Scheduled Task/Job: Scheduled Task, Sub-technique T1053.005 - Enterprise | MITRE ATT&CK®
href="/versions/v15/resources/engage-with-attack/contact/">Engage with ATT&CK</a> <a class="dropdown-item" href="/resources/versions/">Version History</a> <a class="dropdown-item" href="/versions/v15/resources/legal-and-branding/">Legal & Branding</a> </div> </li> <li class="nav-item"> <a href="/versions/v15/resources/engage-with-attack/benefactors/" class="nav-link" ><b>Benefactors</b></a> </li> <li class="nav-item"> <a href="https://medium.com/mitre-attack/" target="_blank" class="nav-link"> <b>Blog</b> <img src="/versions/v15/theme/images/external-site.svg" alt="External site" class="external-icon" /> </a> </li> <li class="nav-item"> <button id="search-button" class="btn search-button">Search <div id="search-icon" class="icon-button search-icon"></div></button> </li> </ul> </div> </nav> </header> </div> <div class="row flex-grow-0 flex-shrink-1"> <!-- banner elements --> <div class="col px-0"> <!-- don't edit or remove the line below even though it's commented out, it gets parsed and replaced by the versioning feature --> <div class="container-fluid version-banner"><div class="icon-inline baseline mr-1"><img src="/versions/v15/theme/images/icon-warning-24px.svg"></div>Currently viewing <a href="https://github.com/mitre/cti/releases/tag/ATT%26CK-v15.1" target="_blank">ATT&CK v15.1</a> which was live between April 23, 2024 and October 30, 2024. 
<a href="/resources/versions/">Learn more about the versioning system</a> or <a href="/">see the live site</a>.</div> </div> </div> <div class="row flex-grow-1 flex-shrink-0"> <!-- main content elements --> <!--start-indexing-for-search--> <div class="sidebar nav sticky-top flex-column pr-0 pt-4 pb-3 pl-3" id="v-tab" role="tablist" aria-orientation="vertical"> <div class="resizer" id="resizer"></div> <!--stop-indexing-for-search--> <div id="sidebars"></div> <!--start-indexing-for-search--> </div> <div class="tab-content col-xl-9 pt-4" id="v-tabContent"> <div class="tab-pane fade show active" id="v-attckmatrix" role="tabpanel" aria-labelledby="v-attckmatrix-tab"> <ol class="breadcrumb"> <li class="breadcrumb-item"><a href="/versions/v15/">Home</a></li> <li class="breadcrumb-item"><a href="/versions/v15/techniques/enterprise">Techniques</a></li> <li class="breadcrumb-item"><a href="/versions/v15/techniques/enterprise">Enterprise</a></li> <li class="breadcrumb-item"><a href="/versions/v15/techniques/T1053">Scheduled Task/Job</a></li> <li class="breadcrumb-item">Scheduled Task</li> </ol> <div class="tab-pane fade show active" id="v-" role="tabpanel" aria-labelledby="v--tab"></div> <div class="row"> <div class="col-xl-12"> <div class="jumbotron jumbotron-fluid"> <div class="container-fluid"> <h1 id=""> <span id="subtechnique-parent-name">Scheduled Task/Job:</span> Scheduled Task </h1> <div class="row"> <div class="col-md-8"> <!--stop-indexing-for-search--> <div class="card-block pb-2"> <div class="card"> <div class="card-header collapsed" id="subtechniques-card-header" data-toggle="collapse" data-target="#subtechniques-card-body" aria-expanded="false" aria-controls="subtechniques-card-body"> <h5 class="mb-0" id ="sub-techniques">Other sub-techniques of Scheduled Task/Job (5)</h5> </div> <div id="subtechniques-card-body" class="card-body p-0 collapse" aria-labelledby="subtechniques-card-header"> <table class="table table-bordered"> <thead> <tr> <th scope="col">ID</th> 
<th scope="col">Name</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v15/techniques/T1053/002/" class="subtechnique-table-item" data-subtechnique_id="T1053.002"> T1053.002 </a> </td> <td> <a href="/versions/v15/techniques/T1053/002/" class="subtechnique-table-item" data-subtechnique_id="T1053.002"> At </a> </td> </tr> <tr> <td> <a href="/versions/v15/techniques/T1053/003/" class="subtechnique-table-item" data-subtechnique_id="T1053.003"> T1053.003 </a> </td> <td> <a href="/versions/v15/techniques/T1053/003/" class="subtechnique-table-item" data-subtechnique_id="T1053.003"> Cron </a> </td> </tr> <tr> <td class="active"> T1053.005 </td> <td class="active"> Scheduled Task </td> </tr> <tr> <td> <a href="/versions/v15/techniques/T1053/006/" class="subtechnique-table-item" data-subtechnique_id="T1053.006"> T1053.006 </a> </td> <td> <a href="/versions/v15/techniques/T1053/006/" class="subtechnique-table-item" data-subtechnique_id="T1053.006"> Systemd Timers </a> </td> </tr> <tr> <td> <a href="/versions/v15/techniques/T1053/007/" class="subtechnique-table-item" data-subtechnique_id="T1053.007"> T1053.007 </a> </td> <td> <a href="/versions/v15/techniques/T1053/007/" class="subtechnique-table-item" data-subtechnique_id="T1053.007"> Container Orchestration Job </a> </td> </tr> </tbody> </table> </div> </div> </div> <!--start-indexing-for-search--> <div class="description-body"> <p>Adversaries may abuse the Windows Task Scheduler to perform task scheduling for initial or recurring execution of malicious code. There are multiple ways to access the Task Scheduler in Windows. The <a href="/versions/v15/software/S0111">schtasks</a> utility can be run directly on the command line, or the Task Scheduler can be opened through the GUI within the Administrator Tools section of the Control Panel. 
Adversaries have also created tasks programmatically, through a .NET wrapper for the Windows Task Scheduler or through the Windows netapi32 library, so task creation need not involve a <code>schtasks.exe</code> process or the GUI at all.</p><p>The deprecated <a href="/versions/v15/software/S0110">at</a> utility could also be abused by adversaries (ex: <a href="/versions/v15/techniques/T1053/002">At</a>), though <code>at.exe</code> cannot access tasks created with <code>schtasks</code> or the Control Panel.</p><p>An adversary may use Windows Task Scheduler to execute programs at system startup or on a scheduled basis for persistence. The Windows Task Scheduler can also be abused to conduct remote Execution as part of Lateral Movement and/or to run a process under the context of a specified account (such as SYSTEM). Similar to <a href="/versions/v15/techniques/T1218">System Binary Proxy Execution</a>, adversaries have also abused the Windows Task Scheduler to mask one-time execution under signed/trusted system processes.<span onclick=scrollToRef('scite-1') id="scite-ref-1-a" class="scite-citeref-number" title="Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022."data-reference="ProofPoint Serpent"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain" target="_blank" data-hasqtip="0" aria-describedby="qtip-0">[1]</a></sup></span></p><p>Adversaries may also create "hidden" scheduled tasks (i.e. <a href="/versions/v15/techniques/T1564">Hide Artifacts</a>) that may not be visible to defender tools and manual queries used to enumerate tasks. 
Specifically, an adversary may hide a task from <code>schtasks /query</code> and the Task Scheduler UI by deleting the Security Descriptor (SD) registry value stored under the task's registry key; deleting this value requires SYSTEM privileges. The deletion is itself an observable event, so registry-value-deletion telemetry on the SD value (the basis of the cited Sigma rule) gives defenders a practical detection for this evasion.<span onclick=scrollToRef('scite-2') id="scite-ref-2-a" class="scite-citeref-number" title="Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule Task - Registry. Retrieved June 1, 2022."data-reference="SigmaHQ"><sup><a href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml" target="_blank" data-hasqtip="1" aria-describedby="qtip-1">[2]</a></sup></span><span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022."data-reference="Tarrask scheduled task"><sup><a href="https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span> Adversaries may also employ alternate methods to hide tasks, such as altering the metadata (e.g., the <code>Index</code> value) within the associated registry keys.<span onclick=scrollToRef('scite-4') id="scite-ref-4-a" class="scite-citeref-number" title="Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled Tasks. 
Retrieved July 5, 2022."data-reference="Defending Against Scheduled Task Attacks in Windows Environments"><sup><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments" target="_blank" data-hasqtip="3" aria-describedby="qtip-3">[4]</a></sup></span> </p> </div> </div> <div class="col-md-4"> <div class="card"> <div class="card-body"> <div class="row card-data" id="card-id"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">ID: </span>T1053.005 </div> </div> <!--stop-indexing-for-search--> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Sub-technique of: </span> <a href="/versions/v15/techniques/T1053">T1053</a> </div> </div> <!--start-indexing-for-search--> <div id="card-tactics" class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The tactic objectives that the (sub-)technique can be used to accomplish">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Tactics:</span> <a href="/versions/v15/tactics/TA0002">Execution</a>, <a href="/versions/v15/tactics/TA0003">Persistence</a>, <a href="/versions/v15/tactics/TA0004">Privilege Escalation</a> </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The system an adversary is operating within; could be an operating system or application">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Platforms: </span>Windows </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="The lowest level of 
permissions the adversary is required to be operating within to perform the (sub-)technique on a system">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Permissions Required: </span>Administrator </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"> <span data-toggle="tooltip" data-placement="left" title="" data-test-ignore="true" data-original-title="If the (sub-)technique can invoke an instance of itself remotely without relying on external tools/techniques">ⓘ</span> </div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Supports Remote: </span> Yes </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Contributors: </span>Andrew Northern, @ex_raritas; Bryan Campbell, @bry_campbell; Selena Larson, @selenalarson; Sittikorn Sangrattanapitak; Zachary Abzug, @ZackDoesML </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Version: </span>1.5 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Created: </span>27 November 2019 </div> </div> <div class="row card-data"> <div class="col-md-1 px-0 text-center"></div> <div class="col-md-11 pl-0"> <span class="h5 card-title">Last Modified: </span>15 November 2023 </div> </div> </div> </div> <div class="text-center pt-2 version-button permalink"> <div class="live"> <a data-toggle="tooltip" data-placement="bottom" title="Permalink to this version of T1053.005" href="/versions/v15/techniques/T1053/005/" data-test-ignore="true">Version Permalink</a> </div> <div class="permalink"> <a data-toggle="tooltip" data-placement="bottom" title="Go to the live version of T1053.005" href="/techniques/T1053/005/" data-test-ignore="true">Live Version</a><!--do not change this line without also changing 
versions.py--> </div> </div> </div> </div> <h2 class="pt-3" id ="examples">Procedure Examples</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Name</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v15/campaigns/C0034"> C0034 </a> </td> <td> <a href="/versions/v15/campaigns/C0034"> 2022 Ukraine Electric Power Attack </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0034">2022 Ukraine Electric Power Attack</a>, <a href="/versions/v15/groups/G0034">Sandworm Team</a> leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute <a href="/versions/v15/software/S0693">CaddyWiper</a> at a predetermined time.<span onclick=scrollToRef('scite-5') id="scite-ref-5-a" class="scite-citeref-number" title="Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024."data-reference="Mandiant-Sandworm-Ukraine-2022"><sup><a href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank" data-hasqtip="4" aria-describedby="qtip-4">[5]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0331"> S0331 </a> </td> <td> <a href="/versions/v15/software/S0331"> Agent Tesla </a> </td> <td> <p><a href="/versions/v15/software/S0331">Agent Tesla</a> has achieved persistence via scheduled tasks.<span onclick=scrollToRef('scite-6') id="scite-ref-6-a" class="scite-citeref-number" title="Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. 
Retrieved December 11, 2020."data-reference="SentinelLabs Agent Tesla Aug 2020"><sup><a href="https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/" target="_blank" data-hasqtip="5" aria-describedby="qtip-5">[6]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0504"> S0504 </a> </td> <td> <a href="/versions/v15/software/S0504"> Anchor </a> </td> <td> <p><a href="/versions/v15/software/S0504">Anchor</a> can create a scheduled task for persistence.<span onclick=scrollToRef('scite-7') id="scite-ref-7-a" class="scite-citeref-number" title="Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020."data-reference="Cyberreason Anchor December 2019"><sup><a href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank" data-hasqtip="6" aria-describedby="qtip-6">[7]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0584"> S0584 </a> </td> <td> <a href="/versions/v15/software/S0584"> AppleJeus </a> </td> <td> <p><a href="/versions/v15/software/S0584">AppleJeus</a> has created a scheduled SYSTEM task that runs when a user logs in.<span onclick=scrollToRef('scite-8') id="scite-ref-8-a" class="scite-citeref-number" title="Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. 
Retrieved March 1, 2021."data-reference="CISA AppleJeus Feb 2021"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank" data-hasqtip="7" aria-describedby="qtip-7">[8]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0099"> G0099 </a> </td> <td> <a href="/versions/v15/groups/G0099"> APT-C-36 </a> </td> <td> <p><a href="/versions/v15/groups/G0099">APT-C-36</a> has used a macro function to set scheduled tasks, disguised as those used by Google.<span onclick=scrollToRef('scite-9') id="scite-ref-9-a" class="scite-citeref-number" title="QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020."data-reference="QiAnXin APT-C-36 Feb2019"><sup><a href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank" data-hasqtip="8" aria-describedby="qtip-8">[9]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0016"> G0016 </a> </td> <td> <a href="/versions/v15/groups/G0016"> APT29 </a> </td> <td> <p><a href="/versions/v15/groups/G0016">APT29</a> has used named and hijacked scheduled tasks to establish persistence.<span onclick=scrollToRef('scite-10') id="scite-ref-10-a" class="scite-citeref-number" title="Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. 
Retrieved October 4, 2016."data-reference="Mandiant No Easy Breach"><sup><a href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank" data-hasqtip="9" aria-describedby="qtip-9">[10]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0022"> G0022 </a> </td> <td> <a href="/versions/v15/groups/G0022"> APT3 </a> </td> <td> <p>An <a href="/versions/v15/groups/G0022">APT3</a> downloader establishes persistence by creating the following scheduled task, which runs the dropped payload as SYSTEM at each logon: <code>schtasks /create /tn "mysc" /tr C:\Users\Public\test.exe /sc ONLOGON /ru "System"</code>.<span onclick=scrollToRef('scite-11') id="scite-ref-11-a" class="scite-citeref-number" title="Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016."data-reference="FireEye Operation Double Tap"><sup><a href="https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html" target="_blank" data-hasqtip="10" aria-describedby="qtip-10">[11]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0050"> G0050 </a> </td> <td> <a href="/versions/v15/groups/G0050"> APT32 </a> </td> <td> <p><a href="/versions/v15/groups/G0050">APT32</a> has used scheduled tasks to persist on victim systems.<span onclick=scrollToRef('scite-12') id="scite-ref-12-a" class="scite-citeref-number" title="Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017."data-reference="FireEye APT32 May 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank" data-hasqtip="11" aria-describedby="qtip-11">[12]</a></sup></span><span onclick=scrollToRef('scite-13') id="scite-ref-13-a" class="scite-citeref-number" title="Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. 
Retrieved November 5, 2018."data-reference="Cybereason Oceanlotus May 2017"><sup><a href="https://www.cybereason.com/blog/operation-cobalt-kitty-apt" target="_blank" data-hasqtip="12" aria-describedby="qtip-12">[13]</a></sup></span><span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span><span onclick=scrollToRef('scite-15') id="scite-ref-15-a" class="scite-citeref-number" title="Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019."data-reference="ESET OceanLotus Mar 2019"><sup><a href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank" data-hasqtip="14" aria-describedby="qtip-14">[15]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0064"> G0064 </a> </td> <td> <a href="/versions/v15/groups/G0064"> APT33 </a> </td> <td> <p><a href="/versions/v15/groups/G0064">APT33</a> has created a scheduled task to execute a .vbe file multiple times a day.<span onclick=scrollToRef('scite-16') id="scite-ref-16-a" class="scite-citeref-number" title="Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. 
Retrieved April 10, 2019."data-reference="Symantec Elfin Mar 2019"><sup><a href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank" data-hasqtip="15" aria-describedby="qtip-15">[16]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0067"> G0067 </a> </td> <td> <a href="/versions/v15/groups/G0067"> APT37 </a> </td> <td> <p><a href="/versions/v15/groups/G0067">APT37</a> has created scheduled tasks to run malicious scripts on a compromised host.<span onclick=scrollToRef('scite-17') id="scite-ref-17-a" class="scite-citeref-number" title="Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021."data-reference="Volexity InkySquid RokRAT August 2021"><sup><a href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" target="_blank" data-hasqtip="16" aria-describedby="qtip-16">[17]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0082"> G0082 </a> </td> <td> <a href="/versions/v15/groups/G0082"> APT38 </a> </td> <td> <p><a href="/versions/v15/groups/G0082">APT38</a> has used Task Scheduler to run programs at system startup or on a scheduled basis for persistence.<span onclick=scrollToRef('scite-18') id="scite-ref-18-a" class="scite-citeref-number" title="DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. 
Retrieved September 29, 2021."data-reference="CISA AA20-239A BeagleBoyz August 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a" target="_blank" data-hasqtip="17" aria-describedby="qtip-17">[18]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0087"> G0087 </a> </td> <td> <a href="/versions/v15/groups/G0087"> APT39 </a> </td> <td> <p><a href="/versions/v15/groups/G0087">APT39</a> has created scheduled tasks for persistence.<span onclick=scrollToRef('scite-19') id="scite-ref-19-a" class="scite-citeref-number" title="Hawley et al. (2019, January 29). APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019."data-reference="FireEye APT39 Jan 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank" data-hasqtip="18" aria-describedby="qtip-18">[19]</a></sup></span><span onclick=scrollToRef('scite-20') id="scite-ref-20-a" class="scite-citeref-number" title="Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020."data-reference="BitDefender Chafer May 2020"><sup><a href="https://www.bitdefender.com/blog/labs/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/" target="_blank" data-hasqtip="19" aria-describedby="qtip-19">[20]</a></sup></span><span onclick=scrollToRef('scite-21') id="scite-ref-21-a" class="scite-citeref-number" title="FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. 
Retrieved December 10, 2020."data-reference="FBI FLASH APT39 September 2020"><sup><a href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank" data-hasqtip="20" aria-describedby="qtip-20">[21]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0096"> G0096 </a> </td> <td> <a href="/versions/v15/groups/G0096"> APT41 </a> </td> <td> <p><a href="/versions/v15/groups/G0096">APT41</a> used a compromised account to create a scheduled task on a system.<span onclick=scrollToRef('scite-22') id="scite-ref-22-a" class="scite-citeref-number" title="Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019."data-reference="FireEye APT41 Aug 2019"><sup><a href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank" data-hasqtip="21" aria-describedby="qtip-21">[22]</a></sup></span><span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020."data-reference="Crowdstrike GTR2020 Mar 2020"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1087"> S1087 </a> </td> <td> <a href="/versions/v15/software/S1087"> AsyncRAT </a> </td> <td> <p><a href="/versions/v15/software/S1087">AsyncRAT</a> can create a scheduled task to maintain persistence on system start-up.<span onclick=scrollToRef('scite-24') id="scite-ref-24-a" class="scite-citeref-number" title="Jornet, A. (2021, December 23). Snip3, an investigation into malware. 
Retrieved September 19, 2023."data-reference="Telefonica Snip3 December 2021"><sup><a href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank" data-hasqtip="23" aria-describedby="qtip-23">[24]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0438"> S0438 </a> </td> <td> <a href="/versions/v15/software/S0438"> Attor </a> </td> <td> <p><a href="/versions/v15/software/S0438">Attor</a>'s installer plugin can schedule a new task that loads the dispatcher on boot/logon.<span onclick=scrollToRef('scite-25') id="scite-ref-25-a" class="scite-citeref-number" title="Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020."data-reference="ESET Attor Oct 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank" data-hasqtip="24" aria-describedby="qtip-24">[25]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0414"> S0414 </a> </td> <td> <a href="/versions/v15/software/S0414"> BabyShark </a> </td> <td> <p><a href="/versions/v15/software/S0414">BabyShark</a> has used scheduled tasks to maintain persistence.<span onclick=scrollToRef('scite-23') id="scite-ref-23-a" class="scite-citeref-number" title="Crowdstrike. (2020, March 2). 2020 Global Threat Report. 
Retrieved December 11, 2020."data-reference="Crowdstrike GTR2020 Mar 2020"><sup><a href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank" data-hasqtip="22" aria-describedby="qtip-22">[23]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0475"> S0475 </a> </td> <td> <a href="/versions/v15/software/S0475"> BackConfig </a> </td> <td> <p><a href="/versions/v15/software/S0475">BackConfig</a> has the ability to use scheduled tasks to repeatedly execute malicious payloads on a compromised host.<span onclick=scrollToRef('scite-26') id="scite-ref-26-a" class="scite-citeref-number" title="Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020."data-reference="Unit 42 BackConfig May 2020"><sup><a href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank" data-hasqtip="25" aria-describedby="qtip-25">[26]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0606"> S0606 </a> </td> <td> <a href="/versions/v15/software/S0606"> Bad Rabbit </a> </td> <td> <p><a href="/versions/v15/software/S0606">Bad Rabbit</a>’s <code>infpub.dat</code> file creates a scheduled task to launch a malicious executable.<span onclick=scrollToRef('scite-27') id="scite-ref-27-a" class="scite-citeref-number" title="Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. 
Retrieved January 28, 2021."data-reference="Secure List Bad Rabbit"><sup><a href="https://securelist.com/bad-rabbit-ransomware/82851/" target="_blank" data-hasqtip="26" aria-describedby="qtip-26">[27]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1081"> S1081 </a> </td> <td> <a href="/versions/v15/software/S1081"> BADHATCH </a> </td> <td> <p><a href="/versions/v15/software/S1081">BADHATCH</a> can use <code>schtasks.exe</code> to gain persistence.<span onclick=scrollToRef('scite-28') id="scite-ref-28-a" class="scite-citeref-number" title="Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021."data-reference="BitDefender BADHATCH Mar 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" target="_blank" data-hasqtip="27" aria-describedby="qtip-27">[28]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0128"> S0128 </a> </td> <td> <a href="/versions/v15/software/S0128"> BADNEWS </a> </td> <td> <p><a href="/versions/v15/software/S0128">BADNEWS</a> creates a scheduled task to establish persistence by executing a malicious payload every subsequent minute.<span onclick=scrollToRef('scite-29') id="scite-ref-29-a" class="scite-citeref-number" title="Levene, B. et al. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. 
