections\",[\"en\",\"de\",\"fr\",\"ko\",\"ja\"],\"en\",null,\"https://cloud.google.com/blog\",\"blog_article\",\"cloud.google.com\",[\"https://console.cloud.google.com/freetrial/\",\"https://cloud.google.com/contact/\",\"https://cloud.google.com/\",\"https://cloud.google.com/blog\",\"https://cloud.google.com/\",\"https://www.google.com/\",\"https://cloud.google.com/products/\",\"https://about.google.com/products/\",\"https://about.google/intl/en/\",\"https://support.google.com\"],[\"googlecloud\",\"googlecloud\",\"showcase/google-cloud\",\"googlecloud/\",\"googlecloud/\"],true]","QrtxK":"","S06Grb":"","S6
lZl":105833389,"TSDtV":"%.@.[[null,[[45680097,null,false,null,null,null,\"PvHIUc\"],[45532645,null,true,null,null,null,\"wFnpse\"],[45449433,null,true,null,null,null,\"BotAtd\"],[45662378,null,true,null,null,null,\"DG71uf\"],[45449449,null,true,null,null,null,\"b5B1L\"],[45671693,null,false,null,null,null,\"U3qtXc\"],[45646404,null,false,null,null,null,\"tfPPe\"],[45651445,null,true,null,null,null,\"XzXOC\"],[45631885,null,false,null,null,null,\"kG32O\"],[45449445,null,true,null,null,null,\"C4H3Td\"],[45649370,null,true,null,null,null,\"LibkZ\"],[45657332,null,true,null,null,null,\"oBUucf\"],[45449438,null,false,null,null,null,\"m0uJSe\"],[45675648,null,true,null,null,null,\"QQ53xf\"],[45678264,null,false,null,null,null,\"ELAPBf\"],[45449467,null,null,null,\"variant2\",null,\"qL2Vf\"],[45672660,null,false,null,null,null,\"yquuPe\"],[45449469,null,null,null,\"default\",null,\"mBNY1\"],[45449434,null,true,null,null,null,\"PvZHQ\"],[45664077,null,false,null,null,null,\"w1axY\"],[45449423,null,null,null,\"default\",null,\"FIJFKf\"],[45449435,null,false,null,null,null,\"s7Z7Ld\"],[45659313,null,true,null,null,null,\"i2rGv\"],[45532646,null,true,null,null,null,\"RIvlU\"],[45449439,null,true,null,null,null,\"lsuui\"],[45650156,null,true,null,null,null,\"Pr5Lcf\"],[45651724,null,true,null,null,null,\"xYDLRc\"],[45672575,null,true,null,null,null,\"XvhzSc\"],[45449444,null,true,null,null,null,\"HGJqie\"],[45663526,null,false,null,null,null,\"kG33G\"],[45449436,null,false,null,null,null,\"NCoWOd\"],[45667527,null,true,null,null,null,\"Qzt9sd\"],[45449424,null,null,null,\"default\",null,\"PB4oCc\"],[45674523,null,false,null,null,null,\"EB3TEf\"],[45449442,null,true,null,null,null,\"dsKk4d\"],[45672570,null,true,null,null,null,\"N2GVqc\"],[45663339,null,true,null,null,null,\"OEmSkb\"],[45664956,null,true,null,null,null,\"aeNUHe\"],[45459555,null,false,null,null,null,\"Imeoqb\"],[45449440,null,false,null,null,null,\"j9nUqf\"],[45449471,null,null,null,\"default\",null,\"Ammqqf\"],
[45612748,null,false,null,null,null,\"fdXYmb\"],[45671281,null,false,null,null,null,\"TQUxrf\"],[45449443,null,false,null,null,null,\"wvKxS\"],[45616194,null,false,null,null,null,\"y3jdm\"],[45449428,null,null,null,\"default\",null,\"cbPi4d\"],[45449450,null,false,null,null,null,\"PTNaKe\"],[45449446,null,true,null,null,null,\"ktxJzc\"],[45449468,null,null,null,\"variant3\",null,\"BUEcUe\"],[45672461,null,false,null,null,null,\"Nf7gI\"],[45449422,null,null,null,\"default\",null,\"epsxQe\"],[45628378,null,true,null,null,null,\"hRRuzd\"],[45662552,null,true,null,null,null,\"epuB3d\"],[45655733,null,true,null,null,null,\"xPTOyb\"]],\"CAMSLB0t5c2IEKX+BOjvF/2KA82ttBKe7AQIy47YBgjExxL8aN809sQCBd9Av/gG\"]]]","UUFaWc":"%.@.null,1000,2]","Vvafkd":false,"Yllh3e":"%.@.1740275724230888,88849730,1950060419]","aAofAd":"%.@.[[[\"Solutions \\u0026 technology\",null,[[[\"AI \\u0026 Machine Learning\",\"/blog/products/ai-machine-learning\"],[\"API Management\",\"/blog/products/api-management\"],[\"Application Development\",\"/blog/products/application-development\"],[\"Application Modernization\",\"/blog/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/products/chrome-enterprise\"],[\"Compute\",\"/blog/products/compute\"],[\"Containers \\u0026 Kubernetes\",\"/blog/products/containers-kubernetes\"],[\"Data Analytics\",\"/blog/products/data-analytics\"],[\"Databases\",\"/blog/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/topics/maps-geospatial\"],[\"Security\",null,[[[\"Security \\u0026 Identity\",\"/blog/products/identity-security\"],[\"Threat Intelligence\",\"/blog/topics/threat-intelligence\"]]]],[\"Infrastructure\",\"/blog/products/infrastructure\"],[\"Infrastructure Modernization\",\"/blog/products/infrastructure-modernization\"],[\"Networking\",\"/blog/products/networking\"],[\"Productivity \\u0026 Collaboration\",\"/blog/products/productivity-collaboration\"],[\"SAP on Google 
Cloud\",\"/blog/products/sap-google-cloud\"],[\"Storage \\u0026 Data Transfer\",\"/blog/products/storage-data-transfer\"],[\"Sustainability\",\"/blog/topics/sustainability\"]]]],[\"Ecosystem\",null,[[[\"IT Leaders\",\"/transform\"],[\"Industries\",null,[[[\"Financial Services\",\"/blog/topics/financial-services\"],[\"Healthcare \\u0026 Life Sciences\",\"/blog/topics/healthcare-life-sciences\"],[\"Manufacturing\",\"/blog/topics/manufacturing\"],[\"Media \\u0026 Entertainment\",\"/blog/products/media-entertainment\"],[\"Public Sector\",\"/blog/topics/public-sector\"],[\"Retail\",\"/blog/topics/retail\"],[\"Supply Chain\",\"/blog/topics/supply-chain-logistics\"],[\"Telecommunications\",\"/blog/topics/telecommunications\"]]]],[\"Partners\",\"/blog/topics/partners\"],[\"Startups \\u0026 SMB\",\"/blog/topics/startups\"],[\"Training \\u0026 Certifications\",\"/blog/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/topics/inside-google-cloud\"],[\"Google Cloud Next \\u0026 Events\",\"/blog/topics/google-cloud-next\"],[\"Google Cloud Consulting\",\"/blog/topics/consulting\"],[\"Google Maps Platform\",\"https://mapsplatform.google.com/resources/blog/\"],[\"Google Workspace\",\"https://workspace.google.com/blog\"]]]],[\"Developers \\u0026 Practitioners\",\"/blog/topics/developers-practitioners\"],[\"Transform with Google Cloud\",\"/transform\"]]],[[\"de\",[[[\"Neuigkeiten\",\"/blog/de/topics/whats-new/aktuelles-auf-dem-google-cloud-blog\"],[\"Lösungen \\u0026 Technologien\",null,[[[\"Anwendungsentwicklung\",\"/blog/de/products/application-development\"],[\"Anwendungsmodernisierung\",\"/blog/de/products/anwendungsmodernisierung\"],[\"API-Verwaltung\",\"/blog/de/products/api-management\"],[\"Chrome Enterprise\",\"/blog/de/products/chrome-enterprise\"],[\"Computing\",\"/blog/de/products/compute\"],[\"Containers \\u0026 
Kubernetes\",\"/blog/de/products/containers-kubernetes\"],[\"Datenanalysen\",\"/blog/de/products/data-analytics\"],[\"Datenbanken\",\"/blog/de/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/de/products/devops-sre\"],[\"Infrastruktur\",\"/blog/de/products/infrastructure\"],[\"KI \\u0026 Machine Learning\",\"/blog/de/products/ai-machine-learning\"],[\"Maps \\u0026 Geospatial\",\"/blog/de/topics/maps-geospatial\"],[\"Modernisierung der Infrastruktur\",\"/blog/de/products/modernisierung-der-infrastruktur\"],[\"Nachhaltigkeit\",\"/blog/de/topics/nachhaltigkeit\"],[\"Netzwerk\",\"/blog/de/products/networking\"],[\"Produktivität und Zusammenarbeit\",\"/blog/de/products/produktivitaet-und-kollaboration\"],[\"SAP in Google Cloud\",\"/blog/de/products/sap-google-cloud\"],[\"Sicherheit \\u0026 Identität\",\"/blog/de/products/identity-security\"],[\"Speicher und Datentransfer\",\"/blog/de/products/storage-data-transfer\"]]]],[\"Ökosystem\",null,[[[\"IT Leader\",\"/transform/de\"],[\"Industrien\",null,[[[\"Behörden und öffentlicher Sektor\",\"/blog/de/topics/public-sector\"],[\"Einzelhandel\",\"/blog/de/topics/retail\"],[\"Fertigung\",\"/blog/de/topics/fertigung\"],[\"Finanzdienstleistungen\",\"/blog/de/topics/financial-services\"],[\"Gesundheitswesen und Biowissenschaften\",\"/blog/de/topics/healthcare-life-sciences\"],[\"Lieferkette und Logistik\",\"/blog/de/topics/lieferkette-und-logistik\"],[\"Medien und Unterhaltung\",\"/blog/de/products/media-entertainment\"],[\"Telekommunikation\",\"/blog/de/topics/telecommunications\"]]]],[\"Entwickler*innen \\u0026 Fachkräfte\",\"/blog/de/topics/developers-practitioners\"],[\"Google Cloud Next \\u0026 Events\",\"/blog/de/topics/events\"],[\"Google Maps Platform\",\"/blog/de/products/maps-platform\"],[\"Google Workspace\",\"https://workspace.google.com/blog/de\"],[\"Inside Google Cloud\",\"/blog/de/topics/inside-google-cloud\"],[\"Kunden\",\"/blog/de/topics/kunden\"],[\"Partner\",\"/blog/de/topics/partners\"],[\"Start-ups und 
KMU\",\"/blog/de/topics/startups\"],[\"Training und Zertifizierung\",\"/blog/de/topics/training-certifications\"]]]],[\"Transformation mit Google Cloud\",\"/transform/de\"]]]],[\"en\",[[[\"Solutions \\u0026 technology\",null,[[[\"AI \\u0026 Machine Learning\",\"/blog/products/ai-machine-learning\"],[\"API Management\",\"/blog/products/api-management\"],[\"Application Development\",\"/blog/products/application-development\"],[\"Application Modernization\",\"/blog/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/products/chrome-enterprise\"],[\"Compute\",\"/blog/products/compute\"],[\"Containers \\u0026 Kubernetes\",\"/blog/products/containers-kubernetes\"],[\"Data Analytics\",\"/blog/products/data-analytics\"],[\"Databases\",\"/blog/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/topics/maps-geospatial\"],[\"Security\",null,[[[\"Security \\u0026 Identity\",\"/blog/products/identity-security\"],[\"Threat Intelligence\",\"/blog/topics/threat-intelligence\"]]]],[\"Infrastructure\",\"/blog/products/infrastructure\"],[\"Infrastructure Modernization\",\"/blog/products/infrastructure-modernization\"],[\"Networking\",\"/blog/products/networking\"],[\"Productivity \\u0026 Collaboration\",\"/blog/products/productivity-collaboration\"],[\"SAP on Google Cloud\",\"/blog/products/sap-google-cloud\"],[\"Storage \\u0026 Data Transfer\",\"/blog/products/storage-data-transfer\"],[\"Sustainability\",\"/blog/topics/sustainability\"]]]],[\"Ecosystem\",null,[[[\"IT Leaders\",\"/transform\"],[\"Industries\",null,[[[\"Financial Services\",\"/blog/topics/financial-services\"],[\"Healthcare \\u0026 Life Sciences\",\"/blog/topics/healthcare-life-sciences\"],[\"Manufacturing\",\"/blog/topics/manufacturing\"],[\"Media \\u0026 Entertainment\",\"/blog/products/media-entertainment\"],[\"Public Sector\",\"/blog/topics/public-sector\"],[\"Retail\",\"/blog/topics/retail\"],[\"Supply 
Chain\",\"/blog/topics/supply-chain-logistics\"],[\"Telecommunications\",\"/blog/topics/telecommunications\"]]]],[\"Partners\",\"/blog/topics/partners\"],[\"Startups \\u0026 SMB\",\"/blog/topics/startups\"],[\"Training \\u0026 Certifications\",\"/blog/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/topics/inside-google-cloud\"],[\"Google Cloud Next \\u0026 Events\",\"/blog/topics/google-cloud-next\"],[\"Google Cloud Consulting\",\"/blog/topics/consulting\"],[\"Google Maps Platform\",\"https://mapsplatform.google.com/resources/blog/\"],[\"Google Workspace\",\"https://workspace.google.com/blog\"]]]],[\"Developers \\u0026 Practitioners\",\"/blog/topics/developers-practitioners\"],[\"Transform with Google Cloud\",\"/transform\"]]]],[\"fr\",[[[\"Les tendances\",\"/blog/fr/topics/les-tendances/quelles-sont-les-nouveautes-de-google-cloud\"],[\"Solutions et Technologie\",null,[[[\"Analyse de données\",\"/blog/fr/products/analyse-de-donnees/\"],[\"Bases de données\",\"/blog/fr/products/databases\"],[\"Calcul\",\"/blog/fr/products/calcul/\"],[\"Chrome Entreprise\",\"/blog/fr/products/chrome-enterprise/\"],[\"Conteneurs et Kubernetes\",\"/blog/fr/products/conteneurs-et-kubernetes/\"],[\"Développement d\u0027Applications\",\"/blog/fr/products/application-development\"],[\"Développement durable\",\"/blog/fr/topics/developpement-durable\"],[\"DevOps et ingénierie SRE\",\"/blog/fr/products/devops-sre\"],[\"Gestion des API\",\"/blog/fr/products/api-management\"],[\"IA et Machine Learning\",\"/blog/fr/products/ai-machine-learning\"],[\"Infrastructure\",\"/blog/fr/products/infrastructure\"],[\"Maps et Géospatial\",\"/blog/fr/topics/maps-geospatial\"],[\"Modernisation d\u0027Applications\",\"/blog/fr/products/modernisation-dapplications/\"],[\"Modernisation d\u0027Infrastructure\",\"/blog/fr/products/modernisation-dinfrastructure/\"],[\"Networking\",\"/blog/fr/products/networking\"],[\"Productivité et 
Collaboration\",\"/blog/fr/products/productivite-et-collaboration\"],[\"SAP sur Google Cloud\",\"/blog/fr/products/sap-google-cloud\"],[\"Sécurité et Identité\",\"/blog/fr/products/identity-security\"],[\"Stockage et transfert de données\",\"/blog/fr/products/storage-data-transfer\"]]]],[\"Écosystème\",null,[[[\"Responsables IT\",\"/transform/fr\"],[\"Industries\",null,[[[\"Commerce\",\"/blog/fr/topics/retail\"],[\"Manufacturing\",\"/blog/fr/topics/manufacturing\"],[\"Médias et Divertissement\",\"/blog/fr/products/media-entertainment\"],[\"Santé\",\"/blog/fr/topics/healthcare-life-sciences\"],[\"Secteur Public\",\"/blog/fr/topics/public-sector\"],[\"Services Financiers\",\"/blog/fr/topics/financial-services\"],[\"Supply Chain\",\"/blog/fr/topics/supply-chain/\"],[\"Telecommunications\",\"/blog/fr/topics/telecommunications\"]]]],[\"Clients\",\"/blog/fr/topics/clients/\"],[\"Développeurs et professionnels\",\"/blog/fr/topics/developers-practitioners\"],[\"Formations et certifications\",\"/blog/fr/topics/training-certifications\"],[\"Google Cloud Next et Événements\",\"/blog/fr/topics/evenements\"],[\"Google Maps Platform\",\"/blog/fr/products/maps-platform\"],[\"Google Workspace\",\"https://workspace.google.com/blog/fr\"],[\"Inside Google Cloud\",\"/blog/fr/topics/inside-google-cloud\"],[\"Partenaires\",\"/blog/fr/topics/partners\"],[\"Start-ups et PME\",\"/blog/fr/topics/startups\"]]]],[\"Transformer avec Google Cloud\",\"/transform/fr\"]]]],[\"ja\",[[[\"ソリューションとテクノロジー\",null,[[[\"AI \\u0026 機械学習\",\"/blog/ja/products/ai-machine-learning\"],[\"API 管理\",\"/blog/ja/products/api-management\"],[\"アプリケーション開発\",\"/blog/ja/products/application-development\"],[\"アプリケーション モダナイゼーション\",\"/blog/ja/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/ja/products/chrome-enterprise\"],[\"コンピューティング\",\"/blog/ja/products/compute\"],[\"Containers \\u0026 
Kubernetes\",\"/blog/ja/products/containers-kubernetes\"],[\"データ分析\",\"/blog/ja/products/data-analytics\"],[\"データベース\",\"/blog/ja/products/databases\"],[\"DevOps \\u0026 SRE\",\"/blog/ja/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/ja/products/maps-platform\"],[\"セキュリティ\",null,[[[\"セキュリティ \\u0026 アイデンティティ\",\"/blog/ja/products/identity-security\"],[\"脅威インテリジェンス\",\"/blog/ja/topics/threat-intelligence\"]]]],[\"インフラストラクチャ\",\"/blog/ja/products/infrastructure\"],[\"インフラ モダナイゼーション\",\"/blog/ja/products/infrastructure-modernization\"],[\"ネットワーキング\",\"/blog/ja/products/networking\"],[\"生産性とコラボレーション\",\"/blog/ja/products/productivity-collaboration\"],[\"Google Cloud での SAP\",\"/blog/ja/products/sap-google-cloud\"],[\"ストレージとデータ転送\",\"/blog/ja/products/storage-data-transfer\"],[\"サステナビリティ\",\"/blog/ja/topics/sustainability\"]]]],[\"エコシステム\",null,[[[\"ITリーダー\",\"/transform/ja\"],[\"業種\",null,[[[\"金融サービス\",\"/blog/ja/topics/financial-services\"],[\"ヘルスケア、ライフ サイエンス\",\"/blog/ja/topics/healthcare-life-sciences\"],[\"製造\",\"/blog/ja/topics/manufacturing\"],[\"メディア、エンターテイメント\",\"/blog/ja/products/media-entertainment\"],[\"公共部門\",\"/blog/ja/topics/public-sector\"],[\"小売業\",\"/blog/ja/topics/retail\"],[\"サプライ チェーン\",\"/blog/ja/topics/supply-chain-logistics\"],[\"通信\",\"/blog/ja/topics/telecommunications\"]]]],[\"顧客事例\",\"/blog/ja/topics/customers\"],[\"パートナー\",\"/blog/ja/topics/partners\"],[\"スタートアップ \\u0026 SMB\",\"/blog/ja/topics/startups\"],[\"トレーニングと認定\",\"/blog/ja/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/ja/topics/inside-google-cloud\"],[\"Google Cloud Next と イベント\",\"/blog/ja/topics/google-cloud-next\"],[\"Google Maps Platform\",\"/blog/ja/products/maps-platform\"],[\"Google Workspace\",\"https://workspace.google.com/blog/ja\"]]]],[\"デベロッパー\",\"/blog/ja/topics/developers-practitioners\"],[\"Transform with Google Cloud\",\"/transform/ja\"]]]],[\"ko\",[[[\"솔루션 및 기술\",null,[[[\"AI 및 머신러닝\",\"/blog/ko/products/ai-machine-learning\"],[\"API 