Retrieved March 31, 2018."data-reference="PaloAlto Patchwork Mar 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" target="_blank" data-hasqtip="28" aria-describedby="qtip-28">[29]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0534"> S0534 </a> </td> <td> <a href="/versions/v15/software/S0534"> Bazar </a> </td> <td> <p><a href="/versions/v15/software/S0534">Bazar</a> can create a scheduled task for persistence.<span onclick=scrollToRef('scite-30') id="scite-ref-30-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020."data-reference="Cybereason Bazar July 2020"><sup><a href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank" data-hasqtip="29" aria-describedby="qtip-29">[30]</a></sup></span><span onclick=scrollToRef('scite-31') id="scite-ref-31-a" class="scite-citeref-number" title="Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020."data-reference="NCC Group Team9 June 2020"><sup><a href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank" data-hasqtip="30" aria-describedby="qtip-30">[31]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1002"> G1002 </a> </td> <td> <a href="/versions/v15/groups/G1002"> BITTER </a> </td> <td> <p><a href="/versions/v15/groups/G1002">BITTER</a> has used scheduled tasks for persistence and execution.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. 
Retrieved June 1, 2022."data-reference="Cisco Talos Bitter Bangladesh May 2022"><sup><a href="https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0108"> G0108 </a> </td> <td> <a href="/versions/v15/groups/G0108"> Blue Mockingbird </a> </td> <td> <p><a href="/versions/v15/groups/G0108">Blue Mockingbird</a> has used Windows Scheduled Tasks to establish persistence on local and remote hosts.<span onclick=scrollToRef('scite-33') id="scite-ref-33-a" class="scite-citeref-number" title="Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020."data-reference="RedCanary Mockingbird May 2020"><sup><a href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank" data-hasqtip="32" aria-describedby="qtip-32">[33]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0360"> S0360 </a> </td> <td> <a href="/versions/v15/software/S0360"> BONDUPDATER </a> </td> <td> <p><a href="/versions/v15/software/S0360">BONDUPDATER</a> persists using a scheduled task that executes every minute.<span onclick=scrollToRef('scite-34') id="scite-ref-34-a" class="scite-citeref-number" title="Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. 
Retrieved February 18, 2019."data-reference="Palo Alto OilRig Sep 2018"><sup><a href="https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" target="_blank" data-hasqtip="33" aria-describedby="qtip-33">[34]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0060"> G0060 </a> </td> <td> <a href="/versions/v15/groups/G0060"> BRONZE BUTLER </a> </td> <td> <p><a href="/versions/v15/groups/G0060">BRONZE BUTLER</a> has used <a href="/versions/v15/software/S0111">schtasks</a> to register a scheduled task to execute malware during lateral movement.<span onclick=scrollToRef('scite-35') id="scite-ref-35-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018."data-reference="Secureworks BRONZE BUTLER Oct 2017"><sup><a href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank" data-hasqtip="34" aria-describedby="qtip-34">[35]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1039"> S1039 </a> </td> <td> <a href="/versions/v15/software/S1039"> Bumblebee </a> </td> <td> <p><a href="/versions/v15/software/S1039">Bumblebee</a> can achieve persistence by copying its DLL to a subdirectory of %APPDATA% and creating a Visual Basic Script that will load the DLL via a scheduled task.<span onclick=scrollToRef('scite-36') id="scite-ref-36-a" class="scite-citeref-number" title="Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. 
Retrieved August 22, 2022."data-reference="Proofpoint Bumblebee April 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" target="_blank" data-hasqtip="35" aria-describedby="qtip-35">[36]</a></sup></span><span onclick=scrollToRef('scite-37') id="scite-ref-37-a" class="scite-citeref-number" title="Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022."data-reference="Symantec Bumblebee June 2022"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime" target="_blank" data-hasqtip="36" aria-describedby="qtip-36">[37]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0017"> C0017 </a> </td> <td> <a href="/versions/v15/campaigns/C0017"> C0017 </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0017">C0017</a>, <a href="/versions/v15/groups/G0096">APT41</a> used the following Windows scheduled tasks for DEADEYE dropper persistence on US state government networks: <code>\Microsoft\Windows\PLA\Server Manager Performance Monitor</code>, <code>\Microsoft\Windows\Ras\ManagerMobility</code>, <code>\Microsoft\Windows\WDI\SrvSetupResults</code>, and <code>\Microsoft\Windows\WDI\USOShared</code>.<span onclick=scrollToRef('scite-38') id="scite-ref-38-a" class="scite-citeref-number" title="Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. 
Retrieved July 8, 2022."data-reference="Mandiant APT41"><sup><a href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank" data-hasqtip="37" aria-describedby="qtip-37">[38]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0032"> C0032 </a> </td> <td> <a href="/versions/v15/campaigns/C0032"> C0032 </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0032">C0032</a> campaign, <a href="/versions/v15/groups/G0088">TEMP.Veles</a> used scheduled task XML triggers.<span onclick=scrollToRef('scite-39') id="scite-ref-39-a" class="scite-citeref-number" title="Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019."data-reference="FireEye TRITON 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" target="_blank" data-hasqtip="38" aria-describedby="qtip-38">[39]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0335"> S0335 </a> </td> <td> <a href="/versions/v15/software/S0335"> Carbon </a> </td> <td> <p><a href="/versions/v15/software/S0335">Carbon</a> creates several tasks for later execution to continue persistence on the victim’s machine.<span onclick=scrollToRef('scite-40') id="scite-ref-40-a" class="scite-citeref-number" title="ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. 
Retrieved November 7, 2018."data-reference="ESET Carbon Mar 2017"><sup><a href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank" data-hasqtip="39" aria-describedby="qtip-39">[40]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1043"> S1043 </a> </td> <td> <a href="/versions/v15/software/S1043"> ccf32 </a> </td> <td> <p><a href="/versions/v15/software/S1043">ccf32</a> can run on a daily basis using a scheduled task.<span onclick=scrollToRef('scite-41') id="scite-ref-41-a" class="scite-citeref-number" title="Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022."data-reference="Bitdefender FunnyDream Campaign November 2020"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank" data-hasqtip="40" aria-describedby="qtip-40">[41]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0114"> G0114 </a> </td> <td> <a href="/versions/v15/groups/G0114"> Chimera </a> </td> <td> <p><a href="/versions/v15/groups/G0114">Chimera</a> has used scheduled tasks to invoke Cobalt Strike including through batch script <code>schtasks /create /ru "SYSTEM" /tn "update" /tr "cmd /c c:\windows\temp\update.bat" /sc once /f /st</code> and to maintain persistence.<span onclick=scrollToRef('scite-42') id="scite-ref-42-a" class="scite-citeref-number" title="Cycraft. (2020, April 15). APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020."data-reference="Cycraft Chimera April 2020"><sup><a href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank" data-hasqtip="41" aria-describedby="qtip-41">[42]</a></sup></span><span onclick=scrollToRef('scite-43') id="scite-ref-43-a" class="scite-citeref-number" title="Jansen, W . (2021, January 12). 
Abusing cloud services to fly under the radar. Retrieved January 19, 2021."data-reference="NCC Group Chimera January 2021"><sup><a href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank" data-hasqtip="42" aria-describedby="qtip-42">[43]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0080"> G0080 </a> </td> <td> <a href="/versions/v15/groups/G0080"> Cobalt Group </a> </td> <td> <p><a href="/versions/v15/groups/G0080">Cobalt Group</a> has created Windows tasks to establish persistence.<span onclick=scrollToRef('scite-44') id="scite-ref-44-a" class="scite-citeref-number" title="Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018."data-reference="Group IB Cobalt Aug 2017"><sup><a href="https://www.group-ib.com/blog/cobalt" target="_blank" data-hasqtip="43" aria-describedby="qtip-43">[44]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0126"> S0126 </a> </td> <td> <a href="/versions/v15/software/S0126"> ComRAT </a> </td> <td> <p><a href="/versions/v15/software/S0126">ComRAT</a> has used a scheduled task to launch its PowerShell loader.<span onclick=scrollToRef('scite-45') id="scite-ref-45-a" class="scite-citeref-number" title="Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020."data-reference="ESET ComRAT May 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank" data-hasqtip="44" aria-describedby="qtip-44">[45]</a></sup></span><span onclick=scrollToRef('scite-46') id="scite-ref-46-a" class="scite-citeref-number" title="CISA. (2020, October 29). Malware Analysis Report (AR20-303A). 
Retrieved December 9, 2020."data-reference="CISA ComRAT Oct 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a" target="_blank" data-hasqtip="45" aria-describedby="qtip-45">[46]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0142"> G0142 </a> </td> <td> <a href="/versions/v15/groups/G0142"> Confucius </a> </td> <td> <p><a href="/versions/v15/groups/G0142">Confucius</a> has created scheduled tasks to maintain persistence on a compromised host.<span onclick=scrollToRef('scite-47') id="scite-ref-47-a" class="scite-citeref-number" title="Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021."data-reference="TrendMicro Confucius APT Aug 2021"><sup><a href="https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" target="_blank" data-hasqtip="46" aria-describedby="qtip-46">[47]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0050"> S0050 </a> </td> <td> <a href="/versions/v15/software/S0050"> CosmicDuke </a> </td> <td> <p><a href="/versions/v15/software/S0050">CosmicDuke</a> uses scheduled tasks typically named "Watchmon Service" for persistence.<span onclick=scrollToRef('scite-48') id="scite-ref-48-a" class="scite-citeref-number" title="F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. 
Retrieved July 3, 2014."data-reference="F-Secure Cosmicduke"><sup><a href="https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf" target="_blank" data-hasqtip="47" aria-describedby="qtip-47">[48]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0004"> C0004 </a> </td> <td> <a href="/versions/v15/campaigns/C0004"> CostaRicto </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0004">CostaRicto</a>, the threat actors used scheduled tasks to download backdoor tools.<span onclick=scrollToRef('scite-49') id="scite-ref-49-a" class="scite-citeref-number" title="The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021."data-reference="BlackBerry CostaRicto November 2020"><sup><a href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank" data-hasqtip="48" aria-describedby="qtip-48">[49]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0046"> S0046 </a> </td> <td> <a href="/versions/v15/software/S0046"> CozyCar </a> </td> <td> <p>One persistence mechanism used by <a href="/versions/v15/software/S0046">CozyCar</a> is to register itself as a scheduled task.<span onclick=scrollToRef('scite-50') id="scite-ref-50-a" class="scite-citeref-number" title="F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. 
Retrieved December 10, 2015."data-reference="F-Secure CozyDuke"><sup><a href="https://www.f-secure.com/documents/996508/1030745/CozyDuke" target="_blank" data-hasqtip="49" aria-describedby="qtip-49">[50]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0538"> S0538 </a> </td> <td> <a href="/versions/v15/software/S0538"> Crutch </a> </td> <td> <p><a href="/versions/v15/software/S0538">Crutch</a> has the ability to persist using scheduled tasks.<span onclick=scrollToRef('scite-51') id="scite-ref-51-a" class="scite-citeref-number" title="Faou, M. (2020, December 2). Turla Crutch: Keeping the "back door" open. Retrieved December 4, 2020."data-reference="ESET Crutch December 2020"><sup><a href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank" data-hasqtip="50" aria-describedby="qtip-50">[51]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0527"> S0527 </a> </td> <td> <a href="/versions/v15/software/S0527"> CSPY Downloader </a> </td> <td> <p><a href="/versions/v15/software/S0527">CSPY Downloader</a> can use the schtasks utility to bypass UAC.<span onclick=scrollToRef('scite-52') id="scite-ref-52-a" class="scite-citeref-number" title="Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. 
Retrieved November 6, 2020."data-reference="Cybereason Kimsuky November 2020"><sup><a href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank" data-hasqtip="51" aria-describedby="qtip-51">[52]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1014"> S1014 </a> </td> <td> <a href="/versions/v15/software/S1014"> DanBot </a> </td> <td> <p><a href="/versions/v15/software/S1014">DanBot</a> can use a scheduled task for installation.<span onclick=scrollToRef('scite-53') id="scite-ref-53-a" class="scite-citeref-number" title="SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019."data-reference="SecureWorks August 2019"><sup><a href="https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" target="_blank" data-hasqtip="52" aria-describedby="qtip-52">[53]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0673"> S0673 </a> </td> <td> <a href="/versions/v15/software/S0673"> DarkWatchman </a> </td> <td> <p><a href="/versions/v15/software/S0673">DarkWatchman</a> has created a scheduled task for persistence.<span onclick=scrollToRef('scite-54') id="scite-ref-54-a" class="scite-citeref-number" title="Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022."data-reference="Prevailion DarkWatchman 2021"><sup><a href="https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank" data-hasqtip="53" aria-describedby="qtip-53">[54]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1088"> S1088 </a> </td> <td> <a href="/versions/v15/software/S1088"> Disco </a> </td> <td> <p><a href="/versions/v15/software/S1088">Disco</a> can create a scheduled task to run every minute for persistence.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Faou, M. 
(2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023."data-reference="MoustachedBouncer ESET August 2023"><sup><a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0035"> G0035 </a> </td> <td> <a href="/versions/v15/groups/G0035"> Dragonfly </a> </td> <td> <p><a href="/versions/v15/groups/G0035">Dragonfly</a> has used scheduled tasks to automatically log out of created accounts every 8 hours as well as to execute malicious files.<span onclick=scrollToRef('scite-56') id="scite-ref-56-a" class="scite-citeref-number" title="US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018."data-reference="US-CERT TA18-074A"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank" data-hasqtip="55" aria-describedby="qtip-55">[56]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0384"> S0384 </a> </td> <td> <a href="/versions/v15/software/S0384"> Dridex </a> </td> <td> <p><a href="/versions/v15/software/S0384">Dridex</a> can maintain persistence via the creation of scheduled tasks within system directories such as <code>windows\system32\</code>, <code>windows\syswow64,</code> <code>winnt\system32</code>, and <code>winnt\syswow64</code>.<span onclick=scrollToRef('scite-57') id="scite-ref-57-a" class="scite-citeref-number" title="Red Canary. (2021, February 9). Dridex - Red Canary Threat Detection Report. 
Retrieved August 3, 2023."data-reference="Red Canary Dridex Threat Report 2021"><sup><a href="https://redcanary.com/threat-detection-report/threats/dridex/" target="_blank" data-hasqtip="56" aria-describedby="qtip-56">[57]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0038"> S0038 </a> </td> <td> <a href="/versions/v15/software/S0038"> Duqu </a> </td> <td> <p>Adversaries can instruct <a href="/versions/v15/software/S0038">Duqu</a> to spread laterally by copying itself to shares it has enumerated and for which it has obtained legitimate credentials (via keylogging or other means). The remote host is then infected by using the compromised credentials to schedule a task on remote machines that executes the malware.<span onclick=scrollToRef('scite-58') id="scite-ref-58-a" class="scite-citeref-number" title="Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015."data-reference="Symantec W32.Duqu"><sup><a href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank" data-hasqtip="57" aria-describedby="qtip-57">[58]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0024"> S0024 </a> </td> <td> <a href="/versions/v15/software/S0024"> Dyre </a> </td> <td> <p><a href="/versions/v15/software/S0024">Dyre</a> has the ability to achieve persistence by adding a new task in the task scheduler to run every minute.<span onclick=scrollToRef('scite-59') id="scite-ref-59-a" class="scite-citeref-number" title="hasherezade. (2015, November 4). A Technical Look At Dyreza. 
Retrieved June 15, 2020."data-reference="Malwarebytes Dyreza November 2015"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank" data-hasqtip="58" aria-describedby="qtip-58">[59]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0367"> S0367 </a> </td> <td> <a href="/versions/v15/software/S0367"> Emotet </a> </td> <td> <p><a href="/versions/v15/software/S0367">Emotet</a> has maintained persistence through a scheduled task. <span onclick=scrollToRef('scite-60') id="scite-ref-60-a" class="scite-citeref-number" title="US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019."data-reference="US-CERT Emotet Jul 2018"><sup><a href="https://www.us-cert.gov/ncas/alerts/TA18-201A" target="_blank" data-hasqtip="59" aria-describedby="qtip-59">[60]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0363"> S0363 </a> </td> <td> <a href="/versions/v15/software/S0363"> Empire </a> </td> <td> <p><a href="/versions/v15/software/S0363">Empire</a> has modules to interact with the Windows task scheduler.<span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire"><sup><a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0396"> S0396 </a> </td> <td> <a href="/versions/v15/software/S0396"> EvilBunny </a> </td> <td> <p><a href="/versions/v15/software/S0396">EvilBunny</a> has executed commands via scheduled tasks.<span onclick=scrollToRef('scite-62') id="scite-ref-62-a" class="scite-citeref-number" title="Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. 
Retrieved June 28, 2019."data-reference="Cyphort EvilBunny Dec 2014"><sup><a href="https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" target="_blank" data-hasqtip="61" aria-describedby="qtip-61">[62]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0051"> G0051 </a> </td> <td> <a href="/versions/v15/groups/G0051"> FIN10 </a> </td> <td> <p><a href="/versions/v15/groups/G0051">FIN10</a> has established persistence by using S4U tasks as well as the Scheduled Task option in PowerShell Empire.<span onclick=scrollToRef('scite-63') id="scite-ref-63-a" class="scite-citeref-number" title="FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017."data-reference="FireEye FIN10 June 2017"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf" target="_blank" data-hasqtip="62" aria-describedby="qtip-62">[63]</a></sup></span><span onclick=scrollToRef('scite-61') id="scite-ref-61-a" class="scite-citeref-number" title="Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016."data-reference="Github PowerShell Empire"><sup><a href="https://github.com/PowerShellEmpire/Empire" target="_blank" data-hasqtip="60" aria-describedby="qtip-60">[61]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1016"> G1016 </a> </td> <td> <a href="/versions/v15/groups/G1016"> FIN13 </a> </td> <td> <p><a href="/versions/v15/groups/G1016">FIN13</a> has created scheduled tasks in the <code>C:\Windows</code> directory of the compromised network.<span onclick=scrollToRef('scite-64') id="scite-ref-64-a" class="scite-citeref-number" title="Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. 
Retrieved February 9, 2023."data-reference="Mandiant FIN13 Aug 2022"><sup><a href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank" data-hasqtip="63" aria-describedby="qtip-63">[64]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0037"> G0037 </a> </td> <td> <a href="/versions/v15/groups/G0037"> FIN6 </a> </td> <td> <p><a href="/versions/v15/groups/G0037">FIN6</a> has used scheduled tasks to establish persistence for various malware it uses, including downloaders known as HARDTACK and SHIPBREAD and <a href="/versions/v15/software/S0503">FrameworkPOS</a>.<span onclick=scrollToRef('scite-65') id="scite-ref-65-a" class="scite-citeref-number" title="FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016."data-reference="FireEye FIN6 April 2016"><sup><a href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" target="_blank" data-hasqtip="64" aria-describedby="qtip-64">[65]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0046"> G0046 </a> </td> <td> <a href="/versions/v15/groups/G0046"> FIN7 </a> </td> <td> <p><a href="/versions/v15/groups/G0046">FIN7</a> malware has created scheduled tasks to establish persistence.<span onclick=scrollToRef('scite-66') id="scite-ref-66-a" class="scite-citeref-number" title="Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017."data-reference="FireEye FIN7 April 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" target="_blank" data-hasqtip="65" aria-describedby="qtip-65">[66]</a></sup></span><span onclick=scrollToRef('scite-67') id="scite-ref-67-a" class="scite-citeref-number" title="Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. 
Retrieved July 13, 2017."data-reference="Morphisec FIN7 June 2017"><sup><a href="http://blog.morphisec.com/fin7-attacks-restaurant-industry" target="_blank" data-hasqtip="66" aria-describedby="qtip-66">[67]</a></sup></span><span onclick=scrollToRef('scite-68') id="scite-ref-68-a" class="scite-citeref-number" title="Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018."data-reference="FireEye FIN7 Aug 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" target="_blank" data-hasqtip="67" aria-describedby="qtip-67">[68]</a></sup></span><span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019."data-reference="Flashpoint FIN 7 March 2019"><sup><a href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0061"> G0061 </a> </td> <td> <a href="/versions/v15/groups/G0061"> FIN8 </a> </td> <td> <p><a href="/versions/v15/groups/G0061">FIN8</a> has used scheduled tasks to maintain RDP backdoors.<span onclick=scrollToRef('scite-70') id="scite-ref-70-a" class="scite-citeref-number" title="Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. 
Retrieved February 26, 2018."data-reference="FireEye Know Your Enemy FIN8 Aug 2016"><sup><a href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank" data-hasqtip="69" aria-describedby="qtip-69">[70]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0117"> G0117 </a> </td> <td> <a href="/versions/v15/groups/G0117"> Fox Kitten </a> </td> <td> <p><a href="/versions/v15/groups/G0117">Fox Kitten</a> has used Scheduled Tasks for persistence and to load and execute a reverse proxy binary.<span onclick=scrollToRef('scite-71') id="scite-ref-71-a" class="scite-citeref-number" title="CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020."data-reference="CISA AA20-259A Iran-Based Actor September 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank" data-hasqtip="70" aria-describedby="qtip-70">[71]</a></sup></span><span onclick=scrollToRef('scite-72') id="scite-ref-72-a" class="scite-citeref-number" title="ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020."data-reference="ClearSky Pay2Kitten December 2020"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf" target="_blank" data-hasqtip="71" aria-describedby="qtip-71">[72]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0001"> C0001 </a> </td> <td> <a href="/versions/v15/campaigns/C0001"> Frankenstein </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0001">Frankenstein</a>, the threat actors established persistence through a scheduled task using the command: <code>/Create /F /SC DAILY /ST 09:00 /TN WinUpdate /TR</code>, named "WinUpdate" <span onclick=scrollToRef('scite-73') id="scite-ref-73-a" class="scite-citeref-number" title="Adamitis, D. et al. (2019, June 4). 
It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020."data-reference="Talos Frankenstein June 2019"><sup><a href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank" data-hasqtip="72" aria-describedby="qtip-72">[73]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0093"> G0093 </a> </td> <td> <a href="/versions/v15/groups/G0093"> GALLIUM </a> </td> <td> <p><a href="/versions/v15/groups/G0093">GALLIUM</a> established persistence for <a href="/versions/v15/software/S0012">PoisonIvy</a> by creating a scheduled task.<span onclick=scrollToRef('scite-74') id="scite-ref-74-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019."data-reference="Cybereason Soft Cell June 2019"><sup><a href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank" data-hasqtip="73" aria-describedby="qtip-73">[74]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0047"> G0047 </a> </td> <td> <a href="/versions/v15/groups/G0047"> Gamaredon Group </a> </td> <td> <p><a href="/versions/v15/groups/G0047">Gamaredon Group</a> has created scheduled tasks to launch executables after a designated number of minutes have passed.<span onclick=scrollToRef('scite-75') id="scite-ref-75-a" class="scite-citeref-number" title="Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020."data-reference="ESET Gamaredon June 2020"><sup><a href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank" data-hasqtip="74" aria-describedby="qtip-74">[75]</a></sup></span><span onclick=scrollToRef('scite-76') id="scite-ref-76-a" class="scite-citeref-number" title="CERT-EE. (2021, January 27). 
Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022."data-reference="CERT-EE Gamaredon January 2021"><sup><a href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf" target="_blank" data-hasqtip="75" aria-describedby="qtip-75">[76]</a></sup></span><span onclick=scrollToRef('scite-77') id="scite-ref-77-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022."data-reference="Microsoft Actinium February 2022"><sup><a href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" target="_blank" data-hasqtip="76" aria-describedby="qtip-76">[77]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0168"> S0168 </a> </td> <td> <a href="/versions/v15/software/S0168"> Gazer </a> </td> <td> <p><a href="/versions/v15/software/S0168">Gazer</a> can establish persistence by creating a scheduled task.<span onclick=scrollToRef('scite-78') id="scite-ref-78-a" class="scite-citeref-number" title="ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017."data-reference="ESET Gazer Aug 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" target="_blank" data-hasqtip="77" aria-describedby="qtip-77">[78]</a></sup></span><span onclick=scrollToRef('scite-79') id="scite-ref-79-a" class="scite-citeref-number" title="Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. 
Retrieved September 21, 2017."data-reference="Securelist WhiteBear Aug 2017"><sup><a href="https://securelist.com/introducing-whitebear/81638/" target="_blank" data-hasqtip="78" aria-describedby="qtip-78">[79]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0588"> S0588 </a> </td> <td> <a href="/versions/v15/software/S0588"> GoldMax </a> </td> <td> <p><a href="/versions/v15/software/S0588">GoldMax</a> has used scheduled tasks to maintain persistence.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0477"> S0477 </a> </td> <td> <a href="/versions/v15/software/S0477"> Goopy </a> </td> <td> <p><a href="/versions/v15/software/S0477">Goopy</a> has the ability to maintain persistence by creating scheduled tasks set to run every hour.<span onclick=scrollToRef('scite-14') id="scite-ref-14-a" class="scite-citeref-number" title="Dahan, A. (2017). Operation Cobalt Kitty. 
Retrieved December 27, 2018."data-reference="Cybereason Cobalt Kitty 2017"><sup><a href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank" data-hasqtip="13" aria-describedby="qtip-13">[14]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0237"> S0237 </a> </td> <td> <a href="/versions/v15/software/S0237"> GravityRAT </a> </td> <td> <p><a href="/versions/v15/software/S0237">GravityRAT</a> creates a scheduled task to ensure it is re-executed every day.<span onclick=scrollToRef('scite-81') id="scite-ref-81-a" class="scite-citeref-number" title="Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018."data-reference="Talos GravityRAT"><sup><a href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank" data-hasqtip="80" aria-describedby="qtip-80">[81]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0417"> S0417 </a> </td> <td> <a href="/versions/v15/software/S0417"> GRIFFON </a> </td> <td> <p><a href="/versions/v15/software/S0417">GRIFFON</a> has used <code>schtasks</code> for persistence.<span onclick=scrollToRef('scite-82') id="scite-ref-82-a" class="scite-citeref-number" title="Namestnikov, Y. and Aime, F. (2019, May 8). FIN7.5: the infamous cybercrime rig "FIN7" continues its activities. 
Retrieved October 11, 2019."data-reference="SecureList Griffon May 2019"><sup><a href="https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/" target="_blank" data-hasqtip="81" aria-describedby="qtip-81">[82]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0632"> S0632 </a> </td> <td> <a href="/versions/v15/software/S0632"> GrimAgent </a> </td> <td> <p><a href="/versions/v15/software/S0632">GrimAgent</a> has the ability to set persistence using the Task Scheduler.<span onclick=scrollToRef('scite-83') id="scite-ref-83-a" class="scite-citeref-number" title="Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021."data-reference="Group IB GrimAgent July 2021"><sup><a href="https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer" target="_blank" data-hasqtip="82" aria-describedby="qtip-82">[83]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0170"> S0170 </a> </td> <td> <a href="/versions/v15/software/S0170"> Helminth </a> </td> <td> <p><a href="/versions/v15/software/S0170">Helminth</a> has used a scheduled task for persistence.<span onclick=scrollToRef('scite-84') id="scite-ref-84-a" class="scite-citeref-number" title="ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. 
Retrieved May 3, 2017."data-reference="ClearSky OilRig Jan 2017"><sup><a href="http://www.clearskysec.com/oilrig/" target="_blank" data-hasqtip="83" aria-describedby="qtip-83">[84]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0697"> S0697 </a> </td> <td> <a href="/versions/v15/software/S0697"> HermeticWiper </a> </td> <td> <p><a href="/versions/v15/software/S0697">HermeticWiper</a> has the ability to use scheduled tasks for execution.<span onclick=scrollToRef('scite-85') id="scite-ref-85-a" class="scite-citeref-number" title="Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022."data-reference="Symantec Ukraine Wipers February 2022"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia" target="_blank" data-hasqtip="84" aria-describedby="qtip-84">[85]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1001"> G1001 </a> </td> <td> <a href="/versions/v15/groups/G1001"> HEXANE </a> </td> <td> <p><a href="/versions/v15/groups/G1001">HEXANE</a> has used a scheduled task to establish persistence for a keylogger.<span onclick=scrollToRef('scite-86') id="scite-ref-86-a" class="scite-citeref-number" title="Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. 
Retrieved June 14, 2022."data-reference="Kaspersky Lyceum October 2021"><sup><a href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank" data-hasqtip="85" aria-describedby="qtip-85">[86]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0126"> G0126 </a> </td> <td> <a href="/versions/v15/groups/G0126"> Higaisa </a> </td> <td> <p><a href="/versions/v15/groups/G0126">Higaisa</a> dropped and added <code>officeupdate.exe</code> to scheduled tasks.<span onclick=scrollToRef('scite-87') id="scite-ref-87-a" class="scite-citeref-number" title="Malwarebytes Threat Intelligence Team. (2020, June 4). New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021."data-reference="Malwarebytes Higaisa 2020"><sup><a href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank" data-hasqtip="86" aria-describedby="qtip-86">[87]</a></sup></span><span onclick=scrollToRef('scite-88') id="scite-ref-88-a" class="scite-citeref-number" title="Singh, S. Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021."data-reference="Zscaler Higaisa 2020"><sup><a href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank" data-hasqtip="87" aria-describedby="qtip-87">[88]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0431"> S0431 </a> </td> <td> <a href="/versions/v15/software/S0431"> HotCroissant </a> </td> <td> <p><a href="/versions/v15/software/S0431">HotCroissant</a> has attempted to install a scheduled task named "Java Maintenance64" on startup to establish persistence.<span onclick=scrollToRef('scite-89') id="scite-ref-89-a" class="scite-citeref-number" title="Knight, S.. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. 
Retrieved May 1, 2020."data-reference="Carbon Black HotCroissant April 2020"><sup><a href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank" data-hasqtip="88" aria-describedby="qtip-88">[89]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0483"> S0483 </a> </td> <td> <a href="/versions/v15/software/S0483"> IcedID </a> </td> <td> <p><a href="/versions/v15/software/S0483">IcedID</a> has created a scheduled task that executes every hour to establish persistence.<span onclick=scrollToRef('scite-90') id="scite-ref-90-a" class="scite-citeref-number" title="Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020."data-reference="Juniper IcedID June 2020"><sup><a href="https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware" target="_blank" data-hasqtip="89" aria-describedby="qtip-89">[90]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0260"> S0260 </a> </td> <td> <a href="/versions/v15/software/S0260"> InvisiMole </a> </td> <td> <p><a href="/versions/v15/software/S0260">InvisiMole</a> has used scheduled tasks named <code>MSST</code> and <code>\Microsoft\Windows\Autochk\Scheduled</code> to establish persistence.<span onclick=scrollToRef('scite-91') id="scite-ref-91-a" class="scite-citeref-number" title="Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. 
Retrieved July 16, 2020."data-reference="ESET InvisiMole June 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank" data-hasqtip="90" aria-describedby="qtip-90">[91]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0581"> S0581 </a> </td> <td> <a href="/versions/v15/software/S0581"> IronNetInjector </a> </td> <td> <p><a href="/versions/v15/software/S0581">IronNetInjector</a> has used a task XML file named <code>mssch.xml</code> to run an IronPython script when a user logs in or when specific system events are created.<span onclick=scrollToRef('scite-92') id="scite-ref-92-a" class="scite-citeref-number" title="Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. Retrieved February 24, 2021."data-reference="Unit 42 IronNetInjector February 2021 "><sup><a href="https://unit42.paloaltonetworks.com/ironnetinjector/" target="_blank" data-hasqtip="91" aria-describedby="qtip-91">[92]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0189"> S0189 </a> </td> <td> <a href="/versions/v15/software/S0189"> ISMInjector </a> </td> <td> <p><a href="/versions/v15/software/S0189">ISMInjector</a> creates scheduled tasks to establish persistence.<span onclick=scrollToRef('scite-93') id="scite-ref-93-a" class="scite-citeref-number" title="Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. 
Retrieved January 8, 2018."data-reference="OilRig New Delivery Oct 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/" target="_blank" data-hasqtip="92" aria-describedby="qtip-92">[93]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0044"> S0044 </a> </td> <td> <a href="/versions/v15/software/S0044"> JHUHUGIT </a> </td> <td> <p><a href="/versions/v15/software/S0044">JHUHUGIT</a> has registered itself as a scheduled task to run each time the current user logs in.<span onclick=scrollToRef('scite-94') id="scite-ref-94-a" class="scite-citeref-number" title="ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016."data-reference="ESET Sednit Part 1"><sup><a href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank" data-hasqtip="93" aria-describedby="qtip-93">[94]</a></sup></span><span onclick=scrollToRef('scite-95') id="scite-ref-95-a" class="scite-citeref-number" title="ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017."data-reference="ESET Sednit July 2015"><sup><a href="http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/" target="_blank" data-hasqtip="94" aria-describedby="qtip-94">[95]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0648"> S0648 </a> </td> <td> <a href="/versions/v15/software/S0648"> JSS Loader </a> </td> <td> <p><a href="/versions/v15/software/S0648">JSS Loader</a> has the ability to launch scheduled tasks to establish persistence.<span onclick=scrollToRef('scite-96') id="scite-ref-96-a" class="scite-citeref-number" title="Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. 
Retrieved September 20, 2021."data-reference="CrowdStrike Carbon Spider August 2021"><sup><a href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank" data-hasqtip="95" aria-describedby="qtip-95">[96]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0094"> G0094 </a> </td> <td> <a href="/versions/v15/groups/G0094"> Kimsuky </a> </td> <td> <p><a href="/versions/v15/groups/G0094">Kimsuky</a> has downloaded additional malware with scheduled tasks.<span onclick=scrollToRef('scite-97') id="scite-ref-97-a" class="scite-citeref-number" title="KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022."data-reference="KISA Operation Muzabi"><sup><a href="https://www.boho.or.kr/krcert/publicationView.do?bulletin_writing_sequence=35936" target="_blank" data-hasqtip="96" aria-describedby="qtip-96">[97]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0250"> S0250 </a> </td> <td> <a href="/versions/v15/software/S0250"> Koadic </a> </td> <td> <p><a href="/versions/v15/software/S0250">Koadic</a> has used scheduled tasks to add persistence.<span onclick=scrollToRef('scite-98') id="scite-ref-98-a" class="scite-citeref-number" title="Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. 
Retrieved November 24, 2021."data-reference="MalwareBytes LazyScripter Feb 2021"><sup><a href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank" data-hasqtip="97" aria-describedby="qtip-97">[98]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0032"> G0032 </a> </td> <td> <a href="/versions/v15/groups/G0032"> Lazarus Group </a> </td> <td> <p><a href="/versions/v15/groups/G0032">Lazarus Group</a> has used <code>schtasks</code> for persistence including through the periodic execution of a remote XSL script or a dropped VBS payload.<span onclick=scrollToRef('scite-99') id="scite-ref-99-a" class="scite-citeref-number" title="Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022."data-reference="Qualys LolZarus"><sup><a href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank" data-hasqtip="98" aria-describedby="qtip-98">[99]</a></sup></span><span onclick=scrollToRef('scite-100') id="scite-ref-100-a" class="scite-citeref-number" title="Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022."data-reference="ESET Twitter Ida Pro Nov 2021"><sup><a href="https://twitter.com/ESETresearch/status/1458438155149922312" target="_blank" data-hasqtip="99" aria-describedby="qtip-99">[100]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0680"> S0680 </a> </td> <td> <a href="/versions/v15/software/S0680"> LitePower </a> </td> <td> <p><a href="/versions/v15/software/S0680">LitePower</a> can create a scheduled task to enable persistence mechanisms.<span onclick=scrollToRef('scite-101') id="scite-ref-101-a" class="scite-citeref-number" title="Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. 
Retrieved February 1, 2022."data-reference="Kaspersky WIRTE November 2021"><sup><a href="https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" target="_blank" data-hasqtip="100" aria-describedby="qtip-100">[101]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0447"> S0447 </a> </td> <td> <a href="/versions/v15/software/S0447"> Lokibot </a> </td> <td> <p><a href="/versions/v15/software/S0447">Lokibot</a> embedded the command <code>schtasks /Run /TN \Microsoft\Windows\DiskCleanup\SilentCleanup /I</code>, which runs the existing <code>SilentCleanup</code> task, inside a batch script.<span onclick=scrollToRef('scite-102') id="scite-ref-102-a" class="scite-citeref-number" title="Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021."data-reference="Talos Lokibot Jan 2021"><sup><a href="https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html" target="_blank" data-hasqtip="101" aria-describedby="qtip-101">[102]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0532"> S0532 </a> </td> <td> <a href="/versions/v15/software/S0532"> Lucifer </a> </td> <td> <p><a href="/versions/v15/software/S0532">Lucifer</a> has established persistence by creating the following scheduled task: <code>schtasks /create /sc minute /mo 1 /tn QQMusic ^ /tr C:Users\%USERPROFILE%\Downloads\spread.exe /F</code>.<span onclick=scrollToRef('scite-103') id="scite-ref-103-a" class="scite-citeref-number" title="Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. 
Retrieved November 16, 2020."data-reference="Unit 42 Lucifer June 2020"><sup><a href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank" data-hasqtip="102" aria-describedby="qtip-102">[103]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1014"> G1014 </a> </td> <td> <a href="/versions/v15/groups/G1014"> LuminousMoth </a> </td> <td> <p><a href="/versions/v15/groups/G1014">LuminousMoth</a> has created scheduled tasks to establish persistence for their tools.<span onclick=scrollToRef('scite-104') id="scite-ref-104-a" class="scite-citeref-number" title="Botezatu, B and etl. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022."data-reference="Bitdefender LuminousMoth July 2021"><sup><a href="https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" target="_blank" data-hasqtip="103" aria-describedby="qtip-103">[104]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0409"> S0409 </a> </td> <td> <a href="/versions/v15/software/S0409"> Machete </a> </td> <td> <p>The different components of <a href="/versions/v15/software/S0409">Machete</a> are executed by Windows Task Scheduler.<span onclick=scrollToRef('scite-105') id="scite-ref-105-a" class="scite-citeref-number" title="ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019."data-reference="ESET Machete July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank" data-hasqtip="104" aria-describedby="qtip-104">[105]</a></sup></span><span onclick=scrollToRef('scite-106') id="scite-ref-106-a" class="scite-citeref-number" title="Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. 
Retrieved September 13, 2019."data-reference="Securelist Machete Aug 2014"><sup><a href="https://securelist.com/el-machete/66108/" target="_blank" data-hasqtip="105" aria-describedby="qtip-105">[106]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0095"> G0095 </a> </td> <td> <a href="/versions/v15/groups/G0095"> Machete </a> </td> <td> <p><a href="/versions/v15/groups/G0095">Machete</a> has created scheduled tasks to maintain <a href="/versions/v15/software/S0409">Machete</a>'s persistence.<span onclick=scrollToRef('scite-107') id="scite-ref-107-a" class="scite-citeref-number" title="kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020."data-reference="360 Machete Sep 2020"><sup><a href="https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" target="_blank" data-hasqtip="106" aria-describedby="qtip-106">[107]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0059"> G0059 </a> </td> <td> <a href="/versions/v15/groups/G0059"> Magic Hound </a> </td> <td> <p><a href="/versions/v15/groups/G0059">Magic Hound</a> has used scheduled tasks to establish persistence and execution.<span onclick=scrollToRef('scite-108') id="scite-ref-108-a" class="scite-citeref-number" title="DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022."data-reference="DFIR Report APT35 ProxyShell March 2022"><sup><a href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank" data-hasqtip="107" aria-describedby="qtip-107">[108]</a></sup></span><span onclick=scrollToRef('scite-109') id="scite-ref-109-a" class="scite-citeref-number" title="DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. 
Retrieved January 5, 2023."data-reference="DFIR Phosphorus November 2021"><sup><a href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank" data-hasqtip="108" aria-describedby="qtip-108">[109]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0167"> S0167 </a> </td> <td> <a href="/versions/v15/software/S0167"> Matryoshka </a> </td> <td> <p><a href="/versions/v15/software/S0167">Matryoshka</a> can establish persistence by adding a Scheduled Task named "Microsoft Boost Kernel Optimization".<span onclick=scrollToRef('scite-110') id="scite-ref-110-a" class="scite-citeref-number" title="ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017."data-reference="ClearSky Wilted Tulip July 2017"><sup><a href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank" data-hasqtip="109" aria-describedby="qtip-109">[110]</a></sup></span><span onclick=scrollToRef('scite-111') id="scite-ref-111-a" class="scite-citeref-number" title="Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. 
Retrieved September 11, 2017."data-reference="CopyKittens Nov 2015"><sup><a href="https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" target="_blank" data-hasqtip="110" aria-describedby="qtip-110">[111]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0449"> S0449 </a> </td> <td> <a href="/versions/v15/software/S0449"> Maze </a> </td> <td> <p><a href="/versions/v15/software/S0449">Maze</a> has created scheduled tasks using name variants such as "Windows Update Security", "Windows Update Security Patches", and "Google Chrome Security Update", to launch <a href="/versions/v15/software/S0449">Maze</a> at a specific time.<span onclick=scrollToRef('scite-112') id="scite-ref-112-a" class="scite-citeref-number" title="Brandt, A., Mackenzie, P.. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020."data-reference="Sophos Maze VM September 2020"><sup><a href="https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/" target="_blank" data-hasqtip="111" aria-describedby="qtip-111">[112]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0500"> S0500 </a> </td> <td> <a href="/versions/v15/software/S0500"> MCMD </a> </td> <td> <p><a href="/versions/v15/software/S0500">MCMD</a> can use scheduled tasks for persistence.<span onclick=scrollToRef('scite-113') id="scite-ref-113-a" class="scite-citeref-number" title="Secureworks. (2019, July 24). MCMD Malware Analysis. 
Retrieved August 13, 2020."data-reference="Secureworks MCMD July 2019"><sup><a href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank" data-hasqtip="112" aria-describedby="qtip-112">[113]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0045"> G0045 </a> </td> <td> <a href="/versions/v15/groups/G0045"> menuPass </a> </td> <td> <p><a href="/versions/v15/groups/G0045">menuPass</a> has used a script (atexec.py) to execute a command on a target machine via Task Scheduler.<span onclick=scrollToRef('scite-114') id="scite-ref-114-a" class="scite-citeref-number" title="PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017."data-reference="PWC Cloud Hopper Technical Annex April 2017"><sup><a href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank" data-hasqtip="113" aria-describedby="qtip-113">[114]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0688"> S0688 </a> </td> <td> <a href="/versions/v15/software/S0688"> Meteor </a> </td> <td> <p><a href="/versions/v15/software/S0688">Meteor</a> execution begins from a scheduled task named <code>Microsoft\Windows\Power Efficiency Diagnostics\AnalyzeAll</code> and it creates a separate scheduled task called <code>mstask</code> to run the wiper only once at 23:55:00.<span onclick=scrollToRef('scite-115') id="scite-ref-115-a" class="scite-citeref-number" title="Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. 
Retrieved February 17, 2022."data-reference="Check Point Meteor Aug 2021"><sup><a href="https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/" target="_blank" data-hasqtip="114" aria-describedby="qtip-114">[115]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1015"> S1015 </a> </td> <td> <a href="/versions/v15/software/S1015"> Milan </a> </td> <td> <p><a href="/versions/v15/software/S1015">Milan</a> can establish persistence on a targeted host with scheduled tasks.<span onclick=scrollToRef('scite-116') id="scite-ref-116-a" class="scite-citeref-number" title="ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By "Siamesekitten" - Lyceum. Retrieved June 6, 2022."data-reference="ClearSky Siamesekitten August 2021"><sup><a href="https://www.clearskysec.com/siamesekitten/" target="_blank" data-hasqtip="115" aria-describedby="qtip-115">[116]</a></sup></span><span onclick=scrollToRef('scite-117') id="scite-ref-117-a" class="scite-citeref-number" title="Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum?. Retrieved June 16, 2022."data-reference="Accenture Lyceum Targets November 2021"><sup><a href="https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" target="_blank" data-hasqtip="116" aria-describedby="qtip-116">[117]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0021"> G0021 </a> </td> <td> <a href="/versions/v15/groups/G0021"> Molerats </a> </td> <td> <p><a href="/versions/v15/groups/G0021">Molerats</a> has created scheduled tasks to persistently run VBScripts.<span onclick=scrollToRef('scite-118') id="scite-ref-118-a" class="scite-citeref-number" title="Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. 