관리\",\"/blog/ko/products/api-management\"],[\"애플리케이션 개발\",\"/blog/ko/products/application-development\"],[\"애플리케이션 현대화\",\"/blog/ko/products/application-modernization\"],[\"Chrome Enterprise\",\"/blog/products/chrome-enterprise\"],[\"컴퓨팅\",\"/blog/ko/products/compute\"],[\"컨테이너 \\u0026 Kubernetes\",\"/blog/ko/products/containers-kubernetes\"],[\"데이터 분석\",\"/blog/ko/products/data-analytics\"],[\"데이터베이스\",\"/blog/ko/products/databases\"],[\"DevOps 및 SRE\",\"/blog/ko/products/devops-sre\"],[\"Maps \\u0026 Geospatial\",\"/blog/ko/products/maps-platform\"],[\"보안\",null,[[[\"보안 \\u0026 아이덴티티\",\"/blog/ko/products/identity-security\"],[\"위협 인텔리전스\",\"/blog/ko/topics/threat-intelligence\"]]]],[\"인프라\",\"/blog/ko/products/infrastructure\"],[\"Infrastructure Modernization\",\"/blog/ko/products/infrastructure-modernization\"],[\"네트워킹\",\"/blog/ko/products/networking\"],[\"생산성 및 공동작업\",\"/blog/ko/products/productivity-collaboration\"],[\"SAP on Google Cloud\",\"/blog/ko/products/sap-google-cloud\"],[\"스토리지 및 데이터 전송\",\"/blog/ko/products/storage-data-transfer\"],[\"지속가능성\",\"/blog/ko/topics/sustainability\"]]]],[\"에코시스템\",null,[[[\"IT Leaders\",\"/transform/ko\"],[\"업종\",null,[[[\"금융 서비스\",\"/blog/ko/topics/financial-services\"],[\"의료 및 생명과학\",\"/blog/ko/topics/healthcare-life-sciences\"],[\"제조업\",\"/blog/ko/topics/manufacturing\"],[\"미디어 및 엔터테인먼트\",\"/blog/ko/products/media-entertainment\"],[\"공공부문\",\"/blog/ko/topics/public-sector\"],[\"소매업\",\"/blog/ko/topics/retail\"],[\"공급망\",\"/blog/topics/supply-chain-logistics\"],[\"통신\",\"/blog/ko/topics/telecommunications\"]]]],[\"고객 사례\",\"/blog/ko/topics/customers\"],[\"파트너\",\"/blog/ko/topics/partners\"],[\"스타트업 \\u0026 SMB\",\"/blog/ko/topics/startups\"],[\"교육 \\u0026 인증\",\"/blog/ko/topics/training-certifications\"],[\"Inside Google Cloud\",\"/blog/ko/topics/inside-google-cloud\"],[\"Google Cloud Next 및 이벤트\",\"/blog/ko/topics/google-cloud-next\"],[\"Google Maps Platform\",\"/blog/ko/products/maps-platform\"],[\"Google 
Workspace\",\"https://workspace.google.com/blog/ko\"]]]],[\"개발 및 IT운영\",\"/blog/ko/topics/developers-practitioners\"],[\"Google Cloud와 함께 하는 디지털 혁신\",\"/transform/ko\"]]]]]]","cfb2h":"boq_cloudx-web-blog-uiserver_20250220.07_p0","eptZe":"/blog/_/TransformBlogUi/","f8POw":"%.@.[97496386,97960269,1714258,1706538,97656897,97848710,97953322,97785986,98002146,48830069,93778619,48897392,97535270,97863042,97969449,97960272,97869659,93841509,97442197,48554501,48489826,97940381,97496370,97656881,97785970,93841493,97442181],null,null,null,null,true]","fPDxwd":[93841509,97496386,97848710,97863042,97869659,97960269],"gGcLoe":false,"iCzhFc":false,"nQyAE":{"b5B1L":"true","PTNaKe":"false","ktxJzc":"true","BUEcUe":"variant3","kG32O":"false","C4H3Td":"true","QQ53xf":"true","Pr5Lcf":"true","kG33G":"false","EB3TEf":"false","aeNUHe":"true","j9nUqf":"false","wvKxS":"false","PvHIUc":"false","wFnpse":"true","U3qtXc":"false","tfPPe":"false","m0uJSe":"false","ELAPBf":"false","yquuPe":"false","PvZHQ":"true","s7Z7Ld":"false","i2rGv":"true","RIvlU":"true","lsuui":"true","XvhzSc":"true","HGJqie":"true","NCoWOd":"false","Qzt9sd":"true","dsKk4d":"true","N2GVqc":"true","fdXYmb":"false","TQUxrf":"false","Nf7gI":"false","epuB3d":"true","BotAtd":"true"},"p9hQne":"https://www.gstatic.com/_/boq-cloudx-web-blog/_/r/","qwAQke":"TransformBlogUi","rtQCxc":-480,"u4g7r":"%.@.null,1,2]","vJ2GOe":"%.@.null,[[\"de\",[[[\"Themen\",null,[[[\"Product Announcements\",\"/blog/de/product-announcements\"],[\"KI \\u0026 Machine Learning\",\"/blog/de/ai-machine-learning\"],[\"Produktivität und Kollaboration\",\"/blog/de/productivity-collaboration\"],[\"Identität und Sicherheit\",\"/blog/de/identity-and-security\"],[\"Future of Work\",\"/blog/de/future-of-work\"],[\"Hybrides Arbeiten\",\"/blog/de/hybrid-work\"],[\"Kundenreferenzen\",\"/blog/de/customer-stories\"],[\"Entwickler*innen und 
Fachkräfte\",\"/blog/de/developers-practitioners\"],[\"Partner\",\"/blog/de/partners\"],[\"Events\",\"/blog/de/events\"],[\"Öffentlicher Sektor\",\"/blog/de/public-sector\"]]]],[\"Produktneuigkeiten\",null,[[[\"Gmail\",\"/blog/de/gmail\"],[\"Meet\",\"/blog/de/meet\"],[\"Chat and Spaces\",\"/blog/de/chat-spaces\"],[\"Drive\",\"/blog/de/drive\"],[\"Docs\",\"/blog/de/docs\"],[\"Sheets\",\"/blog/de/sheets\"]]]]]]],[\"en\",[[[\"Topics\",null,[[[\"Product Announcements\",\"/blog/product-announcements\"],[\"AI and Machine Learning\",\"/blog/ai-machine-learning\"],[\"Productivity and Collaboration\",\"/blog/productivity-collaboration\"],[\"Identity and Security\",\"/blog/identity-and-security\"],[\"Future of Work\",\"/blog/future-of-work\"],[\"Hybrid Work\",\"/blog/hybrid-work\"],[\"Customer Stories\",\"/blog/customer-stories\"],[\"Developers and Practitioners\",\"/blog/developers-practitioners\"],[\"Partners\",\"/blog/partners\"],[\"Events\",\"/blog/events\"],[\"Public Sector\",\"/blog/public-sector\"]]]],[\"Product News\",null,[[[\"Gmail\",\"/blog/gmail\"],[\"Meet\",\"/blog/meet\"],[\"Chat and Spaces\",\"/blog/chat-spaces\"],[\"Drive\",\"/blog/drive\"],[\"Docs\",\"/blog/docs\"],[\"Sheets\",\"/blog/sheets\"]]]]]]],[\"fr\",[[[\"Thèmes\",null,[[[\"Product Announcements\",\"/blog/fr/product-announcements\"],[\"IA et Machine Learning\",\"/blog/fr/ai-machine-learning\"],[\"Productivité et Collaboration\",\"/blog/fr/productivity-collaboration\"],[\"Identité et Sécurité\",\"/blog/fr/identity-and-security\"],[\"L\u0027avenir du travail\",\"/blog/fr/future-of-work\"],[\"Travail hybride\",\"/blog/fr/hybrid-work\"],[\"Témoignages Clients\",\"/blog/fr/customer-stories\"],[\"Développeurs et professionnels\",\"/blog/fr/developers-practitioners\"],[\"Partenaires\",\"/blog/fr/partners\"],[\"Événements\",\"/blog/fr/events\"],[\"Secteur Public\",\"/blog/fr/public-sector\"]]]],[\"Annonces sur les produits\",null,[[[\"Gmail\",\"/blog/fr/gmail\"],[\"Meet\",\"/blog/fr/meet\"],[\"Chat et 
Spaces\",\"/blog/fr/chat-spaces\"],[\"Drive\",\"/blog/fr/drive\"],[\"Docs\",\"/blog/fr/docs\"],[\"Sheets\",\"/blog/fr/sheets\"]]]]]]],[\"ja\",[[[\"トピック\",null,[[[\"プロダクトの発表\",\"/blog/ja/product-announcements\"],[\"AI \\u0026 機械学習\",\"/blog/ja/ai-machine-learning\"],[\"生産性とコラボレーション\",\"/blog/ja/productivity-collaboration\"],[\"アイデンティティとセキュリティ\",\"/blog/ja/identity-and-security\"],[\"未来の働き方\",\"/blog/ja/future-of-work\"],[\"ハイブリッドな働き方\",\"/blog/ja/hybrid-work\"],[\"顧客事例\",\"/blog/ja/customer-stories\"],[\"デベロッパー\",\"/blog/ja/developers-practitioners\"],[\"パートナー\",\"/blog/ja/partners\"],[\"イベント\",\"/blog/ja/events\"],[\"公共部門\",\"/blog/ja/public-sector\"]]]],[\"製品ニュース\",null,[[[\"Gmail\",\"/blog/ja/gmail\"],[\"Meet\",\"/blog/ja/meet\"],[\"Chat and Spaces\",\"/blog/ja/chat-spaces\"],[\"ドライブ\",\"/blog/ja/drive\"],[\"ドキュメント\",\"/blog/ja/docs\"],[\"スプレッドシート\",\"/blog/ja/sheets\"]]]]]]],[\"ko\",[[[\"주제\",null,[[[\"제품 업데이트\",\"/blog/ko/product-announcements\"],[\"AI 및 머신러닝\",\"/blog/ko/ai-machine-learning\"],[\"생산성 및 공동작업\",\"/blog/ko/productivity-collaboration\"],[\"인증 및 보안 \",\"/blog/ko/identity-and-security\"],[\"Future of Work\",\"/blog/ko/future-of-work\"],[\"하이브리드 업무\",\"/blog/ko/hybrid-work\"],[\"고객 사례\",\"/blog/ko/customer-stories\"],[\"개발자\",\"/blog/ko/developers-practitioners\"],[\"파트너\",\"/blog/ko/partners\"],[\"이벤트\",\"/blog/ko/events\"],[\"공공부문\",\"/blog/ko/public-sector\"]]]],[\"제품 소식\",null,[[[\"Gmail\",\"/blog/ko/gmail\"],[\"Meet\",\"/blog/ko/meet\"],[\"Chat 및 Spaces\",\"/blog/ko/chat-spaces\"],[\"Drive\",\"/blog/ko/drive\"],[\"Docs\",\"/blog/ko/docs\"],[\"Sheets\",\"/blog/ko/sheets\"]]]]]]]],null,[[\"de\",[[[[[\"Enthaltene 
Anwendungen\",\"https://workspace.google.com/intl/de/features/\",[[[\"Gmail\",\"https://workspace.google.com/intl/de/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/intl/de/products/meet/\"],[\"Chat\",\"https://workspace.google.com/intl/de/products/chat/\"],[\"Kalender\",\"https://workspace.google.com/intl/de/products/calendar/\"],[\"Drive\",\"https://workspace.google.com/intl/de/products/drive/\"],[\"Docs\",\"https://workspace.google.com/intl/de/products/docs/\"],[\"Tabellen\",\"https://workspace.google.com/intl/de/products/sheets/\"],[\"Präsentationen\",\"https://workspace.google.com/intl/de/products/slides/\"],[\"Formulare\",\"https://workspace.google.com/intl/de/products/forms/\"],[\"Sites\",\"https://workspace.google.com/intl/de/products/sites/\"],[\"Notizen\",\"https://workspace.google.com/intl/de/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/intl/de/products/apps-script/\"]]]]]],[[[\"Sicherheit und Verwaltung\",\"https://workspace.google.com/intl/de/security/\",[[[\"Admin\",\"https://workspace.google.com/intl/de/products/admin/\"],[\"Endpunkt\",\"https://workspace.google.com/intl/de/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/intl/de/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/intl/de/products/workinsights/\"]]]],[\"Lösungen\",\"https://workspace.google.com/intl/de/solutions/\",[[[\"Neue Unternehmen\",\"https://workspace.google.com/intl/de/business/new-business/\"],[\"Kleine Unternehmen\",\"https://workspace.google.com/intl/de/business/small-business/\"],[\"Große Unternehmen\",\"https://workspace.google.com/intl/de/enterprise/\"],[\"Education\",\"https://edu.google.com/products/workspace-for-education/education-fundamentals/\"],[\"Nonprofit-Organisationen\",\"https://www.google.com/nonprofits/\"]]]]]],[[[\"Preise\",\"https://workspace.google.com/intl/de/pricing.html\",[[[\"Version 
auswählen\",\"https://workspace.google.com/intl/de/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Gemini für Workspace\",\"https://workspace.google.com/solutions/ai/\"],[\"Google Voice\",\"https://workspace.google.com/intl/de/products/voice/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"Ressourcen\",\"https://workspace.google.com/intl/de/faq/\",[[[\"Telearbeit\",\"https://workspace.google.com/intl/de/resources/working-remotely/\"],[\"Sicherheit\",\"https://workspace.google.com/intl/de/security/\"],[\"FAQ\",\"https://workspace.google.com/intl/de/faq/\"],[\"Partner\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Google Workspace Marketplace\",\"https://workspace.google.com/marketplace/?hl\\u003dde\"],[\"Integrationen\",\"https://workspace.google.com/intl/de/integrations/\"],[\"Schulung \\u0026 Zertifizierung\",\"https://workspace.google.com/intl/de/training/\"]]]]]],[[[\"Schulung und Support\",\"https://workspace.google.com/intl/de/support/\",[[[\"Admin-Hilfe\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"Einrichtungs- und Bereitstellungscenter\",\"https://support.google.com/a/answer/6365252?hl\\u003dde\"],[\"Schulungscenter für Nutzer\",\"https://support.google.com/a/users?hl\\u003dde#topic\\u003d11499463\"],[\"Foren für Administratoren\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Google Workspace-Dashboard\",\"https://www.google.com/appsstatus\"],[\"Presse\",\"https://cloud.google.com/press/\"]]]],[\"Mehr von Google\",null,[[[\"Google Cloud\",\"https://cloud.google.com/?hl\\u003dde\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Google Lösungen für Unternehmen\",\"https://www.google.com/intl/de/services/\"],[\"Google Ads\",\"https://ads.google.com/home/?subid\\u003dde-de-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"An Nutzerstudien 
teilnehmen\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]],[\"en\",[[[[[\"Included applications\",\"https://workspace.google.com/features/\",[[[\"Gmail\",\"https://workspace.google.com/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/products/meet/\"],[\"Chat\",\"https://workspace.google.com/products/chat/\"],[\"Calendar\",\"https://workspace.google.com/products/calendar/\"],[\"Drive\",\"https://workspace.google.com/products/drive/\"],[\"Docs\",\"https://workspace.google.com/products/docs/\"],[\"Sheets\",\"https://workspace.google.com/products/sheets/\"],[\"Slides\",\"https://workspace.google.com/products/slides/\"],[\"Forms\",\"https://workspace.google.com/products/forms/\"],[\"Sites\",\"https://workspace.google.com/products/sites/\"],[\"Keep\",\"https://workspace.google.com/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/products/apps-script/\"]]]]]],[[[\"Security and management\",\"https://workspace.google.com/security/\",[[[\"Admin\",\"https://workspace.google.com/products/admin/\"],[\"Endpoint\",\"https://workspace.google.com/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/products/workinsights/\"]]]],[\"Solutions\",\"https://workspace.google.com/solutions/\",[[[\"New Business\",\"https://workspace.google.com/business/new-business/\"],[\"Small 
Business\",\"https://workspace.google.com/business/small-business/\"],[\"Enterprise\",\"https://workspace.google.com/enterprise/\"],[\"Retail\",\"https://workspace.google.com/industries/retail/\"],[\"Manufacturing\",\"https://workspace.google.com/industries/manufacturing/\"],[\"Professional Services\",\"https://workspace.google.com/industries/professional-services/\"],[\"Technology\",\"https://workspace.google.com/industries/technology/\"],[\"Healthcare\",\"https://workspace.google.com/industries/healthcare/\"],[\"Government\",\"https://workspace.google.com/industries/government/\"],[\"Education\",\"https://edu.google.com/products/workspace-for-education/education-fundamentals/\"],[\"Nonprofits\",\"https://www.google.com/nonprofits/\"],[\"Artificial Intelligence\",\"https://workspace.google.com/solutions/ai/\"]]]]]],[[[\"Pricing\",\"https://workspace.google.com/pricing.html\",[[[\"Compare pricing plans\",\"https://workspace.google.com/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Gemini for Workspace\",\"https://workspace.google.com/solutions/ai/\"],[\"Meet hardware\",\"https://workspace.google.com/products/meet-hardware/\"],[\"Google Voice\",\"https://workspace.google.com/products/voice/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"Resources\",\"https://workspace.google.com/faq/\",[[[\"Working remotely\",\"https://workspace.google.com/resources/working-remotely/\"],[\"Security\",\"https://workspace.google.com/security/\"],[\"Customer Stories\",\"https://workspace.google.com/customers/\"],[\"FAQs\",\"https://workspace.google.com/faq/\"],[\"Partners\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Marketplace\",\"https://workspace.google.com/marketplace/\"],[\"Integrations\",\"https://workspace.google.com/integrations/\"],[\"Training \\u0026 Certification\",\"https://workspace.google.com/training/\"],[\"Refer Google Workspace\",\"https://workspace.google.com/landing/partners/referral/\"]]]]]],[[[\"Learning and 
support\",\"https://workspace.google.com/support/\",[[[\"Admin Help\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"Setup and Deployment Center\",\"https://support.google.com/a/answer/6365252\"],[\"Learning Center for Users\",\"https://support.google.com/a/users#topic\\u003d11499463\"],[\"Forums for Admins\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Google Workspace Dashboard\",\"https://www.google.com/appsstatus\"],[\"What\u0027s New in Google Workspace\",\"https://workspace.google.com/whatsnew/\"],[\"Find a Google Workspace Partner\",\"https://www.google.com/a/partnersearch/\"],[\"Join the community of IT Admins\",\"https://www.googlecloudcommunity.com/gc/Google-Workspace/ct-p/google-workspace\"],[\"Press\",\"https://cloud.google.com/press/\"]]]],[\"More from Google\",null,[[[\"Google Cloud\",\"https://cloud.google.com/\"],[\"Google Domains\",\"https://domains.google.com/about/?utm_source\\u003dgoogleappsforwork\\u0026utm_medium\\u003dreferral\\u0026utm_campaign\\u003dgooglepromos\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Google Business Solutions\",\"https://www.google.com/services/\"],[\"Google Ads\",\"https://ads.google.com/home/?subid\\u003dus-en-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"Join User Studies\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]],[\"fr\",[[[[[\"Enthaltene 
Anwendungen\",\"https://workspace.google.com/intl/fr/features/\",[[[\"Gmail\",\"https://workspace.google.com/intl/fr/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/intl/fr/products/meet/\"],[\"Chat\",\"https://workspace.google.com/intl/fr/products/chat/\"],[\"Google Agenda\",\"https://workspace.google.com/intl/fr/products/calendar/\"],[\"Drive\",\"https://workspace.google.com/intl/fr/products/drive/\"],[\"Docs\",\"https://workspace.google.com/intl/fr/products/docs/\"],[\"Sheets\",\"https://workspace.google.com/intl/fr/products/sheets/\"],[\"Slides\",\"https://workspace.google.com/intl/fr/products/slides/\"],[\"Forms\",\"https://workspace.google.com/intl/fr/products/forms/\"],[\"Google Sites\",\"https://workspace.google.com/intl/fr/products/sites/\"],[\"Keep\",\"https://workspace.google.com/intl/fr/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/intl/fr/products/apps-script/\"]]]]]],[[[\"Sécurité et gestion\",\"https://workspace.google.com/intl/fr/security/\",[[[\"Console d\u0027administration\",\"https://workspace.google.com/intl/fr/products/admin/\"],[\"Point de terminaison\",\"https://workspace.google.com/intl/fr/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/intl/fr/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/intl/fr/products/workinsights/\"]]]],[\"Solutions\",\"https://workspace.google.com/intl/fr/solutions/\",[[[\"Nouvelle entreprise\",\"https://workspace.google.com/intl/fr/business/new-business/\"],[\"PME\",\"https://workspace.google.com/intl/fr/business/small-business/\"],[\"Grande entreprise\",\"https://workspace.google.com/intl/fr/enterprise/\"],[\"Education\",\"https://edu.google.com/products/workspace-for-education/education-fundamentals/\"],[\"Associations\",\"https://www.google.com/nonprofits/\"]]]]]],[[[\"Tarifs\",\"https://workspace.google.com/intl/fr/pricing.html\",[[[\"Choisissez une 
édition\",\"https://workspace.google.com/intl/fr/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Gemini pour Workspace\",\"https://workspace.google.com/solutions/ai/\"],[\"Matériel Meet\",\"https://workspace.google.com/intl/fr/products/meet-hardware/\"],[\"Google Voice\",\"https://workspace.google.com/intl/fr/products/voice/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"Ressources\",\"https://workspace.google.com/intl/fr/faq/\",[[[\"Travail à distance\",\"https://workspace.google.com/intl/fr/resources/working-remotely/\"],[\"Sécurité\",\"https://workspace.google.com/intl/fr/security/\"],[\"Questions fréquentes\",\"https://workspace.google.com/intl/fr/faq/\"],[\"Partenaires\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Marketplace\",\"https://workspace.google.com/marketplace/?hl\\u003dfr\"],[\"Intégrations\",\"https://workspace.google.com/intl/fr/integrations/\"],[\"Formation et certification\",\"https://workspace.google.com/intl/fr/training/\"]]]]]],[[[\"Formation et assistance\",\"https://workspace.google.com/intl/fr/support/\",[[[\"Aide pour les administrateurs\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"Centre de configuration et de déploiement\",\"https://support.google.com/a/answer/6365252?hl\\u003dfr\"],[\"Centre de formation pour les utilisateurs\",\"https://support.google.com/a/users?hl\\u003dfr#topic\\u003d11499463\"],[\"Forums pour les administrateurs\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Tableau de bord Google Workspace\",\"https://www.google.com/appsstatus#hl\\u003dfr\"],[\"Rechercher un partenaire Google Workspace\",\"https://www.google.com/a/partnersearch/?hl\\u003dfr#home\"],[\"Presse\",\"https://cloud.google.com/press/\"]]]],[\"Autres ressources Google\",null,[[[\"Google Cloud\",\"https://cloud.google.com/?hl\\u003dfr\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Solutions d\u0027entreprise 
Google\",\"https://www.google.com/intl/fr/services/\"],[\"Google pour les Pros\",\"https://pourlespros.withgoogle.com/?utm_source\\u003dEngagement\\u0026utm_medium\\u003dep\\u0026utm_term\\u003dSMB\\u0026utm_content\\u003dFR%20Apps%20for%20work%20footert\\u0026utm_campaign\\u003dQ4_2015%20FR%20Apps%20for%20work%20footer\"],[\"Google Ads\",\"https://ads.google.com/home/?subid\\u003dfr-fr-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"Participer aux études sur l\u0027expérience utilisateur\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]],[\"ja\",[[[[[\"ご利用いただけるアプリケーション\",\"https://workspace.google.com/intl/ja/features/\",[[[\"Gmail\",\"https://workspace.google.com/intl/ja/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/intl/ja/products/meet/\"],[\"Chat\",\"https://workspace.google.com/intl/ja/products/chat/\"],[\"カレンダー\",\"https://workspace.google.com/intl/ja/products/calendar/\"],[\"ドライブ\",\"https://workspace.google.com/intl/ja/products/drive/\"],[\"ドキュメント\",\"https://workspace.google.com/intl/ja/products/docs/\"],[\"スプレッドシート\",\"https://workspace.google.com/intl/ja/products/sheets/\"],[\"スライド\",\"https://workspace.google.com/intl/ja/products/slides/\"],[\"フォーム\",\"https://workspace.google.com/intl/ja/products/forms/\"],[\"サイト\",\"https://workspace.google.com/intl/ja/products/sites/\"],[\"Keep\",\"https://workspace.google.com/intl/ja/products/keep/\"],[\"Apps 
Script\",\"https://workspace.google.com/intl/ja/products/apps-script/\"]]]]]],[[[\"セキュリティと管理\",\"https://workspace.google.com/intl/ja/security/\",[[[\"管理コンソール\",\"https://workspace.google.com/intl/ja/products/admin/\"],[\"エンドポイント\",\"https://workspace.google.com/intl/ja/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/intl/ja/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/intl/ja/products/workinsights/\"]]]],[\"ソリューション\",\"https://workspace.google.com/intl/ja/solutions/\",[[[\"新規ビジネス\",\"https://workspace.google.com/intl/ja/business/new-business/\"],[\"小規模ビジネス\",\"https://workspace.google.com/intl/ja/business/small-business/\"],[\"大規模ビジネス\",\"https://workspace.google.com/intl/ja/enterprise/\"],[\"Education\",\"https://edu.google.com/intl/ja/products/workspace-for-education/education-fundamentals/\"],[\"非営利団体\",\"https://www.google.com/intl/ja/nonprofits/\"]]]]]],[[[\"料金\",\"https://workspace.google.com/intl/ja/pricing.html\",[[[\"エディションを選ぶ\",\"https://workspace.google.com/intl/ja/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Gemini for Workspace\",\"https://workspace.google.com/solutions/ai/\"],[\"Meet 
ハードウェア\",\"https://workspace.google.com/intl/ja/products/meet-hardware/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"関連情報\",\"https://workspace.google.com/intl/ja/faq/\",[[[\"リモートワーク\",\"https://workspace.google.com/intl/ja/resources/working-remotely/\"],[\"セキュリティ\",\"https://workspace.google.com/intl/ja/security/\"],[\"事例紹介\",\"https://workspace.google.com/intl/ja/customers/\"],[\"よくある質問\",\"https://workspace.google.com/intl/ja/faq/\"],[\"パートナー\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Marketplace\",\"https://workspace.google.com/marketplace/?hl\\u003dja\"],[\"統合\",\"https://workspace.google.com/intl/ja/integrations/\"],[\"トレーニングと認定資格\",\"https://workspace.google.com/intl/ja/training/\"]]]]]],[[[\"学習とサポート\",\"https://workspace.google.com/intl/ja/support/\",[[[\"管理者用ヘルプ\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"設定と導入のガイド\",\"https://support.google.com/a/answer/6365252?hl\\u003dja\"],[\"ユーザー向けラーニング センター\",\"https://support.google.com/a/users?hl\\u003dja#topic\\u003d11499463\"],[\"管理者向けフォーラム\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Google Workspace ステータス ダッシュボード\",\"https://www.google.com/appsstatus#hl\\u003dja\"],[\"Google Workspace パートナーを探す\",\"https://www.google.com/a/partnersearch/?hl\\u003dja#home\"],[\"プレスリリース\",\"https://cloud.google.com/press/?hl\\u003dja\"]]]],[\"その他の Google サービス\",null,[[[\"Google Cloud\",\"https://cloud.google.com/?hl\\u003dja\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Google ビジネス ソリューション\",\"https://www.google.com/intl/ja/services/\"],[\"Google 広告\",\"https://ads.google.com/home/?subid\\u003dja-ja-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business 
Messages\",\"https://businessmessages.google/\"],[\"ユーザー調査に参加する\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]],[\"ko\",[[[[[\"포함된 애플리케이션\",\"https://workspace.google.com/intl/ko/features/\",[[[\"Gmail\",\"https://workspace.google.com/intl/ko/products/gmail/\"],[\"Meet\",\"https://workspace.google.com/intl/ko/products/meet/\"],[\"Chat\",\"https://workspace.google.com/intl/ko/products/chat/\"],[\"Calendar\",\"https://workspace.google.com/intl/ko/products/calendar/\"],[\"Drive\",\"https://workspace.google.com/intl/ko/products/drive/\"],[\"Docs\",\"https://workspace.google.com/intl/ko/products/docs/\"],[\"Sheets\",\"https://workspace.google.com/intl/ko/products/sheets/\"],[\"Slides\",\"https://workspace.google.com/intl/ko/products/slides/\"],[\"설문지\",\"https://workspace.google.com/intl/ko/products/forms/\"],[\"사이트 도구\",\"https://workspace.google.com/intl/ko/products/sites/\"],[\"Keep\",\"https://workspace.google.com/intl/ko/products/keep/\"],[\"Apps Script\",\"https://workspace.google.com/intl/ko/products/apps-script/\"]]]]]],[[[\"보안 및 관리\",\"https://workspace.google.com/intl/ko/security/\",[[[\"관리\",\"https://workspace.google.com/intl/ko/products/admin/\"],[\"엔드포인트\",\"https://workspace.google.com/intl/ko/products/admin/endpoint/\"],[\"Vault\",\"https://workspace.google.com/intl/ko/products/vault/\"],[\"Work Insights\",\"https://workspace.google.com/intl/ko/products/workinsights/\"]]]],[\"솔루션\",\"https://workspace.google.com/intl/ko/solutions/\",[[[\"신규 
업체\",\"https://workspace.google.com/intl/ko/business/new-business/\"],[\"중소기업\",\"https://workspace.google.com/intl/ko/business/small-business/\"],[\"엔터프라이즈\",\"https://workspace.google.com/intl/ko/enterprise/\"],[\"Education\",\"https://edu.google.com/products/workspace-for-education/education-fundamentals/\"],[\"비영리단체\",\"https://www.google.com/nonprofits/\"]]]]]],[[[\"가격\",\"https://workspace.google.com/intl/ko/pricing.html\",[[[\"버전 선택\",\"https://workspace.google.com/intl/ko/pricing.html\"]]]],[\"Add-ons\",null,[[[\"Workspace를 위한 Gemini\",\"https://workspace.google.com/solutions/ai/\"],[\"AppSheet\",\"https://about.appsheet.com/home/\"]]]]]],[[[\"리소스\",\"https://workspace.google.com/intl/ko/faq/\",[[[\"원격 근무\",\"https://workspace.google.com/intl/ko/resources/working-remotely/\"],[\"보안\",\"https://workspace.google.com/intl/ko/security/\"],[\"FAQ\",\"https://workspace.google.com/intl/ko/faq/\"],[\"파트너\",\"https://cloud.withgoogle.com/partners/?products\\u003dGOOGLE_WORKSPACE_PRODUCT\"],[\"Marketplace\",\"https://workspace.google.com/marketplace/?hl\\u003dko\"],[\"통합\",\"https://workspace.google.com/intl/ko/integrations/\"],[\"교육 및 인증\",\"https://workspace.google.com/intl/ko/training/\"]]]]]],[[[\"학습 및 지원\",\"https://workspace.google.com/intl/ko/support/\",[[[\"관리자 도움말\",\"https://support.google.com/a/#topic\\u003d29157\"],[\"설치 및 배포 센터\",\"https://support.google.com/a/answer/6365252?hl\\u003dko\"],[\"사용자를 위한 학습 센터\",\"https://support.google.com/a/users?hl\\u003dko#topic\\u003d11499463\"],[\"관리자 포럼\",\"https://productforums.google.com/forum/#!forum/apps\"],[\"Google Workspace 대시보드\",\"https://www.google.com/appsstatus#hl\\u003dko\"],[\"Google Workspace 파트너 찾기\",\"https://www.google.com/a/partnersearch/?hl\\u003dko#home\"],[\"보도자료\",\"https://cloud.google.com/press/\"]]]],[\"Google의 다른 제품\",null,[[[\"Google Cloud\",\"https://cloud.google.com/?hl\\u003dko\"],[\"Chrome Enterprise\",\"https://chromeenterprise.google/\"],[\"Google 비즈니스 
솔루션\",\"https://www.google.com/intl/ko_kr/business/\"],[\"Google Ads\",\"https://ads.google.com/home/?subid\\u003dkr-ko-xs-aw-z-a-dyn-accounts_wsft!o3\"],[\"Business Messages\",\"https://businessmessages.google/\"],[\"사용자 연구 참여\",\"https://userresearch.google.com/?reserved\\u003d0\\u0026utm_source\\u003dgsuite.google.com\\u0026Q_Language\\u003den\\u0026utm_medium\\u003down_srch\\u0026utm_campaign\\u003dGlobal-GSuite\\u0026utm_term\\u003d0\\u0026utm_content\\u003d0\\u0026productTag\\u003dgafw\\u0026campaignDate\\u003dnov18\\u0026pType\\u003dbprof\\u0026referral_code\\u003dug422768\"]]]]]]]]]]]","w2btAe":"%.@.null,null,\"\",false,null,null,true,false]","xn5OId":false,"xnI9P":false,"xwAfE":true,"y2FhP":"prod","yFnxrf":1884,"zChJod":"%.@.]"};</script><script nonce="pPuvw5Srdj0z5N266Gn3nw">(function(){'use strict';var a=window,d=a.performance,l=k();a.cc_latency_start_time=d&&d.now?0:d&&d.timing&&d.timing.navigationStart?d.timing.navigationStart:l;function k(){return d&&d.now?d.now():(new Date).getTime()}function n(e){if(d&&d.now&&d.mark){var g=d.mark(e);if(g)return g.startTime;if(d.getEntriesByName&&(e=d.getEntriesByName(e).pop()))return e.startTime}return k()}a.onaft=function(){n("aft")};a._isLazyImage=function(e){return e.hasAttribute("data-src")||e.hasAttribute("data-ils")||e.getAttribute("loading")==="lazy"}; a.l=function(e){function g(b){var c={};c[b]=k();a.cc_latency.push(c)}function m(b){var c=n("iml");b.setAttribute("data-iml",c);return c}a.cc_aid=e;a.iml_start=a.cc_latency_start_time;a.css_size=0;a.cc_latency=[];a.ccTick=g;a.onJsLoad=function(){g("jsl")};a.onCssLoad=function(){g("cssl")};a._isVisible=function(b,c){if(!c||c.style.display=="none")return!1;var f=b.defaultView;if(f&&f.getComputedStyle&&(f=f.getComputedStyle(c),f.height=="0px"||f.width=="0px"||f.visibility=="hidden"))return!1;if(!c.getBoundingClientRect)return!0; var 
h=c.getBoundingClientRect();c=h.left+a.pageXOffset;f=h.top+a.pageYOffset;if(f+h.height<0||c+h.width<0||h.height<=0||h.width<=0)return!1;b=b.documentElement;return f<=(a.innerHeight||b.clientHeight)&&c<=(a.innerWidth||b.clientWidth)};a._recordImlEl=m;document.documentElement.addEventListener("load",function(b){b=b.target;var c;b.tagName!="IMG"||b.hasAttribute("data-iid")||a._isLazyImage(b)||b.hasAttribute("data-noaft")||(c=m(b));if(a.aft_counter&&(b=a.aft_counter.indexOf(b),b!==-1&&(b=a.aft_counter.splice(b, 1).length===1,a.aft_counter.length===0&&b&&c)))a.onaft(c)},!0);a.prt=-1;a.wiz_tick=function(){var b=n("prt");a.prt=b}};}).call(this); l('DK1zsb')</script><script nonce="pPuvw5Srdj0z5N266Gn3nw">var _F_cssRowKey = 'boq-cloudx-web-blog.TransformBlogUi._rjJeszx9eo.L.X.O';var _F_combinedSignature = 'AHrnUqWA8cP_jilCV7yAayBChVnxd5w68w';function _DumpException(e) {throw e;}</script><link rel="stylesheet" href="https://www.gstatic.com/_/mss/boq-cloudx-web-blog/_/ss/k=boq-cloudx-web-blog.TransformBlogUi._rjJeszx9eo.L.X.O/am=AAbcAg/d=1/ed=1/rs=AHrnUqVRNX4VdnpRO2b_X_3keWCUhfq6nA/m=articleview,_b,_tp" data-id="_cl" nonce="LiYfi195gfJ47_FX0uC9ug"><script nonce="pPuvw5Srdj0z5N266Gn3nw">onCssLoad();</script><style nonce="LiYfi195gfJ47_FX0uC9ug">@font-face{font-family:'Product Sans';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/productsans/v9/pxiDypQkot1TnFhsFMOfGShVF9eK.eot);}@font-face{font-family:'Google Sans';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/googlesans/v58/4Ua_rENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iqcsih3SAyH6cAwhX9RFD48TE63OOYKtrwEIJllpy0.eot);}@font-face{font-family:'Google Sans';font-style:normal;font-weight:500;src:url(https://fonts.gstatic.com/s/googlesans/v58/4Ua_rENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iqcsih3SAyH6cAwhX9RFD48TE63OOYKtrw2IJllpy0.eot);}@font-face{font-family:'Google 
Sans';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/googlesans/v58/4Ua_rENHsxJlGDuGo1OIlJfC6l_24rlCK1Yo_Iqcsih3SAyH6cAwhX9RFD48TE63OOYKtrzjJ5llpy0.eot);}@font-face{font-family:'Google Sans Display';font-style:normal;font-weight:400;src:url(https://fonts.gstatic.com/s/googlesansdisplay/v13/ea8FacM9Wef3EJPWRrHjgE4B6CnlZxHVDv79pQ.eot);}@font-face{font-family:'Google Sans Display';font-style:normal;font-weight:500;src:url(https://fonts.gstatic.com/s/googlesansdisplay/v13/ea8IacM9Wef3EJPWRrHjgE4B6CnlZxHVBg3etBD7SA.eot);}@font-face{font-family:'Google Sans Display';font-style:normal;font-weight:700;src:url(https://fonts.gstatic.com/s/googlesansdisplay/v13/ea8IacM9Wef3EJPWRrHjgE4B6CnlZxHVBkXYtBD7SA.eot);}</style><script nonce="pPuvw5Srdj0z5N266Gn3nw">(function(){'use strict';function f(){var a=k,b=0;return function(){return b<a.length?{done:!1,value:a[b++]}:{done:!0}}};/* Copyright The Closure Library Authors. SPDX-License-Identifier: Apache-2.0 */ var l=this||self;/* Copyright 2024 Google, Inc SPDX-License-Identifier: MIT */ var m=["focus","blur","error","load","toggle"];function n(a){return a==="mouseenter"?"mouseover":a==="mouseleave"?"mouseout":a==="pointerenter"?"pointerover":a==="pointerleave"?"pointerout":a};function p(a){this.l={};this.m={};this.i=null;this.g=[];this.o=a}p.prototype.handleEvent=function(a,b,c){q(this,{eventType:a,event:b,targetElement:b.target,eic:c,timeStamp:Date.now(),eia:void 0,eirp:void 0,eiack:void 0})};function q(a,b){if(a.i)a.i(b);else{b.eirp=!0;var c;(c=a.g)==null||c.push(b)}} function r(a,b,c){if(!(b in a.l)&&a.o){var d=function(g,e,B){a.handleEvent(g,e,B)};a.l[b]=d;c=n(c||b);if(c!==b){var h=a.m[c]||[];h.push(b);a.m[c]=h}a.o.addEventListener(c,function(g){return function(e){d(b,e,g)}},void 0)}}p.prototype.j=function(a){return this.l[a]};p.prototype.ecrd=function(a){this.i=a;var b;if((b=this.g)==null?0:b.length){for(a=0;a<this.g.length;a++)q(this,this.g[a]);this.g=null}};var t=typeof 