Retrieved December 14, 2020."data-reference="Unit42 Molerat Mar 2020"><sup><a href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank" data-hasqtip="117" aria-describedby="qtip-117">[118]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0069"> G0069 </a> </td> <td> <a href="/versions/v15/groups/G0069"> MuddyWater </a> </td> <td> <p><a href="/versions/v15/groups/G0069">MuddyWater</a> has used scheduled tasks to establish persistence.<span onclick=scrollToRef('scite-119') id="scite-ref-119-a" class="scite-citeref-number" title="Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020."data-reference="Reaqta MuddyWater November 2017"><sup><a href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank" data-hasqtip="118" aria-describedby="qtip-118">[119]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0129"> G0129 </a> </td> <td> <a href="/versions/v15/groups/G0129"> Mustang Panda </a> </td> <td> <p><a href="/versions/v15/groups/G0129">Mustang Panda</a> has created a scheduled task to execute additional malicious software, as well as maintain persistence.<span onclick=scrollToRef('scite-120') id="scite-ref-120-a" class="scite-citeref-number" title="Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021."data-reference="Anomali MUSTANG PANDA October 2019"><sup><a href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations" target="_blank" data-hasqtip="119" aria-describedby="qtip-119">[120]</a></sup></span><span onclick=scrollToRef('scite-121') id="scite-ref-121-a" class="scite-citeref-number" title="Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. 
Retrieved April 13, 2021."data-reference="Secureworks BRONZE PRESIDENT December 2019"><sup><a href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank" data-hasqtip="120" aria-describedby="qtip-120">[121]</a></sup></span><span onclick=scrollToRef('scite-122') id="scite-ref-122-a" class="scite-citeref-number" title="Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021."data-reference="McAfee Dianxun March 2021"><sup><a href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf" target="_blank" data-hasqtip="121" aria-describedby="qtip-121">[122]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0019"> G0019 </a> </td> <td> <a href="/versions/v15/groups/G0019"> Naikon </a> </td> <td> <p><a href="/versions/v15/groups/G0019">Naikon</a> has used schtasks.exe for lateral movement in compromised networks.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0198"> S0198 </a> </td> <td> <a href="/versions/v15/software/S0198"> NETWIRE </a> </td> <td> <p><a href="/versions/v15/software/S0198">NETWIRE</a> can create a scheduled task to establish persistence.<span onclick=scrollToRef('scite-124') id="scite-ref-124-a" class="scite-citeref-number" title="Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. 
Retrieved January 7, 2021."data-reference="FireEye NETWIRE March 2019"><sup><a href="https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing" target="_blank" data-hasqtip="123" aria-describedby="qtip-123">[124]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0368"> S0368 </a> </td> <td> <a href="/versions/v15/software/S0368"> NotPetya </a> </td> <td> <p><a href="/versions/v15/software/S0368">NotPetya</a> creates a scheduled task to reboot the system one hour after infection.<span onclick=scrollToRef('scite-125') id="scite-ref-125-a" class="scite-citeref-number" title="Chiu, A. (2017, June 27). New Ransomware Variant &quot;Nyetya&quot; Compromises Systems Worldwide. Retrieved March 26, 2019."data-reference="Talos Nyetya June 2017"><sup><a href="https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" target="_blank" data-hasqtip="124" aria-describedby="qtip-124">[125]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0049"> G0049 </a> </td> <td> <a href="/versions/v15/groups/G0049"> OilRig </a> </td> <td> <p><a href="/versions/v15/groups/G0049">OilRig</a> has created scheduled tasks that run a VBScript to execute a payload on victim machines.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018."data-reference="Unit 42 OopsIE! Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a></sup></span><span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. 
Retrieved August 9, 2018."data-reference="Unit 42 QUADAGENT July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a></sup></span><span onclick=scrollToRef('scite-128') id="scite-ref-128-a" class="scite-citeref-number" title="Bromiley, M., et al.. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019."data-reference="FireEye APT34 July 2019"><sup><a href="https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" target="_blank" data-hasqtip="127" aria-describedby="qtip-127">[128]</a></sup></span><span onclick=scrollToRef('scite-129') id="scite-ref-129-a" class="scite-citeref-number" title="Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021."data-reference="Check Point APT34 April 2021"><sup><a href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank" data-hasqtip="128" aria-describedby="qtip-128">[129]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0439"> S0439 </a> </td> <td> <a href="/versions/v15/software/S0439"> Okrum </a> </td> <td> <p><a href="/versions/v15/software/S0439">Okrum</a>'s installer can attempt to achieve persistence by creating a scheduled task.<span onclick=scrollToRef('scite-130') id="scite-ref-130-a" class="scite-citeref-number" title="Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. 
Retrieved May 6, 2020."data-reference="ESET Okrum July 2019"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank" data-hasqtip="129" aria-describedby="qtip-129">[130]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0264"> S0264 </a> </td> <td> <a href="/versions/v15/software/S0264"> OopsIE </a> </td> <td> <p><a href="/versions/v15/software/S0264">OopsIE</a> creates a scheduled task to run itself every three minutes.<span onclick=scrollToRef('scite-126') id="scite-ref-126-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018."data-reference="Unit 42 OopsIE! Feb 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank" data-hasqtip="125" aria-describedby="qtip-125">[126]</a></sup></span><span onclick=scrollToRef('scite-131') id="scite-ref-131-a" class="scite-citeref-number" title="Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. 
Retrieved September 24, 2018."data-reference="Unit 42 OilRig Sept 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank" data-hasqtip="130" aria-describedby="qtip-130">[131]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0012"> C0012 </a> </td> <td> <a href="/versions/v15/campaigns/C0012"> Operation CuckooBees </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0012">Operation CuckooBees</a>, the threat actors used scheduled tasks to execute batch scripts for lateral movement with the following command: <code>SCHTASKS /Create /S &lt;IP Address&gt; /U &lt;Username&gt; /p &lt;Password&gt; /SC ONCE /TN test /TR &lt;Path to a Batch File&gt; /ST &lt;Time&gt; /RU SYSTEM</code>. The <code>/S</code>, <code>/U</code>, and <code>/p</code> switches create the task on a remote host using explicit credentials, and <code>/RU SYSTEM</code> runs it under the SYSTEM account.<span onclick=scrollToRef('scite-132') id="scite-ref-132-a" class="scite-citeref-number" title="Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022."data-reference="Cybereason OperationCuckooBees May 2022"><sup><a href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank" data-hasqtip="131" aria-describedby="qtip-131">[132]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0022"> C0022 </a> </td> <td> <a href="/versions/v15/campaigns/C0022"> Operation Dream Job </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0022">Operation Dream Job</a>, <a href="/versions/v15/groups/G0032">Lazarus Group</a> created scheduled tasks to set a periodic execution of a remote XSL script.<span onclick=scrollToRef('scite-133') id="scite-ref-133-a" class="scite-citeref-number" title="Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. 
Retrieved December 20, 2021."data-reference="ESET Lazarus Jun 2020"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank" data-hasqtip="132" aria-describedby="qtip-132">[133]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0014"> C0014 </a> </td> <td> <a href="/versions/v15/campaigns/C0014"> Operation Wocao </a> </td> <td> <p>During <a href="https://attack.mitre.org/campaigns/C0014">Operation Wocao</a>, threat actors used scheduled tasks to execute malicious PowerShell code on remote systems.<span onclick=scrollToRef('scite-134') id="scite-ref-134-a" class="scite-citeref-number" title="Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020."data-reference="FoxIT Wocao December 2019"><sup><a href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank" data-hasqtip="133" aria-describedby="qtip-133">[134]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0040"> G0040 </a> </td> <td> <a href="/versions/v15/groups/G0040"> Patchwork </a> </td> <td> <p>A <a href="/versions/v15/groups/G0040">Patchwork</a> file stealer can run a TaskScheduler DLL to add persistence.<span onclick=scrollToRef('scite-135') id="scite-ref-135-a" class="scite-citeref-number" title="Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. 
Retrieved July 10, 2018."data-reference="TrendMicro Patchwork Dec 2017"><sup><a href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank" data-hasqtip="134" aria-describedby="qtip-134">[135]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0194"> S0194 </a> </td> <td> <a href="/versions/v15/software/S0194"> PowerSploit </a> </td> <td> <p><a href="/versions/v15/software/S0194">PowerSploit</a>'s <code>New-UserPersistenceOption</code> Persistence argument can be used to establish persistence via a <a href="/versions/v15/techniques/T1053">Scheduled Task/Job</a>.<span onclick=scrollToRef('scite-136') id="scite-ref-136-a" class="scite-citeref-number" title="PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018."data-reference="GitHub PowerSploit May 2012"><sup><a href="https://github.com/PowerShellMafia/PowerSploit" target="_blank" data-hasqtip="135" aria-describedby="qtip-135">[136]</a></sup></span><span onclick=scrollToRef('scite-137') id="scite-ref-137-a" class="scite-citeref-number" title="PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018."data-reference="PowerSploit Documentation"><sup><a href="http://powersploit.readthedocs.io" target="_blank" data-hasqtip="136" aria-describedby="qtip-136">[137]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0223"> S0223 </a> </td> <td> <a href="/versions/v15/software/S0223"> POWERSTATS </a> </td> <td> <p><a href="/versions/v15/software/S0223">POWERSTATS</a> has established persistence through a scheduled task using the command <code>"C:\Windows\system32\schtasks.exe" /Create /F /SC DAILY /ST 12:00 /TN MicrosoftEdge /TR "c:\Windows\system32\wscript.exe C:\Windows\temp\Windows.vbe"</code>; the task name mimics a legitimate Microsoft component and the action launches a VBE script from the temp directory via wscript.exe.<span onclick=scrollToRef('scite-138') id="scite-ref-138-a" class="scite-citeref-number" title="ClearSky Cyber Security. (2018, November). 
MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018."data-reference="ClearSky MuddyWater Nov 2018"><sup><a href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank" data-hasqtip="137" aria-describedby="qtip-137">[138]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0184"> S0184 </a> </td> <td> <a href="/versions/v15/software/S0184"> POWRUNER </a> </td> <td> <p><a href="/versions/v15/software/S0184">POWRUNER</a> persists through a scheduled task that executes it every minute.<span onclick=scrollToRef('scite-139') id="scite-ref-139-a" class="scite-citeref-number" title="Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017."data-reference="FireEye APT34 Dec 2017"><sup><a href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank" data-hasqtip="138" aria-describedby="qtip-138">[139]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1058"> S1058 </a> </td> <td> <a href="/versions/v15/software/S1058"> Prestige </a> </td> <td> <p><a href="/versions/v15/software/S1058">Prestige</a> has been executed on a target system through a scheduled task created by <a href="/versions/v15/groups/G0034">Sandworm Team</a> using <a href="/versions/v15/software/S0357">Impacket</a>.<span onclick=scrollToRef('scite-140') id="scite-ref-140-a" class="scite-citeref-number" title="MSTIC. (2022, October 14). New &quot;Prestige&quot; ransomware impacts organizations in Ukraine and Poland. 
Retrieved January 19, 2023."data-reference="Microsoft Prestige ransomware October 2022"><sup><a href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank" data-hasqtip="139" aria-describedby="qtip-139">[140]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0147"> S0147 </a> </td> <td> <a href="/versions/v15/software/S0147"> Pteranodon </a> </td> <td> <p><a href="/versions/v15/software/S0147">Pteranodon</a> schedules tasks to invoke its components in order to establish persistence.<span onclick=scrollToRef('scite-141') id="scite-ref-141-a" class="scite-citeref-number" title="Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017."data-reference="Palo Alto Gamaredon Feb 2017"><sup><a href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank" data-hasqtip="140" aria-describedby="qtip-140">[141]</a></sup></span><span onclick=scrollToRef('scite-142') id="scite-ref-142-a" class="scite-citeref-number" title="Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022."data-reference="Symantec Shuckworm January 2022"><sup><a href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine" target="_blank" data-hasqtip="141" aria-describedby="qtip-141">[142]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0650"> S0650 </a> </td> <td> <a href="/versions/v15/software/S0650"> QakBot </a> </td> <td> <p><a href="/versions/v15/software/S0650">QakBot</a> has the ability to create scheduled tasks for persistence.<span onclick=scrollToRef('scite-143') id="scite-ref-143-a" class="scite-citeref-number" title="Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. 
Retrieved September 27, 2021."data-reference="Trend Micro Qakbot May 2020"><sup><a href="https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files" target="_blank" data-hasqtip="142" aria-describedby="qtip-142">[143]</a></sup></span><span onclick=scrollToRef('scite-144') id="scite-ref-144-a" class="scite-citeref-number" title="Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021."data-reference="Kroll Qakbot June 2020"><sup><a href="https://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks" target="_blank" data-hasqtip="143" aria-describedby="qtip-143">[144]</a></sup></span><span onclick=scrollToRef('scite-145') id="scite-ref-145-a" class="scite-citeref-number" title="CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021."data-reference="Crowdstrike Qakbot October 2020"><sup><a href="https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/" target="_blank" data-hasqtip="144" aria-describedby="qtip-144">[145]</a></sup></span><span onclick=scrollToRef('scite-146') id="scite-ref-146-a" class="scite-citeref-number" title="Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021."data-reference="Trend Micro Qakbot December 2020"><sup><a href="https://success.trendmicro.com/solution/000283381" target="_blank" data-hasqtip="145" aria-describedby="qtip-145">[146]</a></sup></span><span onclick=scrollToRef('scite-147') id="scite-ref-147-a" class="scite-citeref-number" title="Rainey, K. (n.d.). Qbot. 
Retrieved September 27, 2021."data-reference="Red Canary Qbot"><sup><a href="https://redcanary.com/threat-detection-report/threats/qbot/" target="_blank" data-hasqtip="146" aria-describedby="qtip-146">[147]</a></sup></span><span onclick=scrollToRef('scite-148') id="scite-ref-148-a" class="scite-citeref-number" title="Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021."data-reference="Cyberint Qakbot May 2021"><sup><a href="https://blog.cyberint.com/qakbot-banking-trojan" target="_blank" data-hasqtip="147" aria-describedby="qtip-147">[148]</a></sup></span><span onclick=scrollToRef('scite-149') id="scite-ref-149-a" class="scite-citeref-number" title="Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021."data-reference="Kaspersky QakBot September 2021"><sup><a href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank" data-hasqtip="148" aria-describedby="qtip-148">[149]</a></sup></span><span onclick=scrollToRef('scite-150') id="scite-ref-150-a" class="scite-citeref-number" title="Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021."data-reference="Group IB Ransomware September 2020"><sup><a href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank" data-hasqtip="149" aria-describedby="qtip-149">[150]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0269"> S0269 </a> </td> <td> <a href="/versions/v15/software/S0269"> QUADAGENT </a> </td> <td> <p><a href="/versions/v15/software/S0269">QUADAGENT</a> creates a scheduled task to maintain persistence on the victim’s machine.<span onclick=scrollToRef('scite-127') id="scite-ref-127-a" class="scite-citeref-number" title="Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. 
Retrieved August 9, 2018."data-reference="Unit 42 QUADAGENT July 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank" data-hasqtip="126" aria-describedby="qtip-126">[127]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0262"> S0262 </a> </td> <td> <a href="/versions/v15/software/S0262"> QuasarRAT </a> </td> <td> <p><a href="/versions/v15/software/S0262">QuasarRAT</a> contains a .NET wrapper DLL for creating and managing scheduled tasks for maintaining persistence upon reboot.<span onclick=scrollToRef('scite-151') id="scite-ref-151-a" class="scite-citeref-number" title="Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018."data-reference="Volexity Patchwork June 2018"><sup><a href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank" data-hasqtip="150" aria-describedby="qtip-150">[151]</a></sup></span><span onclick=scrollToRef('scite-152') id="scite-ref-152-a" class="scite-citeref-number" title="CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022."data-reference="CISA AR18-352A Quasar RAT December 2018"><sup><a href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-352A" target="_blank" data-hasqtip="151" aria-describedby="qtip-151">[152]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0629"> S0629 </a> </td> <td> <a href="/versions/v15/software/S0629"> RainyDay </a> </td> <td> <p><a href="/versions/v15/software/S0629">RainyDay</a> can use scheduled tasks to achieve persistence.<span onclick=scrollToRef('scite-123') id="scite-ref-123-a" class="scite-citeref-number" title="Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. 
Retrieved June 29, 2021."data-reference="Bitdefender Naikon April 2021"><sup><a href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank" data-hasqtip="122" aria-describedby="qtip-122">[123]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0458"> S0458 </a> </td> <td> <a href="/versions/v15/software/S0458"> Ramsay </a> </td> <td> <p><a href="/versions/v15/software/S0458">Ramsay</a> can schedule tasks via the Windows COM API to maintain persistence.<span onclick=scrollToRef('scite-153') id="scite-ref-153-a" class="scite-citeref-number" title="Sanmillan, I.. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020."data-reference="Eset Ramsay May 2020"><sup><a href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank" data-hasqtip="152" aria-describedby="qtip-152">[153]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0075"> G0075 </a> </td> <td> <a href="/versions/v15/groups/G0075"> Rancor </a> </td> <td> <p><a href="/versions/v15/groups/G0075">Rancor</a> launched a scheduled task to gain persistence using the <code>schtasks /create /sc</code> command.<span onclick=scrollToRef('scite-154') id="scite-ref-154-a" class="scite-citeref-number" title="Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. 
Retrieved July 2, 2018."data-reference="Rancor Unit42 June 2018"><sup><a href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank" data-hasqtip="153" aria-describedby="qtip-153">[154]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0375"> S0375 </a> </td> <td> <a href="/versions/v15/software/S0375"> Remexi </a> </td> <td> <p><a href="/versions/v15/software/S0375">Remexi</a> utilizes scheduled tasks as a persistence mechanism.<span onclick=scrollToRef('scite-155') id="scite-ref-155-a" class="scite-citeref-number" title="Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019."data-reference="Securelist Remexi Jan 2019"><sup><a href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank" data-hasqtip="154" aria-describedby="qtip-154">[155]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0166"> S0166 </a> </td> <td> <a href="/versions/v15/software/S0166"> RemoteCMD </a> </td> <td> <p><a href="/versions/v15/software/S0166">RemoteCMD</a> can execute commands remotely by creating a new scheduled task on the remote system.<span onclick=scrollToRef('scite-156') id="scite-ref-156-a" class="scite-citeref-number" title="Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. 
Retrieved September 26, 2016."data-reference="Symantec Buckeye"><sup><a href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank" data-hasqtip="155" aria-describedby="qtip-155">[156]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0379"> S0379 </a> </td> <td> <a href="/versions/v15/software/S0379"> Revenge RAT </a> </td> <td> <p><a href="/versions/v15/software/S0379">Revenge RAT</a> schedules tasks to run malicious scripts at different intervals.<span onclick=scrollToRef('scite-157') id="scite-ref-157-a" class="scite-citeref-number" title="Gannon, M. (2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019."data-reference="Cofense RevengeRAT Feb 2019"><sup><a href="https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/" target="_blank" data-hasqtip="156" aria-describedby="qtip-156">[157]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0148"> S0148 </a> </td> <td> <a href="/versions/v15/software/S0148"> RTM </a> </td> <td> <p><a href="/versions/v15/software/S0148">RTM</a> tries to add a scheduled task to establish persistence.<span onclick=scrollToRef('scite-158') id="scite-ref-158-a" class="scite-citeref-number" title="Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017."data-reference="ESET RTM Feb 2017"><sup><a href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank" data-hasqtip="157" aria-describedby="qtip-157">[158]</a></sup></span><span onclick=scrollToRef('scite-159') id="scite-ref-159-a" class="scite-citeref-number" title="Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. 
Retrieved June 16, 2020."data-reference="Unit42 Redaman January 2019"><sup><a href="https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" target="_blank" data-hasqtip="158" aria-describedby="qtip-158">[159]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0446"> S0446 </a> </td> <td> <a href="/versions/v15/software/S0446"> Ryuk </a> </td> <td> <p><a href="/versions/v15/software/S0446">Ryuk</a> can remotely create a scheduled task to execute itself on a system.<span onclick=scrollToRef('scite-160') id="scite-ref-160-a" class="scite-citeref-number" title="ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021."data-reference="ANSSI RYUK RANSOMWARE"><sup><a href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf" target="_blank" data-hasqtip="159" aria-describedby="qtip-159">[160]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1018"> S1018 </a> </td> <td> <a href="/versions/v15/software/S1018"> Saint Bot </a> </td> <td> <p><a href="/versions/v15/software/S1018">Saint Bot</a> has created a scheduled task named "Maintenance" to establish persistence.<span onclick=scrollToRef('scite-161') id="scite-ref-161-a" class="scite-citeref-number" title="Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. 
Retrieved June 9, 2022."data-reference="Malwarebytes Saint Bot April 2021"><sup><a href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank" data-hasqtip="160" aria-describedby="qtip-160">[161]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0111"> S0111 </a> </td> <td> <a href="/versions/v15/software/S0111"> schtasks </a> </td> <td> <p><a href="/versions/v15/software/S0111">schtasks</a> is used to schedule tasks on a Windows system to run at a specific date and time.<span onclick=scrollToRef('scite-162') id="scite-ref-162-a" class="scite-citeref-number" title="Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016."data-reference="TechNet Schtasks"><sup><a href="https://technet.microsoft.com/en-us/library/bb490996.aspx" target="_blank" data-hasqtip="161" aria-describedby="qtip-161">[162]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0382"> S0382 </a> </td> <td> <a href="/versions/v15/software/S0382"> ServHelper </a> </td> <td> <p><a href="/versions/v15/software/S0382">ServHelper</a> contains modules that will use <a href="/versions/v15/software/S0111">schtasks</a> to carry out malicious operations.<span onclick=scrollToRef('scite-163') id="scite-ref-163-a" class="scite-citeref-number" title="Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. 
Retrieved May 28, 2019."data-reference="Proofpoint TA505 Jan 2019"><sup><a href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank" data-hasqtip="162" aria-describedby="qtip-162">[163]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0140"> S0140 </a> </td> <td> <a href="/versions/v15/software/S0140"> Shamoon </a> </td> <td> <p><a href="/versions/v15/software/S0140">Shamoon</a> copies an executable payload to the target system by using <a href="/versions/v15/techniques/T1021/002">SMB/Windows Admin Shares</a> and then scheduling an unnamed task to execute the malware.<span onclick=scrollToRef('scite-164') id="scite-ref-164-a" class="scite-citeref-number" title="FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017."data-reference="FireEye Shamoon Nov 2016"><sup><a href="https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html" target="_blank" data-hasqtip="163" aria-describedby="qtip-163">[164]</a></sup></span><span onclick=scrollToRef('scite-165') id="scite-ref-165-a" class="scite-citeref-number" title="Falcone, R.. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017."data-reference="Palo Alto Shamoon Nov 2016"><sup><a href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank" data-hasqtip="164" aria-describedby="qtip-164">[165]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1089"> S1089 </a> </td> <td> <a href="/versions/v15/software/S1089"> SharpDisco </a> </td> <td> <p><a href="/versions/v15/software/S1089">SharpDisco</a> can create scheduled tasks to execute reverse shells that read and write data to and from specified SMB shares.<span onclick=scrollToRef('scite-55') id="scite-ref-55-a" class="scite-citeref-number" title="Faou, M. (2023, August 10). 
MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023."data-reference="MoustachedBouncer ESET August 2023"><sup><a href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank" data-hasqtip="54" aria-describedby="qtip-54">[55]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0546"> S0546 </a> </td> <td> <a href="/versions/v15/software/S0546"> SharpStage </a> </td> <td> <p><a href="/versions/v15/software/S0546">SharpStage</a> has a persistence component to write a scheduled task for the payload.<span onclick=scrollToRef('scite-166') id="scite-ref-166-a" class="scite-citeref-number" title="Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020."data-reference="Cybereason Molerats Dec 2020"><sup><a href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank" data-hasqtip="165" aria-describedby="qtip-165">[166]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0589"> S0589 </a> </td> <td> <a href="/versions/v15/software/S0589"> Sibot </a> </td> <td> <p><a href="/versions/v15/software/S0589">Sibot</a> has been executed via a scheduled task.<span onclick=scrollToRef('scite-80') id="scite-ref-80-a" class="scite-citeref-number" title="Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. 
Retrieved March 8, 2021."data-reference="MSTIC NOBELIUM Mar 2021"><sup><a href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank" data-hasqtip="79" aria-describedby="qtip-79">[80]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0091"> G0091 </a> </td> <td> <a href="/versions/v15/groups/G0091"> Silence </a> </td> <td> <p><a href="/versions/v15/groups/G0091">Silence</a> has used scheduled tasks to stage its operation.<span onclick=scrollToRef('scite-167') id="scite-ref-167-a" class="scite-citeref-number" title="Skulkin, O.. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019."data-reference="Cyber Forensicator Silence Jan 2019"><sup><a href="https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/" target="_blank" data-hasqtip="166" aria-describedby="qtip-166">[167]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0226"> S0226 </a> </td> <td> <a href="/versions/v15/software/S0226"> Smoke Loader </a> </td> <td> <p><a href="/versions/v15/software/S0226">Smoke Loader</a> launches a scheduled task.<span onclick=scrollToRef('scite-168') id="scite-ref-168-a" class="scite-citeref-number" title="Baker, B., Unterbrink H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. 
Retrieved July 5, 2018."data-reference="Talos Smoke Loader July 2018"><sup><a href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank" data-hasqtip="167" aria-describedby="qtip-167">[168]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0024"> C0024 </a> </td> <td> <a href="/versions/v15/campaigns/C0024"> SolarWinds Compromise </a> </td> <td> <p>During the <a href="https://attack.mitre.org/campaigns/C0024">SolarWinds Compromise</a>, <a href="/versions/v15/groups/G0016">APT29</a> used <code>scheduler</code> and <code>schtasks</code> to create new tasks on remote host as part of their lateral movement. They manipulated scheduled tasks by updating an existing legitimate task to execute their tools and then returned the scheduled task to its original configuration. <a href="/versions/v15/groups/G0016">APT29</a> also created a scheduled task to maintain <a href="/versions/v15/software/S0562">SUNSPOT</a> persistence when the host booted.<span onclick=scrollToRef('scite-169') id="scite-ref-169-a" class="scite-citeref-number" title="Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020."data-reference="Volexity SolarWinds"><sup><a href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank" data-hasqtip="168" aria-describedby="qtip-168">[169]</a></sup></span><span onclick=scrollToRef('scite-170') id="scite-ref-170-a" class="scite-citeref-number" title="FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. 
Retrieved January 4, 2021."data-reference="FireEye SUNBURST Backdoor December 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank" data-hasqtip="169" aria-describedby="qtip-169">[170]</a></sup></span><span onclick=scrollToRef('scite-171') id="scite-ref-171-a" class="scite-citeref-number" title="CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021."data-reference="CrowdStrike SUNSPOT Implant January 2021"><sup><a href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank" data-hasqtip="170" aria-describedby="qtip-170">[171]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0516"> S0516 </a> </td> <td> <a href="/versions/v15/software/S0516"> SoreFang </a> </td> <td> <p><a href="/versions/v15/software/S0516">SoreFang</a> can gain persistence through use of scheduled tasks.<span onclick=scrollToRef('scite-172') id="scite-ref-172-a" class="scite-citeref-number" title="CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020."data-reference="CISA SoreFang July 2016"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank" data-hasqtip="171" aria-describedby="qtip-171">[172]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0390"> S0390 </a> </td> <td> <a href="/versions/v15/software/S0390"> SQLRat </a> </td> <td> <p><a href="/versions/v15/software/S0390">SQLRat</a> has created scheduled tasks in <code>%appdata%\Roaming\Microsoft\Templates\</code>.<span onclick=scrollToRef('scite-69') id="scite-ref-69-a" class="scite-citeref-number" title="Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. 
Retrieved June 18, 2019."data-reference="Flashpoint FIN 7 March 2019"><sup><a href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank" data-hasqtip="68" aria-describedby="qtip-68">[69]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0038"> G0038 </a> </td> <td> <a href="/versions/v15/groups/G0038"> Stealth Falcon </a> </td> <td> <p><a href="/versions/v15/groups/G0038">Stealth Falcon</a> malware creates a scheduled task entitled "IE Web Cache" to execute a malicious file hourly.<span onclick=scrollToRef('scite-173') id="scite-ref-173-a" class="scite-citeref-number" title="Marczak, B. and Scott-Railton, J.. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016."data-reference="Citizen Lab Stealth Falcon May 2016"><sup><a href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank" data-hasqtip="172" aria-describedby="qtip-172">[173]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0603"> S0603 </a> </td> <td> <a href="/versions/v15/software/S0603"> Stuxnet </a> </td> <td> <p><a href="/versions/v15/software/S0603">Stuxnet</a> schedules a network job to execute two minutes after host infection.<span onclick=scrollToRef('scite-174') id="scite-ref-174-a" class="scite-citeref-number" title="Nicolas Falliere, Liam O Murchu, Eric Chien 2011, February W32.Stuxnet Dossier (Version 1.4) Retrieved. 
2017/09/22 "data-reference="Nicolas Falliere, Liam O Murchu, Eric Chien February 2011"><sup><a href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank" data-hasqtip="173" aria-describedby="qtip-173">[174]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1042"> S1042 </a> </td> <td> <a href="/versions/v15/software/S1042"> SUGARDUMP </a> </td> <td> <p><a href="/versions/v15/software/S1042">SUGARDUMP</a> has created scheduled tasks called <code>MicrosoftInternetExplorerCrashRepoeterTaskMachineUA</code> and <code>MicrosoftEdgeCrashRepoeterTaskMachineUA</code>, which were configured to execute <code>CrashReporter.exe</code> during user logon.<span onclick=scrollToRef('scite-175') id="scite-ref-175-a" class="scite-citeref-number" title="Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022."data-reference="Mandiant UNC3890 Aug 2022"><sup><a href="https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" target="_blank" data-hasqtip="174" aria-describedby="qtip-174">[175]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1064"> S1064 </a> </td> <td> <a href="/versions/v15/software/S1064"> SVCReady </a> </td> <td> <p><a href="/versions/v15/software/S1064">SVCReady</a> can create a scheduled task named <code>RecoveryExTask</code> to gain persistence.<span onclick=scrollToRef('scite-176') id="scite-ref-176-a" class="scite-citeref-number" title="Schlapfer, Patrick. (2022, June 6). A New Loader Gets Ready. 
Retrieved December 13, 2022."data-reference="HP SVCReady Jun 2022"><sup><a href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank" data-hasqtip="175" aria-describedby="qtip-175">[176]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1018"> G1018 </a> </td> <td> <a href="/versions/v15/groups/G1018"> TA2541 </a> </td> <td> <p><a href="/versions/v15/groups/G1018">TA2541</a> has used scheduled tasks to establish persistence for installed tools.<span onclick=scrollToRef('scite-177') id="scite-ref-177-a" class="scite-citeref-number" title="Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023."data-reference="Proofpoint TA2541 February 2022"><sup><a href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank" data-hasqtip="176" aria-describedby="qtip-176">[177]</a></sup></span> </p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1011"> S1011 </a> </td> <td> <a href="/versions/v15/software/S1011"> Tarrask </a> </td> <td> <p><a href="/versions/v15/software/S1011">Tarrask</a> is able to create "hidden" scheduled tasks for persistence.<span onclick=scrollToRef('scite-3') id="scite-ref-3-a" class="scite-citeref-number" title="Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. 
Retrieved June 1, 2022."data-reference="Tarrask scheduled task"><sup><a href="https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/" target="_blank" data-hasqtip="2" aria-describedby="qtip-2">[3]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G1022"> G1022 </a> </td> <td> <a href="/versions/v15/groups/G1022"> ToddyCat </a> </td> <td> <p><a href="/versions/v15/groups/G1022">ToddyCat</a> has used scheduled tasks to execute discovery commands and scripts for collection.<span onclick=scrollToRef('scite-178') id="scite-ref-178-a" class="scite-citeref-number" title="Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024."data-reference="Kaspersky ToddyCat Check Logs October 2023"><sup><a href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank" data-hasqtip="177" aria-describedby="qtip-177">[178]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0671"> S0671 </a> </td> <td> <a href="/versions/v15/software/S0671"> Tomiris </a> </td> <td> <p><a href="/versions/v15/software/S0671">Tomiris</a> has used <code>SCHTASKS /CREATE /SC DAILY /TN StartDVL /TR "[path to self]" /ST 10:00</code> to establish persistence.<span onclick=scrollToRef('scite-179') id="scite-ref-179-a" class="scite-citeref-number" title="Kwiatkoswki, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. 
Retrieved December 27, 2021."data-reference="Kaspersky Tomiris Sep 2021"><sup><a href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank" data-hasqtip="178" aria-describedby="qtip-178">[179]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0266"> S0266 </a> </td> <td> <a href="/versions/v15/software/S0266"> TrickBot </a> </td> <td> <p><a href="/versions/v15/software/S0266">TrickBot</a> creates a scheduled task on the system that provides persistence.<span onclick=scrollToRef('scite-180') id="scite-ref-180-a" class="scite-citeref-number" title="Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018."data-reference="S2 Grupo TrickBot June 2017"><sup><a href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank" data-hasqtip="179" aria-describedby="qtip-179">[180]</a></sup></span><span onclick=scrollToRef('scite-181') id="scite-ref-181-a" class="scite-citeref-number" title="Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018."data-reference="Trend Micro Totbrick Oct 2016"><sup><a href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n" target="_blank" data-hasqtip="180" aria-describedby="qtip-180">[181]</a></sup></span><span onclick=scrollToRef('scite-182') id="scite-ref-182-a" class="scite-citeref-number" title="Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. 
Retrieved September 14, 2018."data-reference="Microsoft Totbrick Oct 2017"><sup><a href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick" target="_blank" data-hasqtip="181" aria-describedby="qtip-181">[182]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/campaigns/C0030"> C0030 </a> </td> <td> <a href="/versions/v15/campaigns/C0030"> Triton Safety Instrumented System Attack </a> </td> <td> <p>In the <a href="https://attack.mitre.org/campaigns/C0030">Triton Safety Instrumented System Attack</a>, <a href="/versions/v15/groups/G0088">TEMP.Veles</a> installed scheduled tasks defined in XML files.<span onclick=scrollToRef('scite-183') id="scite-ref-183-a" class="scite-citeref-number" title="FireEye Intelligence . (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019."data-reference="FireEye TEMP.Veles 2018"><sup><a href="https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html" target="_blank" data-hasqtip="182" aria-describedby="qtip-182">[183]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0476"> S0476 </a> </td> <td> <a href="/versions/v15/software/S0476"> Valak </a> </td> <td> <p><a href="/versions/v15/software/S0476">Valak</a> has used scheduled tasks to execute additional payloads and to gain persistence on a compromised host.<span onclick=scrollToRef('scite-184') id="scite-ref-184-a" class="scite-citeref-number" title="Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE . 
Retrieved June 19, 2020."data-reference="Cybereason Valak May 2020"><sup><a href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank" data-hasqtip="183" aria-describedby="qtip-183">[184]</a></sup></span><span onclick=scrollToRef('scite-185') id="scite-ref-185-a" class="scite-citeref-number" title="Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020."data-reference="Unit 42 Valak July 2020"><sup><a href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank" data-hasqtip="184" aria-describedby="qtip-184">[185]</a></sup></span><span onclick=scrollToRef('scite-186') id="scite-ref-186-a" class="scite-citeref-number" title="Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020."data-reference="SentinelOne Valak June 2020"><sup><a href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank" data-hasqtip="185" aria-describedby="qtip-185">[186]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/groups/G0102"> G0102 </a> </td> <td> <a href="/versions/v15/groups/G0102"> Wizard Spider </a> </td> <td> <p><a href="/versions/v15/groups/G0102">Wizard Spider</a> has used scheduled tasks to establish persistence for <a href="/versions/v15/software/S0266">TrickBot</a> and other malware.<span onclick=scrollToRef('scite-187') id="scite-ref-187-a" class="scite-citeref-number" title="John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020."data-reference="CrowdStrike Grim Spider May 2019"><sup><a href="https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" target="_blank" data-hasqtip="186" aria-describedby="qtip-186">[187]</a></sup></span><span onclick=scrollToRef('scite-188') id="scite-ref-188-a" class="scite-citeref-number" title="DHS/CISA. (2020, October 28). 
Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020."data-reference="DHS/CISA Ransomware Targeting Healthcare October 2020"><sup><a href="https://us-cert.cisa.gov/ncas/alerts/aa20-302a" target="_blank" data-hasqtip="187" aria-describedby="qtip-187">[188]</a></sup></span><span onclick=scrollToRef('scite-189') id="scite-ref-189-a" class="scite-citeref-number" title="Kimberly Goody, Jeremy Kennelly, Joshua Shilko, Steve Elovitz, Douglas Bienstock. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020."data-reference="FireEye KEGTAP SINGLEMALT October 2020"><sup><a href="https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" target="_blank" data-hasqtip="188" aria-describedby="qtip-188">[189]</a></sup></span><span onclick=scrollToRef('scite-190') id="scite-ref-190-a" class="scite-citeref-number" title="The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. Retrieved November 6, 2020."data-reference="DFIR Ryuk 2 Hour Speed Run November 2020"><sup><a href="https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" target="_blank" data-hasqtip="189" aria-describedby="qtip-189">[190]</a></sup></span><span onclick=scrollToRef('scite-191') id="scite-ref-191-a" class="scite-citeref-number" title="Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. 
Retrieved June 15, 2023."data-reference="Mandiant FIN12 Oct 2021"><sup><a href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank" data-hasqtip="190" aria-describedby="qtip-190">[191]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0248"> S0248 </a> </td> <td> <a href="/versions/v15/software/S0248"> yty </a> </td> <td> <p><a href="/versions/v15/software/S0248">yty</a> establishes persistence by creating a scheduled task with the command <code>SchTasks /Create /SC DAILY /TN BigData /TR " + path_file + "/ST 09:30"</code>.<span onclick=scrollToRef('scite-192') id="scite-ref-192-a" class="scite-citeref-number" title="Schwarz, D., Sopko J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018."data-reference="ASERT Donot March 2018"><sup><a href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank" data-hasqtip="191" aria-describedby="qtip-191">[192]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0251"> S0251 </a> </td> <td> <a href="/versions/v15/software/S0251"> Zebrocy </a> </td> <td> <p><a href="/versions/v15/software/S0251">Zebrocy</a> has a command to create a scheduled task for persistence.<span onclick=scrollToRef('scite-193') id="scite-ref-193-a" class="scite-citeref-number" title="CISA. (2020, October 29). Malware Analysis Report (AR20-303B). 
Retrieved December 9, 2020."data-reference="CISA Zebrocy Oct 2020"><sup><a href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b" target="_blank" data-hasqtip="192" aria-describedby="qtip-192">[193]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S0350"> S0350 </a> </td> <td> <a href="/versions/v15/software/S0350"> zwShell </a> </td> <td> <p><a href="/versions/v15/software/S0350">zwShell</a> has used SchTasks for execution.<span onclick=scrollToRef('scite-194') id="scite-ref-194-a" class="scite-citeref-number" title="McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: "Night Dragon". Retrieved February 19, 2018."data-reference="McAfee Night Dragon"><sup><a href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank" data-hasqtip="193" aria-describedby="qtip-193">[194]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/software/S1013"> S1013 </a> </td> <td> <a href="/versions/v15/software/S1013"> ZxxZ </a> </td> <td> <p><a href="/versions/v15/software/S1013">ZxxZ</a> has used scheduled tasks for persistence and execution.<span onclick=scrollToRef('scite-32') id="scite-ref-32-a" class="scite-citeref-number" title="Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. 
Retrieved June 1, 2022."data-reference="Cisco Talos Bitter Bangladesh May 2022"><sup><a href="https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" target="_blank" data-hasqtip="31" aria-describedby="qtip-31">[32]</a></sup></span></p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="mitigations">Mitigations</h2> <div class="tables-mobile"> <table class="table table-bordered table-alternate mt-2"> <thead> <tr> <th scope="col">ID</th> <th scope="col">Mitigation</th> <th scope="col">Description</th> </tr> </thead> <tbody> <tr> <td> <a href="/versions/v15/mitigations/M1047"> M1047 </a> </td> <td> <a href="/versions/v15/mitigations/M1047"> Audit </a> </td> <td> <p>Toolkits like the PowerSploit framework contain PowerUp modules that can be used to explore systems for permission weaknesses in scheduled tasks that could be used to escalate privileges, such as task actions that point at binaries or scripts in user-writable locations. Review existing task definitions and the permissions on their target files periodically, and treat unexpected additions as potential persistence. <span onclick=scrollToRef('scite-195') id="scite-ref-195-a" class="scite-citeref-number" title="PowerSploit. (n.d.). Retrieved December 4, 2014."data-reference="Powersploit"><sup><a href="https://github.com/mattifestation/PowerSploit" target="_blank" data-hasqtip="194" aria-describedby="qtip-194">[195]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/mitigations/M1028"> M1028 </a> </td> <td> <a href="/versions/v15/mitigations/M1028"> Operating System Configuration </a> </td> <td> <p>Configure settings for scheduled tasks to force tasks to run under the context of the authenticated account instead of allowing them to run as SYSTEM. The associated Registry value is <code>HKLM\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl</code>. The setting can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > Security Options: Domain Controller: Allow server operators to schedule tasks, set to disabled. Note that, as its name indicates, this policy is scoped to domain controllers and to the Server Operators group; it does not restrict task registration by other principals or on member servers and workstations, so it should be combined with the privilege restrictions in M1026 and M1018 below. <span onclick=scrollToRef('scite-196') id="scite-ref-196-a" class="scite-citeref-number" title="Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017."data-reference="TechNet Server Operator Scheduled Task"><sup><a href="https://technet.microsoft.com/library/jj852168.aspx" target="_blank" data-hasqtip="195" aria-describedby="qtip-195">[196]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/mitigations/M1026"> M1026 </a> </td> <td> <a href="/versions/v15/mitigations/M1026"> Privileged Account Management </a> </td> <td> <p>Configure the Increase Scheduling Priority option to only allow the Administrators group the rights to schedule a priority process. This can be configured through GPO: Computer Configuration > [Policies] > Windows Settings > Security Settings > Local Policies > User Rights Assignment: Increase scheduling priority. Note that, per the referenced Microsoft documentation, this user right governs which accounts may raise the execution priority of processes; it does not by itself restrict who can register scheduled tasks, so treat it as hardening of a related privilege rather than as a control over Task Scheduler. <span onclick=scrollToRef('scite-197') id="scite-ref-197-a" class="scite-citeref-number" title="Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017."data-reference="TechNet Scheduling Priority"><sup><a href="https://technet.microsoft.com/library/dn221960.aspx" target="_blank" data-hasqtip="196" aria-describedby="qtip-196">[197]</a></sup></span></p> </td> </tr> <tr> <td> <a href="/versions/v15/mitigations/M1018"> M1018 </a> </td> <td> <a href="/versions/v15/mitigations/M1018"> User Account Management </a> </td> <td> <p>Limit privileges of user accounts and remediate Privilege Escalation vectors so only authorized administrators can create scheduled tasks on remote systems, and keep the set of accounts that retain this ability small enough to monitor. 
</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="detection">Detection</h2> <div class="tables-mobile"> <table class="table datasources-table table-bordered"> <thead> <tr> <th class="p-2" scope="col">ID</th> <th class="p-2 nowrap" scope="col">Data Source</th> <th class="p-2 nowrap" scope="col">Data Component</th> <th class="p-2" scope="col">Detects</th> </tr> </thead> <tbody> <tr class="datasource" id="uses-DS0017"> <td> <a href="/versions/v15/datasources/DS0017">DS0017</a> </td> <td class="nowrap"> <a href="/versions/v15/datasources/DS0017">Command</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0017/#Command%20Execution">Command Execution</a> </td> <td> <p>Monitor executed commands and arguments for actions that could be taken to create or modify scheduled tasks, such as <code>schtasks.exe</code> invoked with <code>/create</code> or <code>/change</code>. Tasks may also be created through Windows system management tools such as Windows Management Instrumentation and PowerShell without ever spawning <code>schtasks.exe</code>, so additional logging (for example PowerShell script block logging) may need to be configured to gather the appropriate data.</p> </td> </tr> <tr class="datasource" id="uses-DS0022"> <td> <a href="/versions/v15/datasources/DS0022">DS0022</a> </td> <td class="nowrap"> <a href="/versions/v15/datasources/DS0022">File</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0022/#File%20Creation">File Creation</a> </td> <td> <p>Monitor Windows Task Scheduler stores in <code>%systemroot%\System32\Tasks</code> for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc. In order to gain persistence, privilege escalation, or remote execution, an adversary may use the Windows Task Scheduler to schedule a command to be run at a specified time, date, and even host. Task Scheduler stores tasks as files in two locations - <code>C:\Windows\Tasks</code> (legacy) or <code>C:\Windows\System32\Tasks</code>. 