navigator!=="undefined"&&/iPhone|iPad|iPod/.test(navigator.userAgent);function u(a){this.g=a;this.i=[]}u.prototype.addEventListener=function(a,b,c){t&&(this.g.style.cursor="pointer");var d=this.i,h=d.push,g=this.g;b=b(this.g);var e=!1;m.indexOf(a)>=0&&(e=!0);g.addEventListener(a,b,typeof c==="boolean"?{capture:e,passive:c}:e);h.call(d,{eventType:a,j:b,capture:e,passive:c})};var k="click dblclick focus focusin blur error focusout keydown keyup keypress load mouseover mouseout mouseenter mouseleave mousemove submit toggle touchstart touchend touchmove touchcancel auxclick change compositionstart compositionupdate compositionend beforeinput input select textinput copy cut paste mousedown mouseup wheel contextmenu dragover dragenter dragleave drop dragstart dragend pointerdown pointermove pointerup pointercancel pointerenter pointerleave pointerover pointerout gotpointercapture lostpointercapture ended loadedmetadata pagehide pageshow visibilitychange beforematch".split(" "); if(!(k instanceof Array)){var v;var w=typeof Symbol!="undefined"&&Symbol.iterator&&k[Symbol.iterator];if(w)v=w.call(k);else if(typeof k.length=="number")v={next:f()};else throw Error(String(k)+" is not an iterable or ArrayLike");for(var x,y=[];!(x=v.next()).done;)y.push(x.value)};var z=function(a){return{trigger:function(b){var c=a.j(b.type);c||(r(a,b.type),c=a.j(b.type));var d=b.target||b.srcElement;c&&c(b.type,b,d.ownerDocument.documentElement)},configure:function(b){b(a)}}}(function(){var a=window,b=new u(a.document.documentElement),c=new p(b);k.forEach(function(g){return r(c,g)});var d,h;"onwebkitanimationend"in a&&(d="webkitAnimationEnd");r(c,"animationend",d);"onwebkittransitionend"in a&&(h="webkitTransitionEnd");r(c,"transitionend",h);return{s:c,u:b}}().s),A=["BOQ_wizbind"], C=window||l,D;for(;A.length&&(D=A.shift());)A.length||z===void 0?C[D]&&C[D]!==Object.prototype[D]?C=C[D]:C=C[D]={}:C[D]=z;}).call(this); </script><script noCollect 
src="https://www.gstatic.com/_/mss/boq-cloudx-web-blog/_/js/k=boq-cloudx-web-blog.TransformBlogUi.en_US.0IckiMf0wwQ.es5.O/am=AAbcAg/d=1/excm=_b,_tp,articleview/ed=1/dg=0/wt=2/ujg=1/rs=AHrnUqXlOUNKsIhFeMjehZWG_IJSmgdtbA/m=_b,_tp" defer id="base-js" fetchpriority="high" nonce="pPuvw5Srdj0z5N266Gn3nw"></script><script nonce="pPuvw5Srdj0z5N266Gn3nw">if (window.BOQ_loadedInitialJS) {onJsLoad();} else {document.getElementById('base-js').addEventListener('load', onJsLoad, false);}</script><script nonce="pPuvw5Srdj0z5N266Gn3nw"> window['_wjdc'] = function (d) {window['_wjdd'] = d}; </script><link rel="alternate" type="application/rss+xml" title="Threat Intelligence" href="https://cloudblog.withgoogle.com/topics/threat-intelligence/rss"><title>TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&amp;CK Mapping | Google Cloud Blog</title><meta name="description" content=""><meta name="robots" content="max-image-preview:large"><meta property="og:title" content="TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&amp;CK Mapping | Google Cloud Blog"><meta property="og:type" content="website"><meta property="og:url" content="https://cloud.google.com/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections"><meta property="og:image" content="https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BA.max-2600x2600.png"><meta property="og:site_name" content="Google Cloud Blog"><meta name="twitter:card" content="summary_large_image"><meta name="twitter:url" content="https://cloud.google.com/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections"><meta name="twitter:title" content="TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&amp;CK Mapping | Google Cloud Blog"><meta name="twitter:description" content=""><meta name="twitter:image" 
content="https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BA.max-2600x2600.png"><meta name="twitter:site" content="@googlecloud"><script type="application/ld+json">{"@context":"https://schema.org","@type":"BlogPosting","@id":"https://cloud.google.com/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections","headline":"TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT\u0026CK Mapping","description":"","image":"https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BA.max-2600x2600.png","author":[{"@type":"Person","name":"Mandiant ","url":""}],"datePublished":"2019-04-10","publisher":{"@type":"Organization","name":"Google Cloud","logo":{"@type":"ImageObject","url":"https://www.gstatic.com/devrel-devsite/prod/v8bb8fa0afe9a8c3a776ebeb25d421bb443344d789b3607754dfabea418b8c4be/cloud/images/cloud-logo.svg"}},"url":"https://cloud.google.com/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections","keywords":["Threat Intelligence","Security \u0026 Identity"],"timeRequired":"PT14M"}</script><link rel="canonical" href="https://cloud.google.com/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections/"><meta name="track-metadata-page_post_title" content="TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&amp;CK Mapping"><meta name="track-metadata-page_post_labels" content="Threat Intelligence"><meta name="track-metadata-page_first_published" content="2024-03-26 05:03:00"><meta name="track-metadata-page_last_published" content="2019-04-10 15:04:00"><meta name="track-metadata-page_post_author" content="Mandiant "><meta name="track-metadata-page_post_author_role" content=""><header jsaction="rcuQ6b:npT2md" jscontroller="o60eef" class="glue-header nRhiJb-tJHJj-OWXEXe-kFx1Ae" id="kO001e"><a href="./#content" class="glue-header__link 
aria-hidden="true"><path d="M16.41 5.41L15 4l-8 8 8 8 1.41-1.41L9.83 12"></path></svg><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G glue-header__stepped-nav-subnav-icon" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M7.59 18.59L9 20l8-8-8-8-1.41 1.41L14.17 12"></path></svg></div><div class="glue-header__stepped-nav-controls-title glue-header__link"></div></div></div><div class="glue-header__stepped-nav-menus"></div></div><div class="glue-header__container nRhiJb-J6KYL-OWXEXe-Q4irje"><nav class="glue-header__link-bar"><ul class="glue-header__list glue-header__list--nested glue-header__deep-nav URiJfb"><li class="glue-header__item "><a class="glue-header__link">Solutions &amp; technology<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M5.41 7.59L4 9l8 8 8-8-1.41-1.41L12 14.17"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/ai-machine-learning" track-name="ai &amp; machine learning"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/ai-machine-learning"track-metadata-module="header"><span>AI &amp; Machine Learning</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/api-management" track-name="api management"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/api-management"track-metadata-module="header"><span>API Management</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/application-development" track-name="application development"track-type="blog 
nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/application-development"track-metadata-module="header"><span>Application Development</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/application-modernization" track-name="application modernization"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/application-modernization"track-metadata-module="header"><span>Application Modernization</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/chrome-enterprise" track-name="chrome enterprise"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/chrome-enterprise"track-metadata-module="header"><span>Chrome Enterprise</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/compute" track-name="compute"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/compute"track-metadata-module="header"><span>Compute</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/containers-kubernetes" track-name="containers &amp; kubernetes"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/containers-kubernetes"track-metadata-module="header"><span>Containers &amp; Kubernetes</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/data-analytics" track-name="data analytics"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/data-analytics"track-metadata-module="header"><span>Data Analytics</span></a></li><li 
class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/databases" track-name="databases"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/databases"track-metadata-module="header"><span>Databases</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/devops-sre" track-name="devops &amp; sre"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/devops-sre"track-metadata-module="header"><span>DevOps &amp; SRE</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/maps-geospatial" track-name="maps &amp; geospatial"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/maps-geospatial"track-metadata-module="header"><span>Maps &amp; Geospatial</span></a></li><li class="glue-header__item "><a class="glue-header__link janap">Security<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M7.59 18.59L9 20l8-8-8-8-1.41 1.41L14.17 12"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/identity-security" track-name="security &amp; identity"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/identity-security"track-metadata-module="header"><span>Security &amp; Identity</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/threat-intelligence" track-name="threat intelligence"track-type="blog 
nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence"track-metadata-module="header"><span>Threat Intelligence</span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/infrastructure" track-name="infrastructure"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/infrastructure"track-metadata-module="header"><span>Infrastructure</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/infrastructure-modernization" track-name="infrastructure modernization"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/infrastructure-modernization"track-metadata-module="header"><span>Infrastructure Modernization</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/networking" track-name="networking"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/networking"track-metadata-module="header"><span>Networking</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/productivity-collaboration" track-name="productivity &amp; collaboration"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/productivity-collaboration"track-metadata-module="header"><span>Productivity &amp; Collaboration</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/sap-google-cloud" track-name="sap on google cloud"track-type="blog 
nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/sap-google-cloud"track-metadata-module="header"><span>SAP on Google Cloud</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/storage-data-transfer" track-name="storage &amp; data transfer"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/storage-data-transfer"track-metadata-module="header"><span>Storage &amp; Data Transfer</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/sustainability" track-name="sustainability"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/sustainability"track-metadata-module="header"><span>Sustainability</span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link">Ecosystem<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M5.41 7.59L4 9l8 8 8-8-1.41-1.41L12 14.17"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/transform" track-name="it leaders"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/transform"track-metadata-module="header"><span>IT Leaders</span></a></li><li class="glue-header__item "><a class="glue-header__link janap">Industries<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M7.59 18.59L9 20l8-8-8-8-1.41 1.41L14.17 12"></path></svg></a><ul class="glue-header__list NDdrcc"><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/financial-services" track-name="financial services"track-type="blog 
nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/financial-services"track-metadata-module="header"><span>Financial Services</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/healthcare-life-sciences" track-name="healthcare &amp; life sciences"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/healthcare-life-sciences"track-metadata-module="header"><span>Healthcare &amp; Life Sciences</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/manufacturing" track-name="manufacturing"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/manufacturing"track-metadata-module="header"><span>Manufacturing</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/products/media-entertainment" track-name="media &amp; entertainment"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/products/media-entertainment"track-metadata-module="header"><span>Media &amp; Entertainment</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/public-sector" track-name="public sector"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/public-sector"track-metadata-module="header"><span>Public Sector</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/retail" track-name="retail"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/retail"track-metadata-module="header"><span>Retail</span></a></li><li class="glue-header__item "><a class="glue-header__link 
janap " href="https://cloud.google.com/blog/topics/supply-chain-logistics" track-name="supply chain"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/supply-chain-logistics"track-metadata-module="header"><span>Supply Chain</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/telecommunications" track-name="telecommunications"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/telecommunications"track-metadata-module="header"><span>Telecommunications</span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/partners" track-name="partners"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/partners"track-metadata-module="header"><span>Partners</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/startups" track-name="startups &amp; smb"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/startups"track-metadata-module="header"><span>Startups &amp; SMB</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/training-certifications" track-name="training &amp; certifications"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/training-certifications"track-metadata-module="header"><span>Training &amp; Certifications</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/inside-google-cloud" track-name="inside google cloud"track-type="blog 
nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/inside-google-cloud"track-metadata-module="header"><span>Inside Google Cloud</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/google-cloud-next" track-name="google cloud next &amp; events"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/google-cloud-next"track-metadata-module="header"><span>Google Cloud Next &amp; Events</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://cloud.google.com/blog/topics/consulting" track-name="google cloud consulting"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/consulting"track-metadata-module="header"><span>Google Cloud Consulting</span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://mapsplatform.google.com/resources/blog/" track-name="google maps platform"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="mapsplatform.google.com/resources/blog/"track-metadata-module="header" target="_blank"><span>Google Maps Platform<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G FsOzib nRhiJb-tHaKme-AipIyc" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="m8.9 16.075 5.4-5.4v2.675h1.4V8.3h-5.05v1.4h2.65l-5.375 5.375ZM12 21.3q-1.925 0-3.625-.738-1.7-.737-2.95-1.987-1.25-1.25-1.987-2.95Q2.7 13.925 2.7 12t.738-3.625q.737-1.7 1.987-2.95 1.25-1.25 2.95-1.988Q10.075 2.7 12 2.7t3.625.737q1.7.738 2.95 1.988 1.25 1.25 1.987 2.95.738 1.7.738 3.625t-.738 3.625q-.737 1.7-1.987 2.95-1.25 1.25-2.95 1.987-1.7.738-3.625.738Z"></path></svg></span></a></li><li class="glue-header__item "><a class="glue-header__link janap " href="https://workspace.google.com/blog" track-name="google workspace"track-type="blog 
nav"track-metadata-position="nav"track-metadata-eventdetail="workspace.google.com/blog"track-metadata-module="header" target="_blank"><span>Google Workspace<svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-SFi8G FsOzib nRhiJb-tHaKme-AipIyc" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="m8.9 16.075 5.4-5.4v2.675h1.4V8.3h-5.05v1.4h2.65l-5.375 5.375ZM12 21.3q-1.925 0-3.625-.738-1.7-.737-2.95-1.987-1.25-1.25-1.987-2.95Q2.7 13.925 2.7 12t.738-3.625q.737-1.7 1.987-2.95 1.25-1.25 2.95-1.988Q10.075 2.7 12 2.7t3.625.737q1.7.738 2.95 1.988 1.25 1.25 1.987 2.95.738 1.7.738 3.625t-.738 3.625q-.737 1.7-1.987 2.95-1.25 1.25-2.95 1.987-1.7.738-3.625.738Z"></path></svg></span></a></li></ul></li><li class="glue-header__item "><a class="glue-header__link " href="https://cloud.google.com/blog/topics/developers-practitioners" track-name="developers &amp; practitioners"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/blog/topics/developers-practitioners"track-metadata-module="header"><span>Developers &amp; Practitioners</span></a></li><li class="glue-header__item "><a class="glue-header__link " href="https://cloud.google.com/transform" track-name="transform with google cloud"track-type="blog nav"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/transform"track-metadata-module="header"><span>Transform with Google Cloud</span></a></li></ul></nav></div><div class="glue-header__container ca6rub nRhiJb-J6KYL-OWXEXe-SU0ZEf"><div class="nRhiJb-GUI8l"><a class="nRhiJb-LgbsSe nRhiJb-LgbsSe-OWXEXe-pSzOP-o6Shpd " href="https://cloud.google.com/contact/" track-name="contact sales"track-type="blog nav"track-metadata-eventdetail="cloud.google.com/contact/"track-metadata-module="header" track-name="contact sales"track-type="button"track-metadata-position="nav"track-metadata-eventdetail="cloud.google.com/contact/">Contact sales </a><a class="nRhiJb-LgbsSe nRhiJb-LgbsSe-OWXEXe-CNusmb-o6Shpd " 
href="https://console.cloud.google.com/freetrial/" track-name="get started for free"track-type="blog nav"track-metadata-eventdetail="console.cloud.google.com/freetrial/"track-metadata-module="header" track-name="get started for free"track-type="button"track-metadata-position="nav"track-metadata-eventdetail="console.cloud.google.com/freetrial/">Get started for free </a></div><div class="GKI4ub"><div class="Jhiezd"><form action="/blog/search/" class="A2C6Ob"><input class="BAhdXd" jsname="oJAbI" name="query" type="text" placeholder="Find an article..."><input type="hidden" name="language" value=en hidden><input type="hidden" name="category" value=article hidden><input type="hidden" name="paginate" value="25" hidden><input type="hidden" name="order" value="newest" hidden><input type="hidden" name="hl" value=en hidden><span class="A0lwXc" jsname="D8MWrd" aria-label="Show the search input field." role="button" jsaction="click:jUF4E"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c" viewBox="0 0 24 24" role="presentation" aria-hidden="true" width="40" height="22"><path d="M20.49 19l-5.73-5.73C15.53 12.2 16 10.91 16 9.5A6.5 6.5 0 1 0 9.5 16c1.41 0 2.7-.47 3.77-1.24L19 20.49 20.49 19zM5 9.5C5 7.01 7.01 5 9.5 5S14 7.01 14 9.5 11.99 14 9.5 14 5 11.99 5 9.5z"></path></svg></span></form></div></div></div></div></div><div class="glue-header__drawer-backdrop"></div></header><script nonce="pPuvw5Srdj0z5N266Gn3nw">var AF_initDataKeys = ["ds:0"]; var AF_dataServiceRequests = {'ds:0' : {id:'nInjGe',request:["cloudblog","topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections","en"]}}; var AF_initDataChunkQueue = []; var AF_initDataCallback; var AF_initDataInitializeCallback; if (AF_initDataInitializeCallback) {AF_initDataInitializeCallback(AF_initDataKeys, AF_initDataChunkQueue, AF_dataServiceRequests);}if (!AF_initDataCallback) {AF_initDataCallback = function(chunk) {AF_initDataChunkQueue.push(chunk);};}</script></head><body id="yDmH0d" 
jscontroller="pjICDe" jsaction="rcuQ6b:npT2md; click:FAbpgf; auxclick:FAbpgf" class="tQj5Y ghyPEc IqBfM ecJEib EWZcud nRhiJb-qJTHM" data-has-header="true" data-has-footer="true"><script aria-hidden="true" nonce="pPuvw5Srdj0z5N266Gn3nw">window.wiz_progress&&window.wiz_progress();</script><div class="VUoKZ" aria-hidden="true"><div class="TRHLAc"></div></div><c-wiz jsrenderer="zPZHOe" class="SSPGKf" jsdata="deferred-i1" data-p="%.@.&quot;cloudblog&quot;,&quot;topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections&quot;,&quot;en&quot;]" data-node-index="0;0" jsmodel="hc6Ubd" view c-wiz data-ogpc><div class="T4LgNb " jsname="a9kxte"><div jsname="qJTHM" class="kFwPee"><article class="nRhiJb-qJTHM" jsaction="rcuQ6b:npT2md" jscontroller="kxO7ab"><section class="nRhiJb-DARUcf"><div class="Wdmc0c nRhiJb-DbgRPb-wNfPc-cGMI2b"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c nRhiJb-BFbNVe-r8s4j-bMElCd dIsJJe" track-name="threat intelligence"track-type="tag">Threat Intelligence</div><div class="nRhiJb-ObfsIf"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-R6PoUb"></div><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-EehZO nRhiJb-fmcmS-oXtfBe"><h1 class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-ibL1re"><div class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-ibL1re"><span class="FewWi"></span>TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&amp;CK Mapping</div></h1></div></div><div class="nRhiJb-fmcmS-oXtfBe dEogG">April 10, 2019</div></div></section><div class="EKklye"><div class="nRhiJb-DARUcf ZWw7T"><div class="npzWPc"><div class="dzoHJ"><div class="nRhiJb-DX2B6 nRhiJb-DX2B6-OWXEXe-h30Snd"><div class="nRhiJb-j5y3u"><ul class="nRhiJb-Qijihe phRaUe" role="list"><li class="hpHPGf"><a class="nRhiJb-ARYxNe" 
Mapping&amp;body=Check%20out%20this%20article%20on%20the%20Cloud%20Blog:%0A%0ATRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&amp;CK Mapping%0A%0A%0A%0Acloud.google.com/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections"track-metadata-module="social icons" target="_blank" rel="noopener"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-DX2B6 nRhiJb-Bz112c-OWXEXe-nSuQf" viewBox="0 0 24 24" role="presentation" aria-hidden="true" role="presentation" aria-hidden="true"><path d="M20 4H4c-1.1 0-2 .9-2 2v12c0 1.1.9 2 2 2h16c1.1 0 2-.9 2-2V6c0-1.1-.9-2-2-2zm-.8 2L12 10.8 4.8 6h14.4zM4 18V7.87l8 5.33 8-5.33V18H4z"></path></svg></a></li></ul></div></div></div></div></div><div><section class="nRhiJb-DARUcf"><div class="nRhiJb-DbgRPb-wNfPc-ma6Yeb nRhiJb-DbgRPb-wNfPc-cGMI2b"><section class="DA9Qj nRhiJb-ObfsIf nRhiJb-fmcmS-oXtfBe"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-c5RTEf"></div><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-qWD73c"><h5 class="cHE8Ub Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-qWD73c">Mandiant </h5><p class="nRhiJb-qJTHM khCp7b"></p></div></section></div></section><div class="nRhiJb-DARUcf"><div class="nRhiJb-ObfsIf nRhiJb-DbgRPb-wNfPc-ma6Yeb nRhiJb-DbgRPb-qWD73c-cGMI2b"><div class="nRhiJb-kR0ZEf-OWXEXe-GV1x9e-ibL1re dzoHJ"></div><div class="OYL9D nRhiJb-kR0ZEf-OWXEXe-GV1x9e-OiUrBf" jsname="tx2NYc"><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Written by: Steve Miller, Nathan Brubaker, Daniel Kapellmann Zafra, Dan Caban</p> <hr></span></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><h4>Overview</h4> <p>FireEye can now confirm that we have uncovered and are responding to <strong>an additional intrusion by the attacker 
behind TRITON at a different critical infrastructure facility</strong>.</p> <p>In December 2017, FireEye publicly released our first analysis on the TRITON attack where malicious actors used the TRITON custom attack framework to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown. In subsequent <a href="https://cloud.google.com/blog/topics/threat-intelligence/totally-tubular-treatise-triton-and-tristation" rel="noopener" target="_blank">research</a> we examined how the attackers may have gained access to critical components needed to build the TRITON attack framework. In our most recent analysis, we attributed the intrusion activity that led to the deployment of TRITON to a Russian government-owned technical research institute in Moscow.</p> <p>The TRITON intrusion is shrouded in mystery. There has been some public discussion surrounding the TRITON framework and its impact at the target site, yet little to no information has been shared on the tactics, techniques, and procedures (TTPs) related to the intrusion lifecycle, or how the attack made it deep enough to impact the industrial processes. The TRITON framework itself and the intrusion tools the actor used were built and deployed by humans, all of whom had observable human strategies, preferences, and conventions for the custom tooling of the intrusion operation. It is our goal to discuss these adversary methods and highlight exactly how the developer(s), operator(s) and others involved used custom tools in the intrusion.</p> <p>In this report we continue our research of the actor’s operations with a specific focus on a selection of custom information technology (IT) tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle (Figure 1). 
The information in this report is derived from multiple TRITON-related incident responses carried out by FireEye Mandiant.</p> <p>Using the methodologies described in this post, FireEye Mandiant incident responders have uncovered additional intrusion activity from this threat actor – including new custom tool sets – at a second critical infrastructure facility. As such, we strongly encourage industrial control system (ICS) asset owners to leverage the indicators, TTPs, and detections included in this post to improve their defenses and hunt for related activity in their networks.</p> <p>For IT and operational technology (OT) incident response support, please contact <a href="https://www.mandiant.com/advantage" rel="noopener" target="_blank">FireEye Mandiant</a>. For more in-depth analysis of TRITON and other cyber threats, consider subscribing to <a href="https://cloud.google.com/security/products/threat-intelligence" rel="noopener" target="_blank">FireEye Cyber Threat Intelligence</a>.</p> <p>FireEye’s SmartVision technology, which searches for attackers during lateral movement activities by monitoring east-west traffic in IT and OT networks, reduces the risk of an attack reaching sensitive ICS processes. 
This is particularly relevant for sophisticated ICS-related intrusions as attackers typically move from corporate IT to OT networks through systems that are accessible to both environments, far beyond perimeter defenses.</p> <h4>Contents</h4> <ul> <li>Tools and TTPs</li> <li>Hunting for ICS-focused threat actors across IT and OT</li> <li>Methodology and discovery strategies</li> <li>Appendix A: Discovery Rules</li> <li>Appendix B: Technical Analysis of Custom Attack Tools</li> <li>Appendix C: MITRE ATT&amp;CK JSON Raw Data</li> <li>Indicators of Compromise</li> </ul></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/triton1_plbv.max-1000x1000.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/triton1_plbv.max-1000x1000.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/triton1_plbv.max-1000x1000.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/triton1_plbv.max-1000x1000.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 1: The FireEye targeted attack lifecycle</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><h4>Actor Leveraged a Variety of Custom and 
Commodity Intrusion Tools</h4> <p>Throughout the targeted attack lifecycle, the actor leveraged dozens of custom and commodity intrusion tools to gain and maintain access to the target&#39;s IT and OT networks. A selection of the custom tools that FireEye Mandiant recovered is listed later in this post in Table 1, and hashes are listed in Table 2 at the end of this post. Discovery rules for and technical analysis of these tools, as well as MITRE ATT&amp;CK JSON raw data, are available in Appendix A, Appendix B, and Appendix C.</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/triton2_ywhx.max-900x900.png" alt="Figure 2: Selection of custom tools used by the actor" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/triton2_ywhx.max-900x900.png" alt="Figure 2: Selection of custom tools used by the actor" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 2: Selection of custom tools used by the actor</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>The actor's custom tools frequently mirrored the functionality of commodity tools 
and appear to be developed with a focus on anti-virus evasion. The group often leveraged custom tools when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion (e.g., they switched to custom backdoors in IT and OT DMZ right before gaining access to the engineering workstation). In some instances, the actor leveraged custom and commodity tools for the same function. For example, they used Mimikatz (public) and SecHack (custom) for credential harvesting; both tools provide a very similar output (Figure 2).</p></span></section><section class="QzPuud"><div><section><figure class="NEBdNd"><section class="PBkdHd DhGbH" jscontroller="SCGBie" jsaction="rcuQ6b:npT2md"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/triton3_lwrm.max-1000x1000.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/triton3_lwrm.max-1000x1000.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><section class="glue-modal glue-modal--dark QHdDac" role="dialog" aria-modal="true"><img class="JcsBte mZzdH ZOnyjc" src="https://storage.googleapis.com/gweb-cloudblog-publish/images/triton3_lwrm.max-1000x1000.png" alt="https://storage.googleapis.com/gweb-cloudblog-publish/images/triton3_lwrm.max-1000x1000.png" jsname='P3Vluc' jsaction="click:HTIlC" loading="lazy"/><button class="glue-modal__close-btn" tabindex="0" aria-label="Close this modal"></button></section></section></figure><div class="nRhiJb-cHYyed nRhiJb-DbgRPb-R6PoUb-ma6Yeb ZpqjUe"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><p>Figure 3: Default outputs for Mimikatz (left) and SecHack (right)</p></span></div></section></div></section><section class="Wy08Ac nRhiJb-qJTHM-OWXEXe-hJDwNd nRhiJb-DbgRPb-II5mzb-cGMI2b"><span class="dQQu7c" jsaction="rcuQ6b:npT2md" jscontroller="YSybTb" data-track-type="" soy-skip ssk='5:kbe95'><h4>Tools and TTPs Indicate a Deep 
Interest in Ensuring Prolonged and Persistent Access to the Target Environment</h4> <p>The targeted attack lifecycle of a sophisticated ICS attack is often measured in years. Attackers require a long time to prepare for such an attack in order to learn about the target’s industrial processes and build custom tools. These attacks are also often carried out by nation states that may be interested in preparing for contingency operations rather than conducting an immediate attack (e.g., installing malware like TRITON and waiting for the right time to use it). During this time, the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom ICS malware. This attack was no exception. The actor was present in the target networks for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Throughout that period, they appeared to prioritize operational security.</p> <p>After establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.</p> <p>The actor used multiple techniques to hide their activities, cover their tracks, and deter forensic examination of their tools and activities.</p> <ul> <li>They renamed their files to make them look like legitimate files, for example, KB77846376.exe, named after Microsoft update files.</li> <li>They routinely used standard tools that would mimic legitimate administrator activities. 