Accordingly, this analytic looks for the creation of task files in these two locations.</p><p>Analytic 1 - Scheduled Task - File Creation</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="11") AND (TargetFilename="C:\Windows\System32\Tasks\*" OR TargetFilename="C:\Windows\Tasks\*") AND Image!="C:\WINDOWS\system32\svchost.exe"</code></p><p>Note: the <code>svchost.exe</code> exclusion filters out task files written by the Task Scheduler service itself, so this analytic primarily surfaces task files dropped directly into these directories by some other process. Tasks registered through <code>schtasks.exe</code> or the Task Scheduler API are better covered by the Process Creation and Scheduled Job analytics in this table.</p> </td> </tr> <tr class="datacomponent datasource" id="uses-DS0022-File Modification"> <td></td> <td></td> <td> <a href="/datasources/DS0022/#File%20Modification">File Modification</a> </td> <td> <p>Monitor Windows Task Scheduler stores in <code>%systemroot%\System32\Tasks</code> for change entries related to scheduled tasks that do not correlate with known software, patch cycles, etc.</p> </td> </tr> <tr class="datasource" id="uses-DS0029"> <td> <a href="/versions/v15/datasources/DS0029">DS0029</a> </td> <td class="nowrap"> <a href="/versions/v15/datasources/DS0029">Network Traffic</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0029/#Network%20Traffic%20Flow">Network Traffic Flow</a> </td> <td> <p>Monitor network data for uncommon data flows. Processes utilizing the network that do not normally have network communication or have never been seen before are suspicious. Look for RPC traffic to dynamically mapped endpoints, which implies a destination port of at least 49152 (the default dynamic port range; adjust this threshold if the range has been customized in your environment). If network inspection is available via packet captures or a NIDS, then traffic through the <code>ITaskSchedulerService</code> interface can be detected. Microsoft has a list of the possible methods that are implemented for the <code>ITaskSchedulerService</code> interface, which may be useful in differentiating read and query operations from creations and modifications.</p><p>When scheduled tasks are created remotely, Windows uses RPC (135/tcp) to communicate with the Task Scheduler on the remote machine. 
Once an RPC connection is established, the client communicates with the Scheduled Tasks endpoint, which runs within the service group netsvcs. With packet capture and the right packet decoders or byte-stream based signatures, remote invocations of these functions can be identified. Remote task scheduling can also be recognized by looking up the interface UUID of <code>ITaskSchedulerService</code>, which appears on the wire in the following forms:</p><ul><li>UUID <code>86d35949-83c9-4044-b424-db363231fd0c</code> (decoded)</li><li>Hex <code>49 59 d3 86 c9 83 44 40 b4 24 db 36 32 31 fd 0c</code> (raw wire encoding; note that the first three UUID fields are byte-swapped to little-endian)</li><li>ASCII <code>IYD@$621</code> (printable bytes only; because non-printable bytes are dropped this is the weakest match and should be combined with the raw form where the sensor allows)</li></ul><p>This identifier is present three times during the RPC request phase. Any sensor that has access to the byte code as raw, decoded, or ASCII could implement an analytic. Note that this pattern is only observable when the RPC payload is in the clear; if the traffic is encrypted (for example with RPC packet-privacy authentication or an encrypted SMB transport), a network sensor will not see these bytes and host-based telemetry must be relied on instead.</p> </td> </tr> <tr class="datasource" id="uses-DS0009"> <td> <a href="/versions/v15/datasources/DS0009">DS0009</a> </td> <td class="nowrap"> <a href="/versions/v15/datasources/DS0009">Process</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0009/#Process%20Creation">Process Creation</a> </td> <td> <p>Monitor for newly constructed processes and/or command-lines whose parent is <code>svchost.exe</code> (which hosts the Task Scheduler service on Windows 10 and later) or <code>taskeng.exe</code> (the Task Scheduler engine on older versions of Windows). <span onclick=scrollToRef('scite-198') id="scite-ref-198-a" class="scite-citeref-number" title="Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017."data-reference="Twitter Leoloobeek Scheduled Task"><sup><a href="https://twitter.com/leoloobeek/status/939248813465853953" target="_blank" data-hasqtip="197" aria-describedby="qtip-197">[198]</a></sup></span> If scheduled tasks are not used for persistence, then the adversary is likely to remove the task when the action is complete, so a task that is created and deleted within a short window is itself worth flagging. Look for instances of <code>schtasks.exe</code> running as processes. 
The <code>command_line</code> field is necessary to disambiguate between types of schtasks commands. These include the flags <code>/create</code>, <code>/run</code>, <code>/query</code>, <code>/delete</code>, <code>/change</code>, and <code>/end</code>. Note that Security event 4688 only carries the command line when "Include command line in process creation events" is enabled in audit policy; without it (or Sysmon event 1) the analytics below cannot distinguish a task creation from a harmless query. Also bear in mind that tasks registered through the Task Scheduler API, WMI, or PowerShell do not spawn <code>schtasks.exe</code> at all, so command-line based detection should be paired with the Scheduled Job and Windows Registry analytics in this table.</p><p>Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection focuses at the same time on EventIDs 4688 and 1 with process creation (SCHTASKS) and EventID 4698, 4702 for Scheduled Task creation/modification event log.</p><p>Analytic 1 - New processes whose parent processes are svchost.exe or taskeng.exe</p><p><code>( (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") ) AND (ParentImage="*svchost.exe*" OR ParentImage="*taskeng.exe*")</code></p><p>Note: the two event sources are grouped explicitly so that the parent-image filter applies to both; written without the outer parentheses, AND binds tighter than OR in most query languages and the Sysmon clause would match every process creation. Because <code>svchost.exe</code> hosts many services besides Task Scheduler, expect this analytic to be noisy; where the telemetry captures the parent command line, restrict it to the <code>svchost.exe</code> instance hosting the Schedule service.</p><p>Analytic 2 - Scheduled Task Creation or Modification Containing Suspicious Scripts, Extensions or User Writable Paths</p><p><code>( ( (source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="1") OR (source="*WinEventLog:Security" EventCode="4688") ) CommandLine="*SCHTASKS*" (CommandLine="*/CREATE*" OR CommandLine="*/CHANGE*") ) ( ( CommandLine="*.cmd*" OR CommandLine="*.ps1*" OR CommandLine="*.vbs*" OR CommandLine="*.py*" OR CommandLine="*.js*" OR CommandLine="*.exe*" OR CommandLine="*.bat*" ) OR ( CommandLine="*javascript*" OR CommandLine="*powershell*" OR CommandLine="*wmic*" OR CommandLine="*rundll32*" OR CommandLine="*cmd*" OR CommandLine="*cscript*" OR CommandLine="*wscript*" OR CommandLine="*regsvr32*" OR CommandLine="*mshta*" OR CommandLine="*bitsadmin*" OR CommandLine="*certutil*" OR CommandLine="*msiexec*" OR CommandLine="*javaw*" ) OR ( CommandLine="*%APPDATA%*" OR CommandLine="*\AppData\Roaming*" OR CommandLine="*%PUBLIC%*" OR CommandLine="*C:\Users\Public*" OR CommandLine="*%ProgramData%*" OR CommandLine="*C:\ProgramData*" OR CommandLine="*%TEMP%*" OR CommandLine="*\AppData\Local\Temp*" OR CommandLine="*\Windows\PLA\System*" OR CommandLine="*\tasks*" OR CommandLine="*\Registration\CRMLog*" OR CommandLine="*\FxsTmp*" OR CommandLine="*\spool\drivers\color*" OR CommandLine="*\tracing*" ) )</code></p><p>Note: the <code>*</code> characters are wildcards that had been rendered as emphasis markup in earlier copies of this analytic; the query above restores them. Substring matches such as <code>*cmd*</code> and <code>*.exe*</code> are deliberately broad and will require environment-specific tuning.</p> </td> </tr> <tr class="datasource" id="uses-DS0003"> <td> <a href="/versions/v15/datasources/DS0003">DS0003</a> </td> <td class="nowrap"> <a href="/versions/v15/datasources/DS0003">Scheduled Job</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0003/#Scheduled%20Job%20Creation">Scheduled Job Creation</a> </td> <td> <p>Monitor for newly constructed scheduled jobs by enabling the "Microsoft-Windows-TaskScheduler/Operational" setting within the event logging service. <span onclick=scrollToRef('scite-199') id="scite-ref-199-a" class="scite-citeref-number" title="Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. 
Retrieved December 12, 2017." data-reference="TechNet Forum Scheduled Task Operational Setting"><sup><a href="https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen" target="_blank" rel="noopener" data-hasqtip="198" aria-describedby="qtip-198">[199]</a></sup></span> Several events will then be logged on scheduled task activity, including: Event ID 106 (Microsoft-Windows-TaskScheduler/Operational) on Windows 7, Server 2008 R2 - Scheduled task registered; Event ID 4698 on Windows 10, Server 2016 - Scheduled task created; Event ID 4700 on Windows 10, Server 2016 - Scheduled task enabled; Event ID 4701 on Windows 10, Server 2016 - Scheduled task disabled; Event ID 4702 on Windows 10, Server 2016 - Scheduled task updated. Note that Event IDs 4698, 4700, 4701 and 4702 are written to the Security log rather than the TaskScheduler/Operational log, and they appear only when the "Audit Other Object Access Events" subcategory is enabled. The Operational log's retention is bounded by its configured size, so forward it to a central collector rather than relying on the endpoint copy.</p><p>Note: Detection of the creation or modification of Scheduled Tasks with a suspicious script, extension or user writable path. Attackers may create or modify Scheduled Tasks for the persistent execution of malicious code. This detection correlates process creation events (Security Event ID 4688 and Sysmon Event ID 1 for SCHTASKS) with Scheduled Task creation/modification events (Security Event IDs 4698 and 4702).</p><p>Analytic 1 - New or modified scheduled tasks whose content includes suspicious scripts, extensions or user writable paths</p><p><code>(source="*WinEventLog:Security" EventCode IN (4698, 4702)) | where(JobContent LIKE '%.cmd%' OR JobContent LIKE '%.ps1%' OR JobContent LIKE '%.vbs%' OR JobContent LIKE '%.py%' OR JobContent LIKE '%.js%' OR JobContent LIKE '%.exe%' OR JobContent LIKE '%.bat%' OR JobContent LIKE '%javascript%' OR JobContent LIKE '%powershell%' OR JobContent LIKE '%wmic%' OR JobContent LIKE '%rundll32%' OR JobContent LIKE '%cmd%' OR JobContent LIKE '%cscript%' OR JobContent LIKE '%wscript%' OR JobContent LIKE '%regsvr32%' OR JobContent LIKE '%mshta%' OR JobContent LIKE '%bitsadmin%' OR JobContent LIKE '%certutil%' OR JobContent LIKE '%msiexec%' OR JobContent LIKE '%javaw%' OR JobContent LIKE '%[%]APPDATA[%]%' OR JobContent LIKE '%\AppData\Roaming%' OR JobContent LIKE '%[%]PUBLIC[%]%' OR 
JobContent LIKE '%C:\Users\Public%' OR JobContent LIKE '%[%]ProgramData[%]%' OR JobContent LIKE '%C:\ProgramData%' OR JobContent LIKE '%[%]TEMP[%]%' OR JobContent LIKE '%\AppData\Local\Temp%' OR JobContent LIKE '%\Windows\PLA\System%' OR JobContent LIKE '%\tasks%' OR JobContent LIKE '%\Registration\CRMLog%' OR JobContent LIKE '%\FxsTmp%' OR JobContent LIKE '%\spool\drivers\color%' OR JobContent LIKE '%\tracing%')</code></p><p><code>JobContent</code> stands for the task definition XML embedded in the 4698/4702 event; substitute the field name your SIEM extracts that XML into. Because the task XML includes the action's command and arguments, this analytic also covers tasks registered through the Task Scheduler API or PowerShell, which never spawn schtasks.exe and are therefore invisible to the process-creation analytics in the Process data source above.</p> </td> </tr> <tr class="datasource" id="uses-DS0024"> <td> <a href="/versions/v15/datasources/DS0024">DS0024</a> </td> <td class="nowrap"> <a href="/versions/v15/datasources/DS0024">Windows Registry</a> </td> <!-- Add first data component here --> <td> <a href="/datasources/DS0024/#Windows%20Registry%20Key%20Creation">Windows Registry Key Creation</a> </td> <td> <p>Monitor for registry keys created under the Task Scheduler cache when a new task is registered. Deletion of values or keys under these paths may further indicate malicious activity: removing a task's <code>SD</code> (security descriptor) value from its <code>TaskCache\Tree</code> key hides the task from schtasks and the Task Scheduler UI (see the SD value removal and Tarrask references below).</p><p>Analytic 1 - Suspicious Creations or Deletions under Schedule Registry Key</p><p><code>(source="*WinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode="12") | WHERE (RegistryKeyPath LIKE "%HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tasks%" OR RegistryKeyPath LIKE "%HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Schedule\TaskCache\Tree%")</code></p><p>Sysmon Event ID 12 records both creation and deletion of registry keys and values, so the same query also surfaces the SD value removal described above; review deletions under these paths separately from creations, since legitimate software rarely removes task security descriptors.</p> </td> </tr> </tbody> </table> </div> <h2 class="pt-3" id="references">References</h2> <div class="row"> <div class="col"> <ol> <li> <span id="scite-1" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-1" href="https://www.proofpoint.com/us/blog/threat-insight/serpent-no-swiping-new-backdoor-targets-french-entities-unique-attack-chain" target="_blank"> Campbell, B. et al. (2022, March 21). Serpent, No Swiping! New Backdoor Targets French Entities with Unique Attack Chain. Retrieved April 11, 2022. 
</a> </span> </span> </li> <li> <span id="scite-2" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-2" href="https://github.com/SigmaHQ/sigma/blob/master/rules/windows/registry/registry_delete/registry_delete_schtasks_hide_task_via_sd_value_removal.yml" target="_blank"> Sittikorn S. (2022, April 15). Removal Of SD Value to Hide Schedule Task - Registry. Retrieved June 1, 2022. </a> </span> </span> </li> <li> <span id="scite-3" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-3" href="https://www.microsoft.com/security/blog/2022/04/12/tarrask-malware-uses-scheduled-tasks-for-defense-evasion/" target="_blank"> Microsoft Threat Intelligence Team & Detection and Response Team . (2022, April 12). Tarrask malware uses scheduled tasks for defense evasion. Retrieved June 1, 2022. </a> </span> </span> </li> <li> <span id="scite-4" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-4" href="https://blog.qualys.com/vulnerabilities-threat-research/2022/06/20/defending-against-scheduled-task-attacks-in-windows-environments" target="_blank"> Harshal Tupsamudre. (2022, June 20). Defending Against Scheduled Tasks. Retrieved July 5, 2022. </a> </span> </span> </li> <li> <span id="scite-5" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-5" href="https://www.mandiant.com/resources/blog/sandworm-disrupts-power-ukraine-operational-technology" target="_blank"> Ken Proska, John Wolfram, Jared Wilson, Dan Black, Keith Lunden, Daniel Kapellmann Zafra, Nathan Brubaker, Tyler Mclellan, Chris Sistrunk. (2023, November 9). Sandworm Disrupts Power in Ukraine Using a Novel Attack Against Operational Technology. Retrieved March 28, 2024. 
</a> </span> </span> </li> <li> <span id="scite-6" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-6" href="https://labs.sentinelone.com/agent-tesla-old-rat-uses-new-tricks-to-stay-on-top/" target="_blank"> Walter, J. (2020, August 10). Agent Tesla | Old RAT Uses New Tricks to Stay on Top. Retrieved December 11, 2020. </a> </span> </span> </li> <li> <span id="scite-7" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-7" href="https://www.cybereason.com/blog/dropping-anchor-from-a-trickbot-infection-to-the-discovery-of-the-anchor-malware" target="_blank"> Dahan, A. et al. (2019, December 11). DROPPING ANCHOR: FROM A TRICKBOT INFECTION TO THE DISCOVERY OF THE ANCHOR MALWARE. Retrieved September 10, 2020. </a> </span> </span> </li> <li> <span id="scite-8" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-8" href="https://us-cert.cisa.gov/ncas/alerts/aa21-048a" target="_blank"> Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. </a> </span> </span> </li> <li> <span id="scite-9" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-9" href="https://web.archive.org/web/20190625182633if_/https://ti.360.net/blog/articles/apt-c-36-continuous-attacks-targeting-colombian-government-institutions-and-corporations-en/" target="_blank"> QiAnXin Threat Intelligence Center. (2019, February 18). APT-C-36: Continuous Attacks Targeting Colombian Government Institutions and Corporations. Retrieved May 5, 2020. 
</a> </span> </span> </li> <li> <span id="scite-10" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-10" href="http://www.slideshare.net/MatthewDunwoody1/no-easy-breach-derby-con-2016" target="_blank"> Dunwoody, M. and Carr, N.. (2016, September 27). No Easy Breach DerbyCon 2016. Retrieved October 4, 2016. </a> </span> </span> </li> <li> <span id="scite-11" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-11" href="https://www.fireeye.com/blog/threat-research/2014/11/operation_doubletap.html" target="_blank"> Moran, N., et al. (2014, November 21). Operation Double Tap. Retrieved January 14, 2016. </a> </span> </span> </li> <li> <span id="scite-12" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-12" href="https://www.fireeye.com/blog/threat-research/2017/05/cyber-espionage-apt32.html" target="_blank"> Carr, N.. (2017, May 14). Cyber Espionage is Alive and Well: APT32 and the Threat to Global Corporations. Retrieved June 18, 2017. </a> </span> </span> </li> <li> <span id="scite-13" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-13" href="https://www.cybereason.com/blog/operation-cobalt-kitty-apt" target="_blank"> Dahan, A. (2017, May 24). OPERATION COBALT KITTY: A LARGE-SCALE APT IN ASIA CARRIED OUT BY THE OCEANLOTUS GROUP. Retrieved November 5, 2018. </a> </span> </span> </li> <li> <span id="scite-14" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-14" href="https://cdn2.hubspot.net/hubfs/3354902/Cybereason%20Labs%20Analysis%20Operation%20Cobalt%20Kitty.pdf" target="_blank"> Dahan, A. (2017). Operation Cobalt Kitty. Retrieved December 27, 2018. 
</a> </span> </span> </li> <li> <span id="scite-15" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-15" href="https://www.welivesecurity.com/2019/03/20/fake-or-fake-keeping-up-with-oceanlotus-decoys/" target="_blank"> Dumont, R. (2019, March 20). Fake or Fake: Keeping up with OceanLotus decoys. Retrieved April 1, 2019. </a> </span> </span> </li> <li> <span id="scite-16" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-16" href="https://www.symantec.com/blogs/threat-intelligence/elfin-apt33-espionage" target="_blank"> Security Response attack Investigation Team. (2019, March 27). Elfin: Relentless Espionage Group Targets Multiple Organizations in Saudi Arabia and U.S.. Retrieved April 10, 2019. </a> </span> </span> </li> <li> <span id="scite-17" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-17" href="https://www.volexity.com/blog/2021/08/24/north-korean-bluelight-special-inkysquid-deploys-rokrat/" target="_blank"> Cash, D., Grunzweig, J., Adair, S., Lancaster, T. (2021, August 25). North Korean BLUELIGHT Special: InkySquid Deploys RokRAT. Retrieved October 1, 2021. </a> </span> </span> </li> <li> <span id="scite-18" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-18" href="https://us-cert.cisa.gov/ncas/alerts/aa20-239a" target="_blank"> DHS/CISA. (2020, August 26). FASTCash 2.0: North Korea's BeagleBoyz Robbing Banks. Retrieved September 29, 2021. </a> </span> </span> </li> <li> <span id="scite-19" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-19" href="https://www.fireeye.com/blog/threat-research/2019/01/apt39-iranian-cyber-espionage-group-focused-on-personal-information.html" target="_blank"> Hawley et al. (2019, January 29). 
APT39: An Iranian Cyber Espionage Group Focused on Personal Information. Retrieved February 19, 2019. </a> </span> </span> </li> <li> <span id="scite-20" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-20" href="https://www.bitdefender.com/blog/labs/iranian-chafer-apt-targeted-air-transportation-and-government-in-kuwait-and-saudi-arabia/" target="_blank"> Rusu, B. (2020, May 21). Iranian Chafer APT Targeted Air Transportation and Government in Kuwait and Saudi Arabia. Retrieved May 22, 2020. </a> </span> </span> </li> <li> <span id="scite-21" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-21" href="https://www.iranwatch.org/sites/default/files/public-intelligence-alert.pdf" target="_blank"> FBI. (2020, September 17). Indicators of Compromise Associated with Rana Intelligence Computing, also known as Advanced Persistent Threat 39, Chafer, Cadelspy, Remexi, and ITG07. Retrieved December 10, 2020. </a> </span> </span> </li> <li> <span id="scite-22" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-22" href="https://www.mandiant.com/sites/default/files/2022-02/rt-apt41-dual-operation.pdf" target="_blank"> Fraser, N., et al. (2019, August 7). Double DragonAPT41, a dual espionage and cyber crime operation APT41. Retrieved September 23, 2019. </a> </span> </span> </li> <li> <span id="scite-23" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-23" href="https://go.crowdstrike.com/rs/281-OBQ-266/images/Report2020CrowdStrikeGlobalThreatReport.pdf" target="_blank"> Crowdstrike. (2020, March 2). 2020 Global Threat Report. Retrieved December 11, 2020. 
</a> </span> </span> </li> <li> <span id="scite-24" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-24" href="https://telefonicatech.com/blog/snip3-investigacion-malware" target="_blank"> Jornet, A. (2021, December 23). Snip3, an investigation into malware. Retrieved September 19, 2023. </a> </span> </span> </li> <li> <span id="scite-25" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-25" href="https://www.welivesecurity.com/wp-content/uploads/2019/10/ESET_Attor.pdf" target="_blank"> Hromcova, Z. (2019, October). AT COMMANDS, TOR-BASED COMMUNICATIONS: MEET ATTOR, A FANTASY CREATURE AND ALSO A SPY PLATFORM. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-26" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-26" href="https://unit42.paloaltonetworks.com/updated-backconfig-malware-targeting-government-and-military-organizations/" target="_blank"> Hinchliffe, A. and Falcone, R. (2020, May 11). Updated BackConfig Malware Targeting Government and Military Organizations in South Asia. Retrieved June 17, 2020. </a> </span> </span> </li> <li> <span id="scite-27" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-27" href="https://securelist.com/bad-rabbit-ransomware/82851/" target="_blank"> Mamedov, O. Sinitsyn, F. Ivanov, A.. (2017, October 24). Bad Rabbit ransomware. Retrieved January 28, 2021. </a> </span> </span> </li> <li> <span id="scite-28" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-28" href="https://www.bitdefender.com/files/News/CaseStudies/study/394/Bitdefender-PR-Whitepaper-BADHATCH-creat5237-en-EN.pdf" target="_blank"> Vrabie, V., et al. (2021, March 10). FIN8 Returns with Improved BADHATCH Toolkit. Retrieved September 8, 2021. 