This included heavy use of RDP and PsExec/WinRM.</li> <li>When planting webshells on the Outlook Exchange servers, they modified already existing legitimate flogon.js and logoff.aspx files.</li> <li>They relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.</li> <li>They used multiple staging folders and opted to use directories that were used infrequently by legitimate users or processes.</li> <li>They routinely deleted dropped attack tools, execution logs, files staged for exfiltration, and other files after they were finished with them.</li> <li>They renamed their tools' filenames in the staging folder so that it would not be possible to identify the malware's purpose, even after it was deleted from the disk through the residual artifacts (e.g., ShimCache entries or WMI Recently Used Apps).</li> <li>They used timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools.</li> </ul> <p>Once the actor gained access to the targeted SIS controllers, they appeared to focus solely on maintaining access while attempting to successfully deploy TRITON. This involved strategically limiting their activities to mitigate the risk of being discovered.</p> <ul> <li>The actor gained a foothold on the distributed control system (DCS) but did not leverage that access to learn about plant operations, exfiltrate sensitive information, tamper with the DCS controllers, or manipulate the process.</li> <li>They then gained access to an SIS engineering workstation. From this point forward, they focused most of their effort on delivering and refining a backdoor payload using the TRITON attack framework.</li> <li>They attempted to reduce the chance of being observed during higher-risk activities by interacting with target controllers during off-hour times. 
This would ensure fewer workers were on site to react to potential alarms caused by controller manipulation.</li> <li>They renamed their files to make them look like legitimate files, for example, trilog.exe, named after a legitimate Schneider Electric application.</li> </ul> <h4>Operational Since At Least 2014</h4> <p>Based on analysis of the actor’s custom intrusion tools, the group has been operating since as early as 2014. It is worth noting that FireEye had never before encountered any of the actor's custom tools, despite the fact that many of them date to several years before the initial compromise. This fact and the actor's demonstrated interest in operational security suggests there may be other target environments – beyond the second intrusion announced in this blog post – where the actor was or still is present.</p> <ul> <li>A sample of a Cryptcat-based backdoor used to establish the initial foothold was recovered during the investigation; the sample was compiled and uploaded to a malware testing environment by the actor in 2014.</li> <li>Cryptcat- and PLINK-based backdoors were scheduled to execute daily starting from April 28, 2014, using ProgramDataUpdater and NetworkAccessProtectionUpdateDB tasks. This date is unrelated to the observed intrusion timeline and may indicate the date the threat actors first created these persistence mechanisms.</li> <li>NetExec.exe, a custom lateral movement and remote command execution tool, is self-titled "NetExec 2014 by OSA."</li> <li>SecHack.exe "by OSA," a custom credential harvesting and reconnaissance tool, was compiled on Oct. 
23, 2014.</li> <li>The attackers used a pirated version of Wii.exe, a public file indexing tool that came with a license from 2010 and has not been updated since 2014.</li> </ul> <h4>ICS Asset Owners Should Prioritize Detection and Defense Across Windows Systems in Both IT and OT</h4> <p>Most sophisticated ICS attacks leveraged Windows, Linux, and other traditionally "IT" systems (located in either IT or OT networks) as a conduit to the ultimate target. Some examples include leveraging computers to gain access to targeted PLCs (e.g., Stuxnet), interacting directly with internet-connected human machine interfaces (HMIs) (e.g., BlackEnergy), and gaining remote access to an engineering station to manipulate a remote terminal unit (RTU) (e.g., INDUSTROYER) or infect SIS programmable logic controllers (PLC) (e.g., TRITON).</p> <p>Defenders who focus on stopping an attacker in these "conduit" systems benefit from a number of key advantages. These advantages will only grow as IT and OT systems continue to converge.</p> <ul> <li>Attackers commonly leave a broad footprint in IT systems across most if not all the attack lifecycle.</li> <li>It is ideal to stop an attacker as early in the attack lifecycle as possible (aka "left of boom"). Once an attacker reaches the targeted ICS, the potential of a negative outcome and its severity for the target increase dramatically.</li> <li>There are many mature security tools, services, and other capabilities already available that can be leveraged to defend and hunt in "conduit" systems.</li> </ul> <h4>Leveraging Known Tools and TTPs To Hunt For the TRITON Actor</h4> <p>Historic activity associated with this actor demonstrates a strong development capability for custom tooling. The developer(s) behind these toolsets leaned heavily on existing software frameworks and modified them to best serve the intrusion operations. 
The developer(s) had preferences regarding the ports, protocols, persistence mechanisms, and other aspects of how the malware operated.</p> <p>While the preferences of the development team supporting this activity will likely shift and change over time, learning about them is still useful to identify whether their TTPs are applicable to other malware developers and threat actors. Additionally, the actor possibly gained a foothold on other target networks—beyond the two intrusions discussed in this post – using similar strategies. In such cases, retrospective hunting would help defenders identify and remediate malicious activity.</p> <p>Based on the examination of developer(s) preferences and abstracted adversary methodologies, it is possible to build broader visibility of the TTPs using detection and hunting rules of various fidelity and threat density. The compilation of these rules makes it possible to identify and classify potentially malicious samples while building new "haystacks" in which to hunt for adversary activity.</p> <p>The TTPs we extracted from this actor’s activities are not necessarily exclusive, nor are they necessarily malicious in every circumstance. However, the TTP profile built by FireEye can be used to search for patterns of evil in subsets of network and endpoint activity. Not only can these TTPs be used to find evidence of intrusions, but identification of activity that has strong overlaps with the actor's favored techniques can lead to stronger assessments of actor association, further bolstering incident response efforts.</p> <p>The following table provides insights into notable methodologies surrounding the use of custom tools and tips for identifying evidence of this and related activity. 
Adversary methodologies are also expressed in terms of the MITRE ATT&amp;CK framework (see Appendix C for MITRE ATT&amp;CK JSON raw data).</p> <p> </p> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"> <div style="color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%"><table> <tbody> <tr> <td style="border:1px solid #000000;padding:16px"><strong><u>Adversary Methodology</u></strong></td> <td style="border:1px solid #000000;padding:16px"><strong><u>Discovery Tips</u></strong></td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p>Persistence via Scheduled Tasks with XML triggers</p> <p><a href="https://attack.mitre.org/techniques/T1053/" rel="noopener" target="_blank">ATT&amp;CK: T1053</a></p> </td> <td style="border:1px solid #000000;padding:16px">Look for new and anomalous <a href="https://docs.microsoft.com/en-us/windows/desktop/taskschd/daily-trigger-example--xml-" rel="noopener" target="_blank">Scheduled Tasks XML triggers</a> referencing unsigned .exe files.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p>Persistence by IFEO injection</p> <p><a href="https://attack.mitre.org/techniques/T1546/012/" rel="noopener" target="_blank">ATT&amp;CK: T1183</a></p> </td> <td style="border:1px solid #000000;padding:16px">Look for modifications and new entries referencing .exe files under registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Command and control (C2) established using hard-coded DNS servers</td> <td style="border:1px solid #000000;padding:16px">Look for PE executions that run DNS lookups to 8.8.8.8:53. 
This may be applicable to sandbox and other malware processing technologies.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p>C2 using favored C2 ports</p> <p><a href="https://attack.mitre.org/techniques/T1043/" rel="noopener" target="_blank">ATT&amp;CK: T1043</a></p> <p><a href="https://attack.mitre.org/techniques/T1571/" rel="noopener" target="_blank">ATT&amp;CK: T1065</a></p> </td> <td style="border:1px solid #000000;padding:16px">Look for outbound connections with port-protocol mismatches on common and uncommon ports such as 443, 4444, 8531, and 50501.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p>C2 using favored Virtual Private Server (VPS) infrastructure</p> <p><a href="https://attack.mitre.org/techniques/T1329/" rel="noopener" target="_blank">ATT&amp;CK: T1329</a></p> </td> <td style="border:1px solid #000000;padding:16px">Look for inbound and outbound connections from and to non-standard IP ranges, especially from international VPS providers like OVH and UK-2 Limited (uk2.net).</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">C2 domains containing hyphens</td> <td style="border:1px solid #000000;padding:16px">Look for newly observed 2LD and 3LD domains that contain hyphens.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p>C2 using dynamic DNS domains from afraid.org</p> <p><a href="https://attack.mitre.org/techniques/T1311/" rel="noopener" target="_blank">ATT&amp;CK: T1311</a></p> </td> <td style="border:1px solid #000000;padding:16px">Look for newly observed dynamic DNS domains owned or registered with afraid.org.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">C2 domains registered with vfemail.net email addresses</td> <td style="border:1px solid #000000;padding:16px">Look for newly observed domains or DNS resolutions to domains with registrant email information containing vfemail.net.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> 
<p>Tunneled RDP using PLINK</p> <p><a href="https://attack.mitre.org/techniques/T1021/001/" rel="noopener" target="_blank">ATT&amp;CK: T1076</a></p> </td> <td style="border:1px solid #000000;padding:16px"> <p>Look for the presence of PLINK and non-standard RDP usage with event logs, firewall logs, and registry keys as described in the FireEye blog post "<a href="https://cloud.google.com/blog/topics/threat-intelligence/bypassing-network-restrictions-through-rdp-tunneling" rel="noopener" target="_blank">Bypassing Network Restrictions Through RDP Tunneling.</a>"</p> <p>Find internal RDP pivoting by looking for bitmap cache files under user accounts that should not be accessing sensitive systems via RDP. Look for bitmap cache files such as bcache22.bmc under default, service, or administrator accounts or any account not expected to be conducting internal RDP accesses to sensitive systems in a protected OT-connected zone, especially in the DMZ or DCS areas like HMIs or engineering workstations.</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">C2 using hard-coded SSH private keys</td> <td style="border:1px solid #000000;padding:16px">Look for PEs with hard-coded OpenSSH private keys.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p>Use of direct RDP</p> <p><a href="https://attack.mitre.org/techniques/T1021/001/" rel="noopener" target="_blank">ATT&amp;CK: T1076</a></p> </td> <td style="border:1px solid #000000;padding:16px">Look for inbound RDP connections with default host information, non-standard or unexpected locale IDs, or other metadata. 
See also the <a href="https://cloud.google.com/blog/topics/threat-intelligence/establishing-baseline-remote-desktop-protocol" rel="noopener" target="_blank">FireEye blog post on baselining RDP</a> activity.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">C2 using source systems with default Windows hostnames</td> <td style="border:1px solid #000000;padding:16px">Look for default Windows hostnames that fit the structure WIN-[A-Z0-9]{11} (e.g., WIN-ABCDEFGH1JK) in PE certificates, SSL and SSH certificates, and RDP handshakes.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">C2 using SSH</td> <td style="border:1px solid #000000;padding:16px">Look for new, unique, or unusual SSH sessions. Logging SSH keys and fingerprints would quickly identify an anomalous session caused by malware. Look for SSH over non-standard ports.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p>Compromised VPN accounts</p> <p><a href="https://attack.mitre.org/techniques/T1078/" rel="noopener" target="_blank">ATT&amp;CK: T1078</a></p> </td> <td style="border:1px solid #000000;padding:16px"> <p>Look for VPN logon anomalies based on infeasible patterns such as source account location, IP address, and hostname associations. Check out the FireEye blog post and free toolset for VPN logon analysis, <a href="https://cloud.google.com/blog/topics/threat-intelligence/remote-authentication-geofeasibility-tool-geologonalyzer" rel="noopener" target="_blank">GeoLogonalyzer</a>.</p> <p>If you use SMS-based MFA, look for phone numbers registered outside the country where your employees operate.</p> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Malware masquerading as Microsoft Corporation</td> <td style="border:1px solid #000000;padding:16px">Look for PEs with mismatched PE metadata, such as binaries that contain "Bitvise" strings alongside "Microsoft Corporation" in the metadata. 
Look for unsigned "Microsoft Corporation" binaries in the group's common staging directories.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Use of customized Bitvise binaries</td> <td style="border:1px solid #000000;padding:16px">Look for PEs with Bitvise PDB path strings such as d:\repos\main\ssh2\.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Use of customized OpenSSH binaries</td> <td style="border:1px solid #000000;padding:16px">Look for PEs with content "Microsoft openSSH client."</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Use of customized Cryptcat but with default password</td> <td style="border:1px solid #000000;padding:16px">Look for PEs that drop Cryptcat binaries or contain Cryptcat string content such as the default password "metallica."</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px"> <p>Timestomping via PowerShell</p> <p><a href="https://attack.mitre.org/techniques/T1070/006/" rel="noopener" target="_blank">ATT&amp;CK: T1099</a></p> </td> <td style="border:1px solid #000000;padding:16px">Look for timestomping command strings such as ".CreationTime=" in PowerShell scripts or in PowerShell command-line entries. Look for PEs with NTFS creation time prior to PE compile time.</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Deployment of binaries with debug information from developer workstations with Visual Studio 2010</td> <td style="border:1px solid #000000;padding:16px"> <p>Look for PEs with PDB paths containing default or generic paths such as</p> <ul> <li>\Users\user\Documents\Visual Studio 2010\</li> <li>\Documents\Visual Studio 2010\.</li> </ul> </td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Use of Thinstall for packaging malware</td> <td style="border:1px solid #000000;padding:16px">Look for PE with content "thinstall\modules\boot_loader.pdb." 
Look for Thinstall binaries that have created virtualized files in the context of the SYSTEM user "C:\Windows\SysWOW64\config\systemprofile\AppData\Roaming\Thinstall\."</td> </tr> <tr> <td style="border:1px solid #000000;padding:16px">Use of favored directories for operating, staging and executing files</td> <td style="border:1px solid #000000;padding:16px"> <p>Look for new, unexpected, or otherwise anomalous binaries in the following directories:</p> <ul> <li>C:\Windows\system32\inetsrv\</li> <li>C:\Windows\temp\</li> <li>C:\Windows\SysWOW64\wbem</li> <li>C:\Windows\SysWOW64\drivers</li> <li>C:\Windows\SysWOW64</li> <li>C:\Windows\system32\wbem\</li> <li>C:\Windows\system32\drivers\</li> <li>C:\Windows\system32\</li> <li>C:\Windows\</li> <li>C:\Users\Public\Libraries\</li> <li>C:\Users\administrator\appdata\local\temp\</li> <li>C:\ssh\</li> <li>C:\perflogs\admin\servermanager\ssh\</li> <li>C:\perflogs\admin\servermanager\</li> <li>C:\perflogs\admin\</li> <li>C:\perflogs\</li> <li>C:\cpqsystem\</li> <li>C:\hp\hpdiags\</li> <li>C:\hp\bin\log\</li> </ul> </td> </tr> </tbody> </table></div> </div> </div> </div> <p style="text-align:center"><span style="color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%">Table 1: TRITON actor methodology and discovery strategies</span></p> <h4>Outlook</h4> <p>There is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild. 
While this attention is useful for a variety of reasons, we argue that defenders and incident responders should focus more attention on so-called "conduit" systems when trying to identify or stop ICS-focused intrusions.</p> <p>In an attempt to raise community awareness surrounding this actor’s capabilities and activities between 2014 and 2017—an effort compounded in importance by our discovery of the threat actor in a second critical infrastructure facility—we have shared a sampling of what we know about the group's TTPs and custom tooling. We encourage ICS asset owners to leverage the detection rules and other information included in this report to hunt for related activity as we believe there is a good chance the threat actor was or is present in other target networks.</p> <p>For IT and OT incident response support, please contact <a href="https://www.mandiant.com/advantage" rel="noopener" target="_blank">FireEye Mandiant</a>. For more in-depth analysis of TRITON and other cyber threats, consider subscribing to <a href="https://cloud.google.com/security/products/threat-intelligence" rel="noopener" target="_blank">FireEye Cyber Threat Intelligence</a>.</p> <p>FireEye’s SmartVision technology, which searches for attackers during lateral movement activities by monitoring east-west traffic in IT and OT networks, reduces the risk of an attack reaching sensitive ICS processes. 
This is particularly relevant for sophisticated ICS-related intrusions as attackers typically move from corporate IT to OT networks through systems that were accessible to both environments, far beyond perimeter defenses.</p> <h4>Appendices</h4> <ul> <li>Appendix A: Discovery Rules</li> <li>Appendix B: Technical Analysis of Custom Attack Tools</li> <li>Appendix C: MITRE ATT&amp;CK JSON Raw Data</li> </ul></span></section><section class="kcBhad"><section class="Fabbec"><span class="WrMNjb">Posted in</span><ul class="FzXI4e"><li class="I4B51b"><a href="https://cloud.google.com/blog/topics/threat-intelligence" track-metadata-position="body"track-metadata-eventdetail="cloud.google.com/blog/topics/threat-intelligence"track-metadata-module="tag list"track-metadata-module_headline="posted in">Threat Intelligence</a></li><li class="I4B51b"><a href="https://cloud.google.com/blog/products/identity-security" track-metadata-position="body"track-metadata-eventdetail="cloud.google.com/blog/products/identity-security"track-metadata-module="tag list"track-metadata-module_headline="posted in">Security &amp; Identity</a></li></ul></section></section></div></div></div></div></div><section class="nRhiJb-DARUcf " track-metadata-module="related articles" track-metadata-module_headline="related articles"><div class="nRhiJb-DbgRPb-c5RTEf-ma6Yeb nRhiJb-DbgRPb-wNfPc-cGMI2b"><h5 class="Qwf2Db-MnozTc Qwf2Db-MnozTc-OWXEXe-MnozTc-wNfPc nRhiJb-DbgRPb-II5mzb-cGMI2b">Related articles</h5><section class="m9cUGf HGev3 nJD2Qe nRhiJb-ObfsIf"><div class=" QaGyvd nRhiJb-kR0ZEf-OWXEXe-GV1x9e-c5RTEf nRhiJb-kR0ZEf-OWXEXe-GV1x9e-qWD73c-V2iZpe"><div class="mA0uBe"><a href="https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger" class="lD2oe" track-name="signals of trouble: multiple russia-aligned threat actors actively targeting signal 
이벤트","/blog/ko/topics/google-cloud-next"],["Google Maps Platform","/blog/ko/products/maps-platform"],["Google Workspace","https://workspace.google.com/blog/ko"]]]],["개발 및 IT운영","/blog/ko/topics/developers-practitioners"],["Google Cloud와 함께 하는 디지털 혁신","/transform/ko"]]]]]],'cloud.google.com','https', null , false , null ,[[97496386,97960269,1714258,1706538,97656897,97848710,97953322,97785986,98002146,48830069,93778619,48897392,97535270,97863042,97969449,97960272,97869659,93841509,97442197,48554501,48489826,97940381,97496370,97656881,97785970,93841493,97442181],null,null,null,null,true],]; window.IJ_valuesCb && window.IJ_valuesCb();</script><script class="ds:0" nonce="pPuvw5Srdj0z5N266Gn3nw">AF_initDataCallback({key: 'ds:0', hash: '1', data:[["TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT\u0026CK Mapping",null,[1554879600],"https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BA.max-2600x2600.png","https://cloud.google.com/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections",[1711401020,963145000]],[["Mandiant "]],[null,"\u003cscript type\u003d\"application/ld+json\"\u003e{\"@context\":\"https://schema.org\",\"@type\":\"BlogPosting\",\"@id\":\"https://cloud.google.com/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections\",\"headline\":\"TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT\\u0026CK Mapping\",\"description\":\"\",\"image\":\"https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BA.max-2600x2600.png\",\"author\":[{\"@type\":\"Person\",\"name\":\"Mandiant \",\"url\":\"\"}],\"datePublished\":\"2019-04-10\",\"publisher\":{\"@type\":\"Organization\",\"name\":\"Google 
Cloud\",\"logo\":{\"@type\":\"ImageObject\",\"url\":\"https://www.gstatic.com/devrel-devsite/prod/v8bb8fa0afe9a8c3a776ebeb25d421bb443344d789b3607754dfabea418b8c4be/cloud/images/cloud-logo.svg\"}},\"url\":\"https://cloud.google.com/blog/topics/threat-intelligence/triton-actor-ttp-profile-custom-attack-tools-detections\",\"keywords\":[\"Threat Intelligence\",\"Security \\u0026 Identity\"],\"timeRequired\":\"PT14M\"}\u003c/script\u003e"],["TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT\u0026CK Mapping"],null,null,[[null,null,[null,[null,"\u003cp\u003eWritten by: Steve Miller, Nathan Brubaker, Daniel Kapellmann Zafra, Dan Caban\u003c/p\u003e\n\u003chr\u003e"]]],[null,null,[null,[null,"\u003ch4\u003eOverview\u003c/h4\u003e\n\u003cp\u003eFireEye can now confirm that we have uncovered and are responding to \u003cstrong\u003ean additional intrusion by the attacker behind TRITON at a different critical infrastructure facility\u003c/strong\u003e.\u003c/p\u003e\n\u003cp\u003eIn December 2017, FireEye publicly released our first analysis on the TRITON attack where malicious actors used the TRITON custom attack framework to manipulate industrial safety systems at a critical infrastructure facility and inadvertently caused a process shutdown. In subsequent \u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/totally-tubular-treatise-triton-and-tristation\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eresearch\u003c/a\u003e we examined how the attackers may have gained access to critical components needed to build the TRITON attack framework. In our most recent analysis, we attributed the intrusion activity that led to the deployment of TRITON to a Russian government-owned technical research institute in Moscow.\u003c/p\u003e\n\u003cp\u003eThe TRITON intrusion is shrouded in mystery. 
There has been some public discussion surrounding the TRITON framework and its impact at the target site, yet little to no information has been shared on the tactics, techniques, and procedures (TTPs) related to the intrusion lifecycle, or how the attack made it deep enough to impact the industrial processes. The TRITON framework itself and the intrusion tools the actor used were built and deployed by humans, all of whom had observable human strategies, preferences, and conventions for the custom tooling of the intrusion operation. It is our goal to discuss these adversary methods and highlight exactly how the developer(s), operator(s) and others involved used custom tools in the intrusion.\u003c/p\u003e\n\u003cp\u003eIn this report we continue our research of the actor\u2019s operations with a specific focus on a selection of custom information technology (IT) tools and tactics the threat actor leveraged during the early stages of the targeted attack lifecycle (Figure 1). The information in this report is derived from multiple TRITON-related incident responses carried out by FireEye Mandiant.\u003c/p\u003e\n\u003cp\u003eUsing the methodologies described in this post, FireEye Mandiant incident responders have uncovered additional intrusion activity from this threat actor \u2013 including new custom tool sets \u2013 at a second critical infrastructure facility. As such, we strongly encourage industrial control system (ICS) asset owners to leverage the indicators, TTPs, and detections included in this post to improve their defenses and hunt for related activity in their networks.\u003c/p\u003e\n\u003cp\u003eFor IT and operational technology (OT) incident response support, please contact \u003ca href\u003d\"https://www.mandiant.com/advantage\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eFireEye Mandiant\u003c/a\u003e. 
For more in-depth analysis of TRITON and other cyber threats, consider subscribing to \u003ca href\u003d\"https://cloud.google.com/security/products/threat-intelligence\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eFireEye Cyber Threat Intelligence\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eFireEye\u2019s SmartVision technology, which searches for attackers during lateral movement activities by monitoring east-west traffic in IT and OT networks, reduces the risk of an attack reaching sensitive ICS processes. This is particularly relevant for sophisticated ICS-related intrusions as attackers typically move from corporate IT to OT networks through systems that are accessible to both environments, far beyond perimeter defenses.\u003c/p\u003e\n\u003ch4\u003eContents\u003c/h4\u003e\n\u003cul\u003e\n\u003cli\u003eTools and TTPs\u003c/li\u003e\n\u003cli\u003eHunting for ICS-focused threat actors across IT and OT\u003c/li\u003e\n\u003cli\u003eMethodology and discovery strategies\u003c/li\u003e\n\u003cli\u003eAppendix A: Discovery Rules\u003c/li\u003e\n\u003cli\u003eAppendix B: Technical Analysis of Custom Attack Tools\u003c/li\u003e\n\u003cli\u003eAppendix C: MITRE ATT\u0026amp;CK JSON Raw Data\u003c/li\u003e\n\u003cli\u003eIndicators of Compromise\u003c/li\u003e\n\u003c/ul\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 1: The FireEye targeted attack lifecycle\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/triton1_plbv.max-1000x1000.png",null,null,"https://storage.googleapis.com/gweb-cloudblog-publish/images/triton1_plbv.max-1000x1000.png"],null,3]]],[null,null,[null,[null,"\u003ch4\u003eActor Leveraged a Variety of Custom and Commodity Intrusion Tools\u003c/h4\u003e\n\u003cp\u003eThroughout the targeted attack lifecycle, the actor leveraged dozens of custom and commodity intrusion tools to gain and maintain access to the target\u0026#39;s IT and OT networks. 
A selection of the custom tools that FireEye Mandiant recovered are listed later in this post in Table 1, and hashes are listed in Table 2 at the end of this post. Discovery rules for and technical analysis of these tools, as well as MITRE ATT\u0026amp;CK JSON raw data, are available in Appendix A, Appendix B, and Appendix C.\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 2: Selection of custom tools used by the actor\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/triton2_ywhx.max-900x900.png",null,null,"https://storage.googleapis.com/gweb-cloudblog-publish/images/triton2_ywhx.max-900x900.png"],null,3]]],[null,null,[null,[null,"\u003cp\u003eThe actor's custom tools frequently mirrored the functionality of commodity tools and appear to have been developed with a focus on anti-virus evasion. The group often leveraged custom tools when they appeared to be struggling with anti-virus detection or were at a critical phase in the intrusion (e.g., they switched to custom backdoors in the IT and OT DMZ right before gaining access to the engineering workstation). In some instances, the actor leveraged custom and commodity tools for the same function. For example, they used Mimikatz (public) and SecHack (custom) for credential harvesting; both tools provide a very similar output (Figure 3).\u003c/p\u003e"]]],[null,null,null,null,null,null,null,null,[[[null,"\u003cp\u003eFigure 3: Default outputs for Mimikatz (left) and SecHack (right)\u003c/p\u003e"],["https://storage.googleapis.com/gweb-cloudblog-publish/images/triton3_lwrm.max-1000x1000.png",null,null,"https://storage.googleapis.com/gweb-cloudblog-publish/images/triton3_lwrm.max-1000x1000.png"],null,3]]],[null,null,[null,[null,"\u003ch4\u003eTools and TTPs Indicate a Deep Interest in Ensuring Prolonged and Persistent Access to the Target Environment\u003c/h4\u003e\n\u003cp\u003eThe targeted attack lifecycle of a sophisticated ICS attack is often measured in years. 
Attackers require a long time to prepare for such an attack in order to learn about the target\u2019s industrial processes and build custom tools. These attacks are also often carried out by nation states that may be interested in preparing for contingency operations rather than conducting an immediate attack (e.g., installing malware like TRITON and waiting for the right time to use it). During this time, the attacker must ensure continued access to the target environment or risk losing years of effort and potentially expensive custom ICS malware. This attack was no exception. The actor was present in the target networks for almost a year before gaining access to the Safety Instrumented System (SIS) engineering workstation. Throughout that period, they appeared to prioritize operational security.\u003c/p\u003e\n\u003cp\u003eAfter establishing an initial foothold on the corporate network, the TRITON actor focused most of their effort on gaining access to the OT network. They did not exhibit activities commonly associated with espionage, such as using key loggers and screenshot grabbers, browsing files, and/or exfiltrating large amounts of information. Most of the attack tools they used were focused on network reconnaissance, lateral movement, and maintaining presence in the target environment.\u003c/p\u003e\n\u003cp\u003eThe actor used multiple techniques to hide their activities, cover their tracks, and deter forensic examination of their tools and activities.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThey renamed their files to make them look like legitimate files, for example, KB77846376.exe, named after Microsoft update files.\u003c/li\u003e\n\u003cli\u003eThey routinely used standard tools that would mimic legitimate administrator activities. 
This included heavy use of RDP and PsExec/WinRM.\u003c/li\u003e\n\u003cli\u003eWhen planting webshells on the Outlook Exchange servers, they modified already existing legitimate flogon.js and logoff.aspx files.\u003c/li\u003e\n\u003cli\u003eThey relied on encrypted SSH-based tunnels to transfer tools and for remote command/program execution.\u003c/li\u003e\n\u003cli\u003eThey used multiple staging folders and opted to use directories that were used infrequently by legitimate users or processes.\u003c/li\u003e\n\u003cli\u003eThey routinely deleted dropped attack tools, execution logs, files staged for exfiltration, and other files after they were finished with them.\u003c/li\u003e\n\u003cli\u003eThey renamed their tools' filenames in the staging folder so that it would not be possible to identify the malware's purpose, even after it was deleted from the disk through the residual artifacts (e.g., ShimCache entries or WMI Recently Used Apps).\u003c/li\u003e\n\u003cli\u003eThey used timestomping to modify the $STANDARD_INFORMATION attribute of the attack tools.\u003c/li\u003e\n\u003c/ul\u003e\n\u003cp\u003eOnce the actor gained access to the targeted SIS controllers, they appeared to focus solely on maintaining access while attempting to successfully deploy TRITON. This involved strategically limiting their activities to mitigate the risk of being discovered.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eThe actor gained a foothold on the distributed control system (DCS) but did not leverage that access to learn about plant operations, exfiltrate sensitive information, tamper with the DCS controllers, or manipulate the process.\u003c/li\u003e\n\u003cli\u003eThey then gained access to an SIS engineering workstation. 
From this point forward, they focused most of their effort on delivering and refining a backdoor payload using the TRITON attack framework.\u003c/li\u003e\n\u003cli\u003eThey attempted to reduce the chance of being observed during higher-risk activities by interacting with target controllers during off-hour times. This would ensure fewer workers were on site to react to potential alarms caused by controller manipulation.\u003c/li\u003e\n\u003cli\u003eThey renamed their files to make them look like legitimate files, for example, trilog.exe, named after a legitimate Schneider Electric application.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eOperational Since At Least 2014\u003c/h4\u003e\n\u003cp\u003eBased on analysis of the actor\u2019s custom intrusion tools, the group has been operating since as early as 2014. It is worth noting that FireEye had never before encountered any of the actor's custom tools, despite the fact that many of them date to several years before the initial compromise. This fact and the actor's demonstrated interest in operational security suggests there may be other target environments \u2013 beyond the second intrusion announced in this blog post \u2013 where the actor was or still is present.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eA sample of a Cryptcat-based backdoor used to establish the initial foothold was recovered during the investigation; the sample was compiled and uploaded to a malware testing environment by the actor in 2014.\u003c/li\u003e\n\u003cli\u003eCryptcat- and PLINK-based backdoors were scheduled to execute daily starting from April 28, 2014, using ProgramDataUpdater and NetworkAccessProtectionUpdateDB tasks. 
This date is unrelated to the observed intrusion timeline and may indicate the date the threat actors first created these persistence mechanisms.\u003c/li\u003e\n\u003cli\u003eNetExec.exe, a custom lateral movement and remote command execution tool, is self-titled \"NetExec 2014 by OSA.\"\u003c/li\u003e\n\u003cli\u003eSecHack.exe \"by OSA,\" a custom credential harvesting and reconnaissance tool, was compiled on Oct. 23, 2014.\u003c/li\u003e\n\u003cli\u003eThe attackers used a pirated version of Wii.exe, a public file indexing tool that came with a license from 2010 and has not been updated since 2014.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eICS Asset Owners Should Prioritize Detection and Defense Across Windows Systems in Both IT and OT\u003c/h4\u003e\n\u003cp\u003eMost sophisticated ICS attacks leveraged Windows, Linux, and other traditionally \"IT\" systems (located in either IT or OT networks) as a conduit to the ultimate target. Some examples include leveraging computers to gain access to targeted PLCs (e.g., Stuxnet), interacting directly with internet-connected human machine interfaces (HMIs) (e.g., BlackEnergy), and gaining remote access to an engineering station to manipulate a remote terminal unit (RTU) (e.g., INDUSTROYER) or infect SIS programmable logic controllers (PLC) (e.g., TRITON).\u003c/p\u003e\n\u003cp\u003eDefenders who focus on stopping an attacker in these \"conduit\" systems benefit from a number of key advantages. These advantages will only grow as IT and OT systems continue to converge.\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eAttackers commonly leave a broad footprint in IT systems across most if not all the attack lifecycle.\u003c/li\u003e\n\u003cli\u003eIt is ideal to stop an attacker as early in the attack lifecycle as possible (aka \"left of boom\"). 
Once an attacker reaches the targeted ICS, the potential of a negative outcome and its severity for the target increase dramatically.\u003c/li\u003e\n\u003cli\u003eThere are many mature security tools, services, and other capabilities already available that can be leveraged to defend and hunt in \"conduit\" systems.\u003c/li\u003e\n\u003c/ul\u003e\n\u003ch4\u003eLeveraging Known Tools and TTPs To Hunt For the TRITON Actor\u003c/h4\u003e\n\u003cp\u003eHistoric activity associated with this actor demonstrates a strong development capability for custom tooling. The developer(s) behind these toolsets leaned heavily on existing software frameworks and modified them to best serve the intrusion operations. The developer(s) had preferences regarding the ports, protocols, persistence mechanisms, and other aspects of how the malware operated.\u003c/p\u003e\n\u003cp\u003eWhile the preferences of the development team supporting this activity will likely shift and change over time, learning about them is still useful to identify whether their TTPs are applicable to other malware developers and threat actors. Additionally, the actor possibly gained a foothold on other target networks\u2014beyond the two intrusions discussed in this post \u2013 using similar strategies. In such cases, retrospective hunting would help defenders identify and remediate malicious activity.\u003c/p\u003e\n\u003cp\u003eBased on the examination of developer(s) preferences and abstracted adversary methodologies, it is possible to build broader visibility of the TTPs using detection and hunting rules of various fidelity and threat density. The compilation of these rules makes it possible to identify and classify potentially malicious samples while building new \"haystacks\" in which to hunt for adversary activity.\u003c/p\u003e\n\u003cp\u003eThe TTPs we extracted from this actor\u2019s activities are not necessarily exclusive, nor are they necessarily malicious in every circumstance. 