</a> </span> </span> </li> <li> <span id="scite-29" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-29" href="https://researchcenter.paloaltonetworks.com/2018/03/unit42-patchwork-continues-deliver-badnews-indian-subcontinent/" target="_blank"> Levene, B. et al.. (2018, March 7). Patchwork Continues to Deliver BADNEWS to the Indian Subcontinent. Retrieved March 31, 2018. </a> </span> </span> </li> <li> <span id="scite-30" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-30" href="https://www.cybereason.com/blog/a-bazar-of-tricks-following-team9s-development-cycles" target="_blank"> Cybereason Nocturnus. (2020, July 16). A BAZAR OF TRICKS: FOLLOWING TEAM9’S DEVELOPMENT CYCLES. Retrieved November 18, 2020. </a> </span> </span> </li> <li> <span id="scite-31" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-31" href="https://research.nccgroup.com/2020/06/02/in-depth-analysis-of-the-new-team9-malware-family/" target="_blank"> Pantazopoulos, N. (2020, June 2). In-depth analysis of the new Team9 malware family. Retrieved December 1, 2020. </a> </span> </span> </li> <li> <span id="scite-32" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-32" href="https://blog.talosintelligence.com/2022/05/bitter-apt-adds-bangladesh-to-their.html" target="_blank"> Raghuprasad, C . (2022, May 11). Bitter APT adds Bangladesh to their targets. Retrieved June 1, 2022. </a> </span> </span> </li> <li> <span id="scite-33" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-33" href="https://redcanary.com/blog/blue-mockingbird-cryptominer/" target="_blank"> Lambert, T. (2020, May 7). Introducing Blue Mockingbird. Retrieved May 26, 2020. 
</a> </span> </span> </li> <li> <span id="scite-34" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-34" href="https://unit42.paloaltonetworks.com/unit42-oilrig-uses-updated-bondupdater-target-middle-eastern-government/" target="_blank"> Wilhoit, K. and Falcone, R. (2018, September 12). OilRig Uses Updated BONDUPDATER to Target Middle Eastern Government. Retrieved February 18, 2019. </a> </span> </span> </li> <li> <span id="scite-35" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-35" href="https://www.secureworks.com/research/bronze-butler-targets-japanese-businesses" target="_blank"> Counter Threat Unit Research Team. (2017, October 12). BRONZE BUTLER Targets Japanese Enterprises. Retrieved January 4, 2018. </a> </span> </span> </li> <li> <span id="scite-36" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-36" href="https://www.proofpoint.com/us/blog/threat-insight/bumblebee-is-still-transforming" target="_blank"> Merriman, K. and Trouerbach, P. (2022, April 28). This isn't Optimus Prime's Bumblebee but it's Still Transforming. Retrieved August 22, 2022. </a> </span> </span> </li> <li> <span id="scite-37" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-37" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/bumblebee-loader-cybercrime" target="_blank"> Kamble, V. (2022, June 28). Bumblebee: New Loader Rapidly Assuming Central Position in Cyber-crime Ecosystem. Retrieved August 24, 2022. 
</a> </span> </span> </li> <li> <span id="scite-38" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-38" href="https://www.mandiant.com/resources/apt41-us-state-governments" target="_blank"> Rufus Brown, Van Ta, Douglas Bienstock, Geoff Ackerman, John Wolfram. (2022, March 8). Does This Look Infected? A Summary of APT41 Targeting U.S. State Governments. Retrieved July 8, 2022. </a> </span> </span> </li> <li> <span id="scite-39" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-39" href="https://www.fireeye.com/blog/threat-research/2019/04/triton-actor-ttp-profile-custom-attack-tools-detections.html" target="_blank"> Miller, S, et al. (2019, April 10). TRITON Actor TTP Profile, Custom Attack Tools, Detections, and ATT&CK Mapping. Retrieved April 16, 2019. </a> </span> </span> </li> <li> <span id="scite-40" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-40" href="https://www.welivesecurity.com/2017/03/30/carbon-paper-peering-turlas-second-stage-backdoor/" target="_blank"> ESET. (2017, March 30). Carbon Paper: Peering into Turla’s second stage backdoor. Retrieved November 7, 2018. </a> </span> </span> </li> <li> <span id="scite-41" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-41" href="https://www.bitdefender.com/files/News/CaseStudies/study/379/Bitdefender-Whitepaper-Chinese-APT.pdf" target="_blank"> Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. </a> </span> </span> </li> <li> <span id="scite-42" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-42" href="https://cycraft.com/download/CyCraft-Whitepaper-Chimera_V4.1.pdf" target="_blank"> Cycraft. (2020, April 15). 
APT Group Chimera - APT Operation Skeleton key Targets Taiwan Semiconductor Vendors. Retrieved August 24, 2020. </a> </span> </span> </li> <li> <span id="scite-43" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-43" href="https://research.nccgroup.com/2021/01/12/abusing-cloud-services-to-fly-under-the-radar/" target="_blank"> Jansen, W . (2021, January 12). Abusing cloud services to fly under the radar. Retrieved January 19, 2021. </a> </span> </span> </li> <li> <span id="scite-44" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-44" href="https://www.group-ib.com/blog/cobalt" target="_blank"> Matveeva, V. (2017, August 15). Secrets of Cobalt. Retrieved October 10, 2018. </a> </span> </span> </li> <li> <span id="scite-45" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-45" href="https://www.welivesecurity.com/wp-content/uploads/2020/05/ESET_Turla_ComRAT.pdf" target="_blank"> Faou, M. (2020, May). From Agent.btz to ComRAT v4: A ten-year journey. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-46" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-46" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303a" target="_blank"> CISA. (2020, October 29). Malware Analysis Report (AR20-303A). Retrieved December 9, 2020. </a> </span> </span> </li> <li> <span id="scite-47" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-47" href="https://www.trendmicro.com/en_us/research/21/h/confucius-uses-pegasus-spyware-related-lures-to-target-pakistani.html" target="_blank"> Lunghi, D. (2021, August 17). Confucius Uses Pegasus Spyware-related Lures to Target Pakistani Military. Retrieved December 26, 2021. 
</a> </span> </span> </li> <li> <span id="scite-48" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-48" href="https://blog.f-secure.com/wp-content/uploads/2019/10/CosmicDuke.pdf" target="_blank"> F-Secure Labs. (2014, July). COSMICDUKE Cosmu with a twist of MiniDuke. Retrieved July 3, 2014. </a> </span> </span> </li> <li> <span id="scite-49" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-49" href="https://blogs.blackberry.com/en/2020/11/the-costaricto-campaign-cyber-espionage-outsourced" target="_blank"> The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. </a> </span> </span> </li> <li> <span id="scite-50" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-50" href="https://www.f-secure.com/documents/996508/1030745/CozyDuke" target="_blank"> F-Secure Labs. (2015, April 22). CozyDuke: Malware Analysis. Retrieved December 10, 2015. </a> </span> </span> </li> <li> <span id="scite-51" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-51" href="https://www.welivesecurity.com/2020/12/02/turla-crutch-keeping-back-door-open/" target="_blank"> Faou, M. (2020, December 2). Turla Crutch: Keeping the “back door” open. Retrieved December 4, 2020. </a> </span> </span> </li> <li> <span id="scite-52" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-52" href="https://www.cybereason.com/blog/back-to-the-future-inside-the-kimsuky-kgh-spyware-suite" target="_blank"> Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 
</a> </span> </span> </li> <li> <span id="scite-53" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-53" href="https://www.secureworks.com/blog/lyceum-takes-center-stage-in-middle-east-campaign" target="_blank"> SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019. </a> </span> </span> </li> <li> <span id="scite-54" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-54" href="https://www.prevailion.com/darkwatchman-new-fileless-techniques/" target="_blank"> Smith, S., Stafford, M. (2021, December 14). DarkWatchman: A new evolution in fileless techniques. Retrieved January 10, 2022. </a> </span> </span> </li> <li> <span id="scite-55" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-55" href="https://www.welivesecurity.com/en/eset-research/moustachedbouncer-espionage-against-foreign-diplomats-in-belarus/" target="_blank"> Faou, M. (2023, August 10). MoustachedBouncer: Espionage against foreign diplomats in Belarus. Retrieved September 25, 2023. </a> </span> </span> </li> <li> <span id="scite-56" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-56" href="https://www.us-cert.gov/ncas/alerts/TA18-074A" target="_blank"> US-CERT. (2018, March 16). Alert (TA18-074A): Russian Government Cyber Activity Targeting Energy and Other Critical Infrastructure Sectors. Retrieved June 6, 2018. </a> </span> </span> </li> <li> <span id="scite-57" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-57" href="https://redcanary.com/threat-detection-report/threats/dridex/" target="_blank"> Red Canary. (2021, February 9). Dridex - Red Canary Threat Detection Report. Retrieved August 3, 2023. 
</a> </span> </span> </li> <li> <span id="scite-58" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-58" href="https://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/w32_duqu_the_precursor_to_the_next_stuxnet.pdf" target="_blank"> Symantec Security Response. (2011, November). W32.Duqu: The precursor to the next Stuxnet. Retrieved September 17, 2015. </a> </span> </span> </li> <li> <span id="scite-59" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-59" href="https://blog.malwarebytes.com/threat-analysis/2015/11/a-technical-look-at-dyreza/" target="_blank"> hasherezade. (2015, November 4). A Technical Look At Dyreza. Retrieved June 15, 2020. </a> </span> </span> </li> <li> <span id="scite-60" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-60" href="https://www.us-cert.gov/ncas/alerts/TA18-201A" target="_blank"> US-CERT. (2018, July 20). Alert (TA18-201A) Emotet Malware. Retrieved March 25, 2019. </a> </span> </span> </li> <li> <span id="scite-61" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-61" href="https://github.com/PowerShellEmpire/Empire" target="_blank"> Schroeder, W., Warner, J., Nelson, M. (n.d.). Github PowerShellEmpire. Retrieved April 28, 2016. </a> </span> </span> </li> <li> <span id="scite-62" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-62" href="https://web.archive.org/web/20150311013500/http://www.cyphort.com/evilbunny-malware-instrumented-lua/" target="_blank"> Marschalek, M.. (2014, December 16). EvilBunny: Malware Instrumented By Lua. Retrieved June 28, 2019. 
</a> </span> </span> </li> <li> <span id="scite-63" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-63" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin10.pdf" target="_blank"> FireEye iSIGHT Intelligence. (2017, June 16). FIN10: Anatomy of a Cyber Extortion Operation. Retrieved June 25, 2017. </a> </span> </span> </li> <li> <span id="scite-64" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-64" href="https://www.mandiant.com/resources/blog/fin13-cybercriminal-mexico" target="_blank"> Ta, V., et al. (2022, August 8). FIN13: A Cybercriminal Threat Actor Focused on Mexico. Retrieved February 9, 2023. </a> </span> </span> </li> <li> <span id="scite-65" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-65" href="https://www2.fireeye.com/rs/848-DID-242/images/rpt-fin6.pdf" target="_blank"> FireEye Threat Intelligence. (2016, April). Follow the Money: Dissecting the Operations of the Cyber Crime Group FIN6. Retrieved June 1, 2016. </a> </span> </span> </li> <li> <span id="scite-66" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-66" href="https://www.fireeye.com/blog/threat-research/2017/04/fin7-phishing-lnk.html" target="_blank"> Carr, N., et al. (2017, April 24). FIN7 Evolution and the Phishing LNK. Retrieved April 24, 2017. </a> </span> </span> </li> <li> <span id="scite-67" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-67" href="http://blog.morphisec.com/fin7-attacks-restaurant-industry" target="_blank"> Gorelik, M.. (2017, June 9). FIN7 Takes Another Bite at the Restaurant Industry. Retrieved July 13, 2017. 
</a> </span> </span> </li> <li> <span id="scite-68" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-68" href="https://www.fireeye.com/blog/threat-research/2018/08/fin7-pursuing-an-enigmatic-and-evasive-global-criminal-operation.html" target="_blank"> Carr, N., et al. (2018, August 01). On the Hunt for FIN7: Pursuing an Enigmatic and Evasive Global Criminal Operation. Retrieved August 23, 2018. </a> </span> </span> </li> <li> <span id="scite-69" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-69" href="https://www.flashpoint-intel.com/blog/fin7-revisited-inside-astra-panel-and-sqlrat-malware/" target="_blank"> Platt, J. and Reeves, J.. (2019, March). FIN7 Revisited: Inside Astra Panel and SQLRat Malware. Retrieved June 18, 2019. </a> </span> </span> </li> <li> <span id="scite-70" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-70" href="https://www2.fireeye.com/WBNR-Know-Your-Enemy-UNC622-Spear-Phishing.html" target="_blank"> Elovitz, S. & Ahl, I. (2016, August 18). Know Your Enemy: New Financially-Motivated & Spear-Phishing Group. Retrieved February 26, 2018. </a> </span> </span> </li> <li> <span id="scite-71" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-71" href="https://us-cert.cisa.gov/ncas/alerts/aa20-259a" target="_blank"> CISA. (2020, September 15). Iran-Based Threat Actor Exploits VPN Vulnerabilities. Retrieved December 21, 2020. </a> </span> </span> </li> <li> <span id="scite-72" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-72" href="https://www.clearskysec.com/wp-content/uploads/2020/12/Pay2Kitten.pdf" target="_blank"> ClearSky. (2020, December 17). Pay2Key Ransomware – A New Campaign by Fox Kitten. Retrieved December 21, 2020. 
</a> </span> </span> </li> <li> <span id="scite-73" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-73" href="https://blog.talosintelligence.com/2019/06/frankenstein-campaign.html" target="_blank"> Adamitis, D. et al. (2019, June 4). It's alive: Threat actors cobble together open-source pieces into monstrous Frankenstein campaign. Retrieved May 11, 2020. </a> </span> </span> </li> <li> <span id="scite-74" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-74" href="https://www.cybereason.com/blog/operation-soft-cell-a-worldwide-campaign-against-telecommunications-providers" target="_blank"> Cybereason Nocturnus. (2019, June 25). Operation Soft Cell: A Worldwide Campaign Against Telecommunications Providers. Retrieved July 18, 2019. </a> </span> </span> </li> <li> <span id="scite-75" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-75" href="https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/" target="_blank"> Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. </a> </span> </span> </li> <li> <span id="scite-76" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-76" href="https://www.ria.ee/sites/default/files/content-editors/kuberturve/tale_of_gamaredon_infection.pdf" target="_blank"> CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022. </a> </span> </span> </li> <li> <span id="scite-77" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-77" href="https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/" target="_blank"> Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. 
Retrieved February 18, 2022. </a> </span> </span> </li> <li> <span id="scite-78" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-78" href="https://www.welivesecurity.com/wp-content/uploads/2017/08/eset-gazer.pdf" target="_blank"> ESET. (2017, August). Gazing at Gazer: Turla’s new second stage backdoor. Retrieved September 14, 2017. </a> </span> </span> </li> <li> <span id="scite-79" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-79" href="https://securelist.com/introducing-whitebear/81638/" target="_blank"> Kaspersky Lab's Global Research & Analysis Team. (2017, August 30). Introducing WhiteBear. Retrieved September 21, 2017. </a> </span> </span> </li> <li> <span id="scite-80" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-80" href="https://www.microsoft.com/security/blog/2021/03/04/goldmax-goldfinder-sibot-analyzing-nobelium-malware/" target="_blank"> Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. </a> </span> </span> </li> <li> <span id="scite-81" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-81" href="https://blog.talosintelligence.com/2018/04/gravityrat-two-year-evolution-of-apt.html" target="_blank"> Mercer, W., Rascagneres, P. (2018, April 26). GravityRAT - The Two-Year Evolution Of An APT Targeting India. Retrieved May 16, 2018. </a> </span> </span> </li> <li> <span id="scite-82" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-82" href="https://securelist.com/fin7-5-the-infamous-cybercrime-rig-fin7-continues-its-activities/90703/" target="_blank"> Namestnikov, Y. and Aime, F. (2019, May 8). 
FIN7.5: the infamous cybercrime rig “FIN7” continues its activities. Retrieved October 11, 2019. </a> </span> </span> </li> <li> <span id="scite-83" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-83" href="https://gibnc.group-ib.com/s/Group-IB_GrimAgent_analysis#pdfviewer" target="_blank"> Priego, A. (2021, July). THE BROTHERS GRIM: THE REVERSING TALE OF GRIMAGENT MALWARE USED BY RYUK. Retrieved July 16, 2021. </a> </span> </span> </li> <li> <span id="scite-84" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-84" href="http://www.clearskysec.com/oilrig/" target="_blank"> ClearSky Cybersecurity. (2017, January 5). Iranian Threat Agent OilRig Delivers Digitally Signed Malware, Impersonates University of Oxford. Retrieved May 3, 2017. </a> </span> </span> </li> <li> <span id="scite-85" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-85" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/ukraine-wiper-malware-russia" target="_blank"> Symantec Threat Hunter Team. (2022, February 24). Ukraine: Disk-wiping Attacks Precede Russian Invasion. Retrieved March 25, 2022. </a> </span> </span> </li> <li> <span id="scite-86" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-86" href="https://vblocalhost.com/uploads/VB2021-Kayal-etal.pdf" target="_blank"> Kayal, A. et al. (2021, October). LYCEUM REBORN: COUNTERINTELLIGENCE IN THE MIDDLE EAST. Retrieved June 14, 2022. </a> </span> </span> </li> <li> <span id="scite-87" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-87" href="https://blog.malwarebytes.com/threat-analysis/2020/06/higaisa/" target="_blank"> Malwarebytes Threat Intelligence Team. (2020, June 4). 
New LNK attack tied to Higaisa APT discovered. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-88" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-88" href="https://www.zscaler.com/blogs/security-research/return-higaisa-apt" target="_blank"> Singh, S., Singh, A. (2020, June 11). The Return on the Higaisa APT. Retrieved March 2, 2021. </a> </span> </span> </li> <li> <span id="scite-89" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-89" href="https://www.carbonblack.com/2020/04/16/vmware-carbon-black-tau-threat-analysis-the-evolution-of-lazarus/" target="_blank"> Knight, S. (2020, April 16). VMware Carbon Black TAU Threat Analysis: The Evolution of Lazarus. Retrieved May 1, 2020. </a> </span> </span> </li> <li> <span id="scite-90" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-90" href="https://blogs.juniper.net/en-us/threat-research/covid-19-and-fmla-campaigns-used-to-install-new-icedid-banking-malware" target="_blank"> Kimayong, P. (2020, June 18). COVID-19 and FMLA Campaigns used to install new IcedID banking malware. Retrieved July 14, 2020. </a> </span> </span> </li> <li> <span id="scite-91" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-91" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_InvisiMole.pdf" target="_blank"> Hromcova, Z. and Cherpanov, A. (2020, June). INVISIMOLE: THE HIDDEN PART OF THE STORY. Retrieved July 16, 2020. </a> </span> </span> </li> <li> <span id="scite-92" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-92" href="https://unit42.paloaltonetworks.com/ironnetinjector/" target="_blank"> Reichel, D. (2021, February 19). IronNetInjector: Turla’s New Malware Loading Tool. 
Retrieved February 24, 2021. </a> </span> </span> </li> <li> <span id="scite-93" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-93" href="https://researchcenter.paloaltonetworks.com/2017/10/unit42-oilrig-group-steps-attacks-new-delivery-documents-new-injector-trojan/" target="_blank"> Falcone, R. and Lee, B. (2017, October 9). OilRig Group Steps Up Attacks with New Delivery Documents and New Injector Trojan. Retrieved January 8, 2018. </a> </span> </span> </li> <li> <span id="scite-94" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-94" href="http://www.welivesecurity.com/wp-content/uploads/2016/10/eset-sednit-part1.pdf" target="_blank"> ESET. (2016, October). En Route with Sednit - Part 1: Approaching the Target. Retrieved November 8, 2016. </a> </span> </span> </li> <li> <span id="scite-95" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-95" href="http://www.welivesecurity.com/2015/07/10/sednit-apt-group-meets-hacking-team/" target="_blank"> ESET Research. (2015, July 10). Sednit APT Group Meets Hacking Team. Retrieved March 1, 2017. </a> </span> </span> </li> <li> <span id="scite-96" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-96" href="https://www.crowdstrike.com/blog/carbon-spider-embraces-big-game-hunting-part-1/" target="_blank"> Loui, E. and Reynolds, J. (2021, August 30). CARBON SPIDER Embraces Big Game Hunting, Part 1. Retrieved September 20, 2021. </a> </span> </span> </li> <li> <span id="scite-97" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-97" href="https://www.boho.or.kr/krcert/publicationView.do?bulletin_writing_sequence=35936" target="_blank"> KISA. (n.d.). 
Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. </a> </span> </span> </li> <li> <span id="scite-98" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-98" href="https://www.malwarebytes.com/resources/files/2021/02/lazyscripter.pdf" target="_blank"> Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. </a> </span> </span> </li> <li> <span id="scite-99" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-99" href="https://blog.qualys.com/vulnerabilities-threat-research/2022/02/08/lolzarus-lazarus-group-incorporating-lolbins-into-campaigns" target="_blank"> Pradhan, A. (2022, February 8). LolZarus: Lazarus Group Incorporating Lolbins into Campaigns. Retrieved March 22, 2022. </a> </span> </span> </li> <li> <span id="scite-100" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-100" href="https://twitter.com/ESETresearch/status/1458438155149922312" target="_blank"> Cherepanov, Anton. (2019, November 10). ESETresearch discovered a trojanized IDA Pro installer. Retrieved March 2, 2022. </a> </span> </span> </li> </ol> </div> <div class="col"> <ol start="101"> <li> <span id="scite-101" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-101" href="https://securelist.com/wirtes-campaign-in-the-middle-east-living-off-the-land-since-at-least-2019/105044" target="_blank"> Yamout, M. (2021, November 29). WIRTE’s campaign in the Middle East ‘living off the land’ since at least 2019. Retrieved February 1, 2022. 