However, the TTP profile built by FireEye can be used to search for patterns of evil in subsets of network and endpoint activity. Not only can these TTPs be used to find evidence of intrusions, but identification of activity that has strong overlaps with the actor's favored techniques can lead to stronger assessments of actor association, further bolstering incident response efforts.\u003c/p\u003e\n\u003cp\u003eThe following table provides insights into notable methodologies surrounding the use of custom tools and tips for identifying evidence of this and related activity. Adversary methodologies are also expressed in terms of the MITRE ATT\u0026amp;CK framework (see Appendix C for MITRE ATT\u0026amp;CK JSON raw data).\u003c/p\u003e\n\u003cp\u003e\u00a0\u003c/p\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\n\u003cdiv style\u003d\"color:#5f6368;overflow-x:auto;overflow-y:hidden;width:100%\"\u003e\u003ctable\u003e\n\u003ctbody\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003e\u003cu\u003eAdversary Methodology\u003c/u\u003e\u003c/strong\u003e\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\u003cstrong\u003e\u003cu\u003eDiscovery Tips\u003c/u\u003e\u003c/strong\u003e\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003ePersistence by Scheduled Tasks by XML trigger\u003c/p\u003e\n\u003cp\u003e\u003ca href\u003d\"https://attack.mitre.org/techniques/T1053/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eATT\u0026amp;CK: T1053\u003c/a\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for new and anomalous 
\u003ca href\u003d\"https://docs.microsoft.com/en-us/windows/desktop/taskschd/daily-trigger-example--xml-\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eScheduled Tasks XML triggers\u003c/a\u003e referencing unsigned .exe files.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003ePersistence by IFEO injection\u003c/p\u003e\n\u003cp\u003e\u003ca href\u003d\"https://attack.mitre.org/techniques/T1546/012/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eATT\u0026amp;CK: T1183 (now T1546.012)\u003c/a\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for modifications and new entries referencing .exe files under the registry key HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Image File Execution Options, in particular a Debugger value added to a per-executable subkey, which causes the named binary to run whenever that executable is launched.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eCommand and control (C2) established using hard-coded DNS servers\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for PE executions that send DNS queries directly to 8.8.8.8:53 instead of to the host's configured resolver. Such lookups bypass internal DNS servers and will not appear in their logs, so hunt for them in egress firewall or network flow data as direct port 53 traffic to external addresses. 
This may be applicable to sandbox and other malware processing technologies.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003eC2 using favored C2ports\u003c/p\u003e\n\u003cp\u003e\u003ca href\u003d\"https://attack.mitre.org/techniques/T1043/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eATT\u0026amp;CK: T1043\u003c/a\u003e\u003c/p\u003e\n\u003cp\u003e\u003ca href\u003d\"https://attack.mitre.org/techniques/T1571/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eATT\u0026amp;CK: T1065\u003c/a\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for outbound connections with port-protocol mismatches on common and uncommon ports such as 443, 4444, 8531, and 50501.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003eC2 using favored Virtual Private Server (VPS) infrastructure\u003c/p\u003e\n\u003cp\u003e\u003ca href\u003d\"https://attack.mitre.org/techniques/T1329/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eATT\u0026amp;CK: T1329\u003c/a\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for inbound and outbound connections from and to non-standard IP ranges, especially from international VPS providers like OVH and UK-2 Limited (uk2.net).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eC2 domains with hyphen\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for newly observed 2LD and 3LD domains that contain hyphens.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003eC\u0026amp;C using dynamic DNS domains from afraid.org\u003c/p\u003e\n\u003cp\u003e\u003ca 
href\u003d\"https://attack.mitre.org/techniques/T1311/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eATT\u0026amp;CK: T1311\u003c/a\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for newly observed dynamic DNS domains owned or registered with afraid.org.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eC2 domains registered with vfemail.net email addresses\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for newly observed domains or DNS resolutions to domains with registrant email information containing vfemail.net\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003eTunneled RDP using PLINK\u003c/p\u003e\n\u003cp\u003e\u003ca href\u003d\"https://attack.mitre.org/techniques/T1021/001/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eATT\u0026amp;CK: T1076\u003c/a\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003eLook for the presence of PLINK and non-standard RDP usage with event logs, firewall logs, and registry keys as described in the FireEye blog post \"\u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/bypassing-network-restrictions-through-rdp-tunneling\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eBypassing Network Restrictions Through RDP Tunneling.\u003c/a\u003e\"\u003c/p\u003e\n\u003cp\u003eFind internal RDP pivoting by looking for bitmap cache files under user accounts that should not be accessing sensitive systems via RDP. 
Look for bitmap cache files such as bcache22.bmc (kept under the user profile in the Terminal Server Client cache directory) belonging to default, service, or administrator accounts, or to any account not expected to be conducting internal RDP accesses to sensitive systems in a protected OT-connected zone, especially in the DMZ or DCS areas like HMIs or engineering workstations. The cache records fragments of what the operator saw on the remote screen and is not removed when the attacker deletes their tools.\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eC2 using hard-coded SSH private keys\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for PEs with embedded OpenSSH private keys, e.g., PEM private-key headers (\"-----BEGIN ... PRIVATE KEY-----\") present as strings in the binary. The fingerprint of a recovered key is a high-fidelity indicator that can be matched against logged SSH session fingerprints (see \"C2 using SSH\" below).\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003eUse of direct RDP\u003c/p\u003e\n\u003cp\u003e\u003ca href\u003d\"https://attack.mitre.org/techniques/T1021/001/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eATT\u0026amp;CK: T1076 (now T1021.001)\u003c/a\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for inbound RDP connections with default host information, non-standard or unexpected locale IDs, or other metadata. 
See also the \u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/establishing-baseline-remote-desktop-protocol\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eFireEye blog post on baselining RDP\u003c/a\u003e activity.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eC2 using source systems with default Windows hostnames\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for default Windows hostnames that match the pattern WIN-[A-Z0-9]{11} (e.g., WIN-ABCDEFGH1JK) in PE signing certificates, TLS and SSH certificates, and RDP handshakes. Such names indicate a freshly installed, never-renamed system, which is typical of a throwaway attacker VPS; baseline first, because unrenamed legitimate hosts will match too.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eC2 using SSH\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for new, unique, or unusual SSH sessions. Log the host-key and client-key fingerprints of every SSH session at the network edge: a session initiated by malware using a hard-coded key presents a fingerprint never before seen in the environment, which makes it quick to identify. Also look for SSH on non-standard ports and for SSH traffic from hosts that have no business need for it.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003eCompromised VPN accounts\u003c/p\u003e\n\u003cp\u003e\u003ca href\u003d\"https://attack.mitre.org/techniques/T1078/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eATT\u0026amp;CK: T1078\u003c/a\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003eLook for VPN logon anomalies based on infeasible patterns such as source account location, IP address, and hostname associations. 
Check out the FireEye blog post and free toolset for VPN logon analysis, \u003ca href\u003d\"https://cloud.google.com/blog/topics/threat-intelligence/remote-authentication-geofeasibility-tool-geologonalyzer\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eGeoLogonalyzer\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eIf you use SMS-based MFA, look for phone numbers registered outside the country where your employees operate.\u003c/p\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eMalware masquerading as Microsoft Corporation\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for PEs with mismatched PE metadata such as contains \"Bitvise\" strings and also \"Microsoft Corporation\" in the metadata. Look for unsigned \"Microsoft Corporation\" binaries in the group's common staging directories.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eUse of customized Bitvise binaries\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for PEs with Bitvise PDB path strings such as d:\\repos\\main\\ssh2\\.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eUse of customized OpenSSH binaries\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for PEs with content \"Microsoft openSSH client.\"\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eUse of customized Cryptcat but with default password\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for PEs that drop Cryptcat binaries or contain Cryptcat string content such as the default password \"metallica.\"\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid 
#000000;padding:16px\"\u003e\n\u003cp\u003eTimestomping via PowerShell\u003c/p\u003e\n\u003cp\u003e\u003ca href\u003d\"https://attack.mitre.org/techniques/T1070/006/\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eATT\u0026amp;CK: T1099 (now T1070.006)\u003c/a\u003e\u003c/p\u003e\n\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for timestomping command strings such as \".CreationTime\u003d\" in PowerShell scripts or in PowerShell command-line entries. Look for PEs whose NTFS creation time precedes their PE compile time (bearing in mind that the compile timestamp in the PE header can itself be forged). Because timestomping through the Windows API, including PowerShell, alters only the $STANDARD_INFORMATION attribute, also compare those timestamps with the $FILE_NAME attribute in the MFT: a $STANDARD_INFORMATION time earlier than its $FILE_NAME counterpart is a strong indicator.\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eDeployment of binaries with debug information from developer workstations with Visual Studio 2010\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003eLook for PEs with PDB paths containing default or generic paths such as\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003e\\Users\\user\\Documents\\Visual Studio 2010\\\u003c/li\u003e\n\u003cli\u003e\\Documents\\Visual Studio 2010\\.\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eUse of Thinstall for packaging malware\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eLook for PEs with content \"thinstall\\modules\\boot_loader.pdb.\" Look for Thinstall binaries that have created virtualized files in the context of the SYSTEM user \"C:\\Windows\\SysWOW64\\config\\systemprofile\\AppData\\Roaming\\Thinstall\\.\"\u003c/td\u003e\n\u003c/tr\u003e\n\u003ctr\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003eUse of favored directories for operating, staging and executing files\u003c/td\u003e\n\u003ctd style\u003d\"border:1px solid #000000;padding:16px\"\u003e\n\u003cp\u003eLook for new, unexpected, or otherwise anomalous binaries in the following 
directories:\u003c/p\u003e\n\u003cul\u003e\n\u003cli\u003eC:\\Windows\\system32\\inetsrv\\\u003c/li\u003e\n\u003cli\u003eC:\\Windows\\temp\\\u003c/li\u003e\n\u003cli\u003eC:\\Windows\\SysWOW64\\wbem\u003c/li\u003e\n\u003cli\u003eC:\\Windows\\SysWOW64\\drivers\u003c/li\u003e\n\u003cli\u003eC:\\Windows\\SysWOW64\u003c/li\u003e\n\u003cli\u003eC:\\Windows\\system32\\wbem\\\u003c/li\u003e\n\u003cli\u003eC:\\Windows\\system32\\drivers\\\u003c/li\u003e\n\u003cli\u003eC:\\Windows\\system32\\\u003c/li\u003e\n\u003cli\u003eC:\\Windows\\\u003c/li\u003e\n\u003cli\u003eC:\\Users\\Public\\Libraries\\\u003c/li\u003e\n\u003cli\u003eC:\\Users\\administrator\\appdata\\local\\temp\\\u003c/li\u003e\n\u003cli\u003eC:\\ssh\\\u003c/li\u003e\n\u003cli\u003eC:\\perflogs\\admin\\servermanager\\ssh\\\u003c/li\u003e\n\u003cli\u003eC:\\perflogs\\admin\\servermanager\\\u003c/li\u003e\n\u003cli\u003eC:\\perflogs\\admin\\\u003c/li\u003e\n\u003cli\u003eC:\\perflogs\\\u003c/li\u003e\n\u003cli\u003eC:\\cpqsystem\\\u003c/li\u003e\n\u003cli\u003eC:\\hp\\hpdiags\\\u003c/li\u003e\n\u003cli\u003eC:\\hp\\bin\\log\\\u003c/li\u003e\n\u003c/ul\u003e\n\u003c/td\u003e\n\u003c/tr\u003e\n\u003c/tbody\u003e\n\u003c/table\u003e\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003c/div\u003e\n\u003cp style\u003d\"text-align:center\"\u003e\u003cspan style\u003d\"color:#5f6368;display:block;font-size:16px;font-style:italic;margin-top:8px;width:100%\"\u003eTable 1: TRITON actor methodology and discovery strategies\u003c/span\u003e\u003c/p\u003e\n\u003ch4\u003eOutlook\u003c/h4\u003e\n\u003cp\u003eThere is often a singular focus from the security community on ICS malware largely due to its novel nature and the fact that there are very few examples found in the wild. 
While this attention is useful for a variety of reasons, we argue that defenders and incident responders should focus more attention on so-called \"conduit\" systems when trying to identify or stop ICS-focused intrusions.\u003c/p\u003e\n\u003cp\u003eIn an attempt to raise community awareness surrounding this actor\u2019s capabilities and activities between 2014 and 2017\u2014an effort compounded in importance by our discovery of the threat actor in a second critical infrastructure facility\u2014we have shared a sampling of what we know about the group's TTPs and custom tooling. We encourage ICS asset owners to leverage the detection rules and other information included in this report to hunt for related activity as we believe there is a good chance the threat actor was or is present in other target networks.\u003c/p\u003e\n\u003cp\u003eFor IT and OT incident response support, please contact \u003ca href\u003d\"https://www.mandiant.com/advantage\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eFireEye Mandiant\u003c/a\u003e. For more in-depth analysis of TRITON and other cyber threats, consider subscribing to \u003ca href\u003d\"https://cloud.google.com/security/products/threat-intelligence\" rel\u003d\"noopener\" target\u003d\"_blank\"\u003eFireEye Cyber Threat Intelligence\u003c/a\u003e.\u003c/p\u003e\n\u003cp\u003eFireEye\u2019s SmartVision technology, which searches for attackers during lateral movement activities by monitoring east-west traffic in IT and OT networks, reduces the risk of an attack reaching sensitive ICS processes. 
This is particularly relevant for sophisticated ICS-related intrusions as attackers typically move from corporate IT to OT networks through systems that were accessible to both environments, far beyond perimeter defenses.\u003c/p\u003e\n\u003ch4\u003eAppendices\u003c/h4\u003e\n\u003cul\u003e\n\u003cli\u003eAppendix A: Discovery Rules\u003c/li\u003e\n\u003cli\u003eAppendix B: Technical Analysis of Custom Attack Tools\u003c/li\u003e\n\u003cli\u003eAppendix C: MITRE ATT\u0026amp;CK JSON Raw Data\u003c/li\u003e\n\u003c/ul\u003e"]]]],[["Threat Intelligence","Signals of Trouble: Multiple Russia-Aligned Threat Actors Actively Targeting Signal Messenger","Russia state-aligned threat actors target Signal Messenger accounts used by individuals of interest to Russia's intelligence services.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png"],null,15,null,"https://cloud.google.com/blog/topics/threat-intelligence/russia-targeting-signal-messenger",null,1,[["Google Threat Intelligence Group "]],null,"56062"],["Threat Intelligence","Cybercrime: A Multifaceted National Security Threat","Google Threat Intelligence Group discusses the current state of cybercrime, and why it must be considered a national security threat.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-400x400.png 324w, 
https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png"],null,25,null,"https://cloud.google.com/blog/topics/threat-intelligence/cybercrime-multifaceted-national-security-threat",null,1,[["Google Threat Intelligence Group "]],null,"56023"],["Threat Intelligence","Using capa Rules for Android Malware Detection","Android and Mandiant have improved existing and developed new capa rules to detect capabilities observed in Android malware.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png 648w"," 324px, 648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png"],null,13,null,"https://cloud.google.com/blog/topics/threat-intelligence/capa-rules-android-malware-detection",null,1,[["Lin Chen"]],null,"55999"],["Threat Intelligence","CVE-2023-6080: A Case Study on Third-Party Installer Abuse","Mandiant exploited flaws in the Microsoft Software Installer repair action of Lakeside Software's SysTrack installer to obtain arbitrary code execution.",["https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png","https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-400x400.png 324w, https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png 648w"," 324px, 
648px","https://storage.googleapis.com/gweb-cloudblog-publish/images/03_ThreatIntelligenceWebsiteBannerIdeas_BANN.max-700x700.png"],null,7,null,"https://cloud.google.com/blog/topics/threat-intelligence/cve-2023-6080-third-party-installer-abuse",null,1,[["Mandiant "]],null,"55981"]],null,"Threat Intelligence",null,[["Threat Intelligence","https://cloud.google.com/blog/topics/threat-intelligence","threat-intelligence"],["Security \u0026 Identity","https://cloud.google.com/blog/products/identity-security","identity-security"]],null,null,14], sideChannel: {}});</script><script id="wiz_jd" nonce="pPuvw5Srdj0z5N266Gn3nw">if (window['_wjdc']) {const wjd = {}; window['_wjdc'](wjd); delete window['_wjdc'];}</script><script aria-hidden="true" id="WIZ-footer" nonce="pPuvw5Srdj0z5N266Gn3nw">window.wiz_progress&&window.wiz_progress(); window.stopScanForCss&&window.stopScanForCss(); ccTick('bl');</script></body></html><footer id="ZCHFDb"><footer class="nRhiJb-RWrDld nRhiJb-yePe5c QJnbF" jscontroller="NsSboe" track-metadata-module="footer"><h3 class="nRhiJb-VqCwd-L6cTce">Footer Links</h3><section class="nRhiJb-haF9Wb r2W5Od"><section class="nRhiJb-DX2B6"><div class="nRhiJb-j5y3u"><h4 class="nRhiJb-BkAck nRhiJb-BkAck-OWXEXe-TzA9Ye">Follow us</h4><ul class="nRhiJb-Qijihe c3Uqdd" role="list"><li class="nRhiJb-KKXgde"><a class="nRhiJb-ARYxNe" href="https://www.x.com/googlecloud" target="_blank" rel="noopener" track-name="x"track-type="social link"track-metadata-position="footer"track-metadata-eventdetail="www.x.com/googlecloud"track-metadata-module="footer"track-metadata-module_headline="follow us"><svg class="nRhiJb-Bz112c nRhiJb-Bz112c-OWXEXe-xgZe3c nRhiJb-Bz112c-OWXEXe-DX2B6" viewBox="0 0 24 24" role="presentation" aria-hidden="true"><path d="M13.9,10.5L21.1,2h-1.7l-6.3,7.4L8,2H2.2l7.6,11.1L2.2,22h1.7l6.7-7.8L16,22h5.8L13.9,10.5L13.9,10.5z M11.5,13.2l-0.8-1.1 L4.6,3.3h2.7l5,7.1l0.8,1.1l6.5,9.2h-2.7L11.5,13.2L11.5,13.2z"></path></svg></a></li><li class="nRhiJb-KKXgde"><a 