</a> </span> </span> </li> <li> <span id="scite-102" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-102" href="https://blog.talosintelligence.com/2021/01/a-deep-dive-into-lokibot-infection-chain.html" target="_blank"> Muhammad, I., Unterbrink, H. (2021, January 6). A Deep Dive into Lokibot Infection Chain. Retrieved August 31, 2021. </a> </span> </span> </li> <li> <span id="scite-103" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-103" href="https://unit42.paloaltonetworks.com/lucifer-new-cryptojacking-and-ddos-hybrid-malware/" target="_blank"> Hsu, K. et al. (2020, June 24). Lucifer: New Cryptojacking and DDoS Hybrid Malware Exploiting High and Critical Vulnerabilities to Infect Windows Devices. Retrieved November 16, 2020. </a> </span> </span> </li> <li> <span id="scite-104" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-104" href="https://www.bitdefender.com/blog/labs/luminousmoth-plugx-file-exfiltration-and-persistence-revisited" target="_blank"> Botezatu, B., et al. (2021, July 21). LuminousMoth - PlugX, File Exfiltration and Persistence Revisited. Retrieved October 20, 2022. </a> </span> </span> </li> <li> <span id="scite-105" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-105" href="https://www.welivesecurity.com/wp-content/uploads/2019/08/ESET_Machete.pdf" target="_blank"> ESET. (2019, July). MACHETE JUST GOT SHARPER Venezuelan government institutions under attack. Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-106" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-106" href="https://securelist.com/el-machete/66108/" target="_blank"> Kaspersky Global Research and Analysis Team. (2014, August 20). El Machete. 
Retrieved September 13, 2019. </a> </span> </span> </li> <li> <span id="scite-107" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-107" href="https://blog.360totalsecurity.com/en/apt-c-43-steals-venezuelan-military-secrets-to-provide-intelligence-support-for-the-reactionaries-hpreact-campaign/" target="_blank"> kate. (2020, September 25). APT-C-43 steals Venezuelan military secrets to provide intelligence support for the reactionaries — HpReact campaign. Retrieved November 20, 2020. </a> </span> </span> </li> <li> <span id="scite-108" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-108" href="https://thedfirreport.com/2022/03/21/apt35-automates-initial-access-using-proxyshell" target="_blank"> DFIR Report. (2022, March 21). APT35 Automates Initial Access Using ProxyShell. Retrieved May 25, 2022. </a> </span> </span> </li> <li> <span id="scite-109" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-109" href="https://thedfirreport.com/2021/11/15/exchange-exploit-leads-to-domain-wide-ransomware/" target="_blank"> DFIR Report. (2021, November 15). Exchange Exploit Leads to Domain Wide Ransomware. Retrieved January 5, 2023. </a> </span> </span> </li> <li> <span id="scite-110" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-110" href="http://www.clearskysec.com/wp-content/uploads/2017/07/Operation_Wilted_Tulip.pdf" target="_blank"> ClearSky Cyber Security and Trend Micro. (2017, July). Operation Wilted Tulip: Exposing a cyber espionage apparatus. Retrieved August 21, 2017. 
</a> </span> </span> </li> <li> <span id="scite-111" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-111" href="https://s3-eu-west-1.amazonaws.com/minervaresearchpublic/CopyKittens/CopyKittens.pdf" target="_blank"> Minerva Labs LTD and ClearSky Cyber Security. (2015, November 23). CopyKittens Attack Group. Retrieved September 11, 2017. </a> </span> </span> </li> <li> <span id="scite-112" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-112" href="https://news.sophos.com/en-us/2020/09/17/maze-attackers-adopt-ragnar-locker-virtual-machine-technique/" target="_blank"> Brandt, A., Mackenzie, P. (2020, September 17). Maze Attackers Adopt Ragnar Locker Virtual Machine Technique. Retrieved October 9, 2020. </a> </span> </span> </li> <li> <span id="scite-113" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-113" href="https://www.secureworks.com/research/mcmd-malware-analysis" target="_blank"> Secureworks. (2019, July 24). MCMD Malware Analysis. Retrieved August 13, 2020. </a> </span> </span> </li> <li> <span id="scite-114" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-114" href="https://www.pwc.co.uk/cyber-security/pdf/pwc-uk-operation-cloud-hopper-technical-annex-april-2017.pdf" target="_blank"> PwC and BAE Systems. (2017, April). Operation Cloud Hopper: Technical Annex. Retrieved April 13, 2017. </a> </span> </span> </li> <li> <span id="scite-115" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-115" href="https://research.checkpoint.com/2021/indra-hackers-behind-recent-attacks-on-iran/" target="_blank"> Check Point Research Team. (2021, August 14). Indra - Hackers Behind Recent Attacks on Iran. Retrieved February 17, 2022. 
</a> </span> </span> </li> <li> <span id="scite-116" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-116" href="https://www.clearskysec.com/siamesekitten/" target="_blank"> ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. </a> </span> </span> </li> <li> <span id="scite-117" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-117" href="https://www.accenture.com/us-en/blogs/cyber-defense/iran-based-lyceum-campaigns" target="_blank"> Accenture. (2021, November 9). Who are latest targets of cyber group Lyceum? Retrieved June 16, 2022. </a> </span> </span> </li> <li> <span id="scite-118" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-118" href="https://unit42.paloaltonetworks.com/molerats-delivers-spark-backdoor/" target="_blank"> Falcone, R., et al. (2020, March 3). Molerats Delivers Spark Backdoor to Government and Telecommunications Organizations. Retrieved December 14, 2020. </a> </span> </span> </li> <li> <span id="scite-119" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-119" href="https://reaqta.com/2017/11/muddywater-apt-targeting-middle-east/" target="_blank"> Reaqta. (2017, November 22). A dive into MuddyWater APT targeting Middle-East. Retrieved May 18, 2020. </a> </span> </span> </li> <li> <span id="scite-120" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-120" href="https://www.anomali.com/blog/china-based-apt-mustang-panda-targets-minority-groups-public-and-private-sector-organizations" target="_blank"> Anomali Threat Research. (2019, October 7). China-Based APT Mustang Panda Targets Minority Groups, Public and Private Sector Organizations. Retrieved April 12, 2021. 
</a> </span> </span> </li> <li> <span id="scite-121" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-121" href="https://www.secureworks.com/research/bronze-president-targets-ngos" target="_blank"> Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-122" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-122" href="https://www.mcafee.com/enterprise/en-us/assets/reports/rp-operation-dianxun.pdf" target="_blank"> Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021. </a> </span> </span> </li> <li> <span id="scite-123" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-123" href="https://www.bitdefender.com/files/News/CaseStudies/study/396/Bitdefender-PR-Whitepaper-NAIKON-creat5397-en-EN.pdf" target="_blank"> Vrabie, V. (2021, April 23). NAIKON – Traces from a Military Cyber-Espionage Operation. Retrieved June 29, 2021. </a> </span> </span> </li> <li> <span id="scite-124" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-124" href="https://www.mandiant.com/resources/blog/dissecting-netwire-phishing-campaigns-usage-process-hollowing" target="_blank"> Maniath, S. and Kadam P. (2019, March 19). Dissecting a NETWIRE Phishing Campaign's Usage of Process Hollowing. Retrieved January 7, 2021. </a> </span> </span> </li> <li> <span id="scite-125" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-125" href="https://blog.talosintelligence.com/2017/06/worldwide-ransomware-variant.html" target="_blank"> Chiu, A. (2016, June 27). New Ransomware Variant "Nyetya" Compromises Systems Worldwide. 
Retrieved March 26, 2019. </a> </span> </span> </li> <li> <span id="scite-126" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-126" href="https://researchcenter.paloaltonetworks.com/2018/02/unit42-oopsie-oilrig-uses-threedollars-deliver-new-trojan/" target="_blank"> Lee, B., Falcone, R. (2018, February 23). OopsIE! OilRig Uses ThreeDollars to Deliver New Trojan. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-127" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-127" href="https://researchcenter.paloaltonetworks.com/2018/07/unit42-oilrig-targets-technology-service-provider-government-agency-quadagent/" target="_blank"> Lee, B., Falcone, R. (2018, July 25). OilRig Targets Technology Service Provider and Government Agency with QUADAGENT. Retrieved August 9, 2018. </a> </span> </span> </li> <li> <span id="scite-128" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-128" href="https://www.fireeye.com/blog/threat-research/2019/07/hard-pass-declining-apt34-invite-to-join-their-professional-network.html" target="_blank"> Bromiley, M., et al. (2019, July 18). Hard Pass: Declining APT34’s Invite to Join Their Professional Network. Retrieved August 26, 2019. </a> </span> </span> </li> <li> <span id="scite-129" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-129" href="https://research.checkpoint.com/2021/irans-apt34-returns-with-an-updated-arsenal/" target="_blank"> Check Point. (2021, April 8). Iran’s APT34 Returns with an Updated Arsenal. Retrieved May 5, 2021. 
</a> </span> </span> </li> <li> <span id="scite-130" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-130" href="https://www.welivesecurity.com/wp-content/uploads/2019/07/ESET_Okrum_and_Ketrican.pdf" target="_blank"> Hromcova, Z. (2019, July). OKRUM AND KETRICAN: AN OVERVIEW OF RECENT KE3CHANG GROUP ACTIVITY. Retrieved May 6, 2020. </a> </span> </span> </li> <li> <span id="scite-131" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-131" href="https://researchcenter.paloaltonetworks.com/2018/09/unit42-oilrig-targets-middle-eastern-government-adds-evasion-techniques-oopsie/" target="_blank"> Falcone, R., et al. (2018, September 04). OilRig Targets a Middle Eastern Government and Adds Evasion Techniques to OopsIE. Retrieved September 24, 2018. </a> </span> </span> </li> <li> <span id="scite-132" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-132" href="https://www.cybereason.com/blog/operation-cuckoobees-deep-dive-into-stealthy-winnti-techniques" target="_blank"> Cybereason Nocturnus. (2022, May 4). Operation CuckooBees: Deep-Dive into Stealthy Winnti Techniques. Retrieved September 22, 2022. </a> </span> </span> </li> <li> <span id="scite-133" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-133" href="https://www.welivesecurity.com/wp-content/uploads/2020/06/ESET_Operation_Interception.pdf" target="_blank"> Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 
</a> </span> </span> </li> <li> <span id="scite-134" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-134" href="https://www.fox-it.com/media/kadlze5c/201912_report_operation_wocao.pdf" target="_blank"> Dantzig, M. v., Schamper, E. (2019, December 19). Operation Wocao: Shining a light on one of China’s hidden hacking groups. Retrieved October 8, 2020. </a> </span> </span> </li> <li> <span id="scite-135" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-135" href="https://documents.trendmicro.com/assets/tech-brief-untangling-the-patchwork-cyberespionage-group.pdf" target="_blank"> Lunghi, D., et al. (2017, December). Untangling the Patchwork Cyberespionage Group. Retrieved July 10, 2018. </a> </span> </span> </li> <li> <span id="scite-136" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-136" href="https://github.com/PowerShellMafia/PowerSploit" target="_blank"> PowerShellMafia. (2012, May 26). PowerSploit - A PowerShell Post-Exploitation Framework. Retrieved February 6, 2018. </a> </span> </span> </li> <li> <span id="scite-137" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-137" href="http://powersploit.readthedocs.io" target="_blank"> PowerSploit. (n.d.). PowerSploit. Retrieved February 6, 2018. </a> </span> </span> </li> <li> <span id="scite-138" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-138" href="https://www.clearskysec.com/wp-content/uploads/2018/11/MuddyWater-Operations-in-Lebanon-and-Oman.pdf" target="_blank"> ClearSky Cyber Security. (2018, November). MuddyWater Operations in Lebanon and Oman: Using an Israeli compromised domain for a two-stage campaign. Retrieved November 29, 2018. 
</a> </span> </span> </li> <li> <span id="scite-139" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-139" href="https://www.fireeye.com/blog/threat-research/2017/12/targeted-attack-in-middle-east-by-apt34.html" target="_blank"> Sardiwal, M, et al. (2017, December 7). New Targeted Attack in the Middle East by APT34, a Suspected Iranian Threat Group, Using CVE-2017-11882 Exploit. Retrieved December 20, 2017. </a> </span> </span> </li> <li> <span id="scite-140" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-140" href="https://www.microsoft.com/en-us/security/blog/2022/10/14/new-prestige-ransomware-impacts-organizations-in-ukraine-and-poland/" target="_blank"> MSTIC. (2022, October 14). New “Prestige” ransomware impacts organizations in Ukraine and Poland. Retrieved January 19, 2023. </a> </span> </span> </li> <li> <span id="scite-141" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-141" href="https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/" target="_blank"> Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. </a> </span> </span> </li> <li> <span id="scite-142" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-142" href="https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine" target="_blank"> Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. 
</a> </span> </span> </li> <li> <span id="scite-143" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-143" href="https://www.trendmicro.com/vinfo/ph/security/news/cybercrime-and-digital-threats/qakbot-resurges-spreads-through-vbs-files" target="_blank"> Mendoza, E. et al. (2020, May 25). Qakbot Resurges, Spreads through VBS Files. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-144" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-144" href="https://www.kroll.com/en/insights/publications/cyber/qakbot-malware-exfiltrating-emails-thread-hijacking-attacks" target="_blank"> Sette, N. et al. (2020, June 4). Qakbot Malware Now Exfiltrating Emails for Sophisticated Thread Hijacking Attacks. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-145" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-145" href="https://www.crowdstrike.com/blog/duck-hunting-with-falcon-complete-qakbot-zip-based-campaign/" target="_blank"> CS. (2020, October 7). Duck Hunting with Falcon Complete: A Fowl Banking Trojan Evolves, Part 2. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-146" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-146" href="https://success.trendmicro.com/solution/000283381" target="_blank"> Trend Micro. (2020, December 17). QAKBOT: A decade-old malware still with new tricks. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-147" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-147" href="https://redcanary.com/threat-detection-report/threats/qbot/" target="_blank"> Rainey, K. (n.d.). Qbot. Retrieved September 27, 2021. 
</a> </span> </span> </li> <li> <span id="scite-148" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-148" href="https://blog.cyberint.com/qakbot-banking-trojan" target="_blank"> Cyberint. (2021, May 25). Qakbot Banking Trojan. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-149" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-149" href="https://securelist.com/qakbot-technical-analysis/103931/" target="_blank"> Kuzmenko, A. et al. (2021, September 2). QakBot technical analysis. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-150" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-150" href="https://groupib.pathfactory.com/ransomware-reports/prolock_wp" target="_blank"> Group IB. (2020, September). LOCK LIKE A PRO. Retrieved September 27, 2021. </a> </span> </span> </li> <li> <span id="scite-151" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-151" href="https://www.volexity.com/blog/2018/06/07/patchwork-apt-group-targets-us-think-tanks/" target="_blank"> Meltzer, M, et al. (2018, June 07). Patchwork APT Group Targets US Think Tanks. Retrieved July 16, 2018. </a> </span> </span> </li> <li> <span id="scite-152" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-152" href="https://www.cisa.gov/uscert/ncas/analysis-reports/AR18-352A" target="_blank"> CISA. (2018, December 18). Analysis Report (AR18-352A) Quasar Open-Source Remote Administration Tool. Retrieved August 1, 2022. 
</a> </span> </span> </li> <li> <span id="scite-153" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-153" href="https://www.welivesecurity.com/2020/05/13/ramsay-cyberespionage-toolkit-airgapped-networks/" target="_blank"> Sanmillan, I. (2020, May 13). Ramsay: A cyber‑espionage toolkit tailored for air‑gapped networks. Retrieved May 27, 2020. </a> </span> </span> </li> <li> <span id="scite-154" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-154" href="https://researchcenter.paloaltonetworks.com/2018/06/unit42-rancor-targeted-attacks-south-east-asia-using-plaintee-ddkong-malware-families/" target="_blank"> Ash, B., et al. (2018, June 26). RANCOR: Targeted Attacks in South East Asia Using PLAINTEE and DDKONG Malware Families. Retrieved July 2, 2018. </a> </span> </span> </li> <li> <span id="scite-155" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-155" href="https://securelist.com/chafer-used-remexi-malware/89538/" target="_blank"> Legezo, D. (2019, January 30). Chafer used Remexi malware to spy on Iran-based foreign diplomatic entities. Retrieved April 17, 2019. </a> </span> </span> </li> <li> <span id="scite-156" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-156" href="http://www.symantec.com/connect/blogs/buckeye-cyberespionage-group-shifts-gaze-us-hong-kong" target="_blank"> Symantec Security Response. (2016, September 6). Buckeye cyberespionage group shifts gaze from US to Hong Kong. Retrieved September 26, 2016. </a> </span> </span> </li> <li> <span id="scite-157" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-157" href="https://cofense.com/upgrades-delivery-support-infrastructure-revenge-rat-malware-bigger-threat/" target="_blank"> Gannon, M. 
(2019, February 11). With Upgrades in Delivery and Support Infrastructure, Revenge RAT Malware is a Bigger Threat. Retrieved May 1, 2019. </a> </span> </span> </li> <li> <span id="scite-158" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-158" href="https://www.welivesecurity.com/wp-content/uploads/2017/02/Read-The-Manual.pdf" target="_blank"> Faou, M. and Boutin, J. (2017, February). Read The Manual: A Guide to the RTM Banking Trojan. Retrieved March 9, 2017. </a> </span> </span> </li> <li> <span id="scite-159" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-159" href="https://unit42.paloaltonetworks.com/russian-language-malspam-pushing-redaman-banking-malware/" target="_blank"> Duncan, B., Harbison, M. (2019, January 23). Russian Language Malspam Pushing Redaman Banking Malware. Retrieved June 16, 2020. </a> </span> </span> </li> <li> <span id="scite-160" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-160" href="https://www.cert.ssi.gouv.fr/uploads/CERTFR-2021-CTI-006.pdf" target="_blank"> ANSSI. (2021, February 25). RYUK RANSOMWARE. Retrieved March 29, 2021. </a> </span> </span> </li> <li> <span id="scite-161" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-161" href="https://blog.malwarebytes.com/threat-intelligence/2021/04/a-deep-dive-into-saint-bot-downloader/" target="_blank"> Hasherezade. (2021, April 6). A deep dive into Saint Bot, a new downloader. Retrieved June 9, 2022. </a> </span> </span> </li> <li> <span id="scite-162" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-162" href="https://technet.microsoft.com/en-us/library/bb490996.aspx" target="_blank"> Microsoft. (n.d.). Schtasks. Retrieved April 28, 2016. 
</a> </span> </span> </li> <li> <span id="scite-163" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-163" href="https://www.proofpoint.com/us/threat-insight/post/servhelper-and-flawedgrace-new-malware-introduced-ta505" target="_blank"> Schwarz, D. and Proofpoint Staff. (2019, January 9). ServHelper and FlawedGrace - New malware introduced by TA505. Retrieved May 28, 2019. </a> </span> </span> </li> <li> <span id="scite-164" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-164" href="https://www.fireeye.com/blog/threat-research/2016/11/fireeye_respondsto.html" target="_blank"> FireEye. (2016, November 30). FireEye Responds to Wave of Destructive Cyber Attacks in Gulf Region. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-165" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-165" href="http://researchcenter.paloaltonetworks.com/2016/11/unit42-shamoon-2-return-disttrack-wiper/" target="_blank"> Falcone, R. (2016, November 30). Shamoon 2: Return of the Disttrack Wiper. Retrieved January 11, 2017. </a> </span> </span> </li> <li> <span id="scite-166" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-166" href="https://www.cybereason.com/hubfs/dam/collateral/reports/Molerats-in-the-Cloud-New-Malware-Arsenal-Abuses-Cloud-Platforms-in-Middle-East-Espionage-Campaign.pdf" target="_blank"> Cybereason Nocturnus Team. (2020, December 9). MOLERATS IN THE CLOUD: New Malware Arsenal Abuses Cloud Platforms in Middle East Espionage Campaign. Retrieved December 22, 2020. 
</a> </span> </span> </li> <li> <span id="scite-167" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-167" href="https://cyberforensicator.com/2019/01/20/silence-dissecting-malicious-chm-files-and-performing-forensic-analysis/" target="_blank"> Skulkin, O. (2019, January 20). Silence: Dissecting Malicious CHM Files and Performing Forensic Analysis. Retrieved May 24, 2019. </a> </span> </span> </li> <li> <span id="scite-168" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-168" href="https://blog.talosintelligence.com/2018/07/smoking-guns-smoke-loader-learned-new.html#more" target="_blank"> Baker, B., Unterbrink, H. (2018, July 03). Smoking Guns - Smoke Loader learned new tricks. Retrieved July 5, 2018. </a> </span> </span> </li> <li> <span id="scite-169" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-169" href="https://www.volexity.com/blog/2020/12/14/dark-halo-leverages-solarwinds-compromise-to-breach-organizations/" target="_blank"> Cash, D. et al. (2020, December 14). Dark Halo Leverages SolarWinds Compromise to Breach Organizations. Retrieved December 29, 2020. </a> </span> </span> </li> <li> <span id="scite-170" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-170" href="https://www.fireeye.com/blog/threat-research/2020/12/evasive-attacker-leverages-solarwinds-supply-chain-compromises-with-sunburst-backdoor.html" target="_blank"> FireEye. (2020, December 13). Highly Evasive Attacker Leverages SolarWinds Supply Chain to Compromise Multiple Global Victims With SUNBURST Backdoor. Retrieved January 4, 2021. 
</a> </span> </span> </li> <li> <span id="scite-171" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-171" href="https://www.crowdstrike.com/blog/sunspot-malware-technical-analysis/" target="_blank"> CrowdStrike Intelligence Team. (2021, January 11). SUNSPOT: An Implant in the Build Process. Retrieved January 11, 2021. </a> </span> </span> </li> <li> <span id="scite-172" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-172" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-198a" target="_blank"> CISA. (2020, July 16). MAR-10296782-1.v1 – SOREFANG. Retrieved September 29, 2020. </a> </span> </span> </li> <li> <span id="scite-173" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-173" href="https://citizenlab.org/2016/05/stealth-falcon/" target="_blank"> Marczak, B. and Scott-Railton, J. (2016, May 29). Keep Calm and (Don’t) Enable Macros: A New Threat Actor Targets UAE Dissidents. Retrieved June 8, 2016. </a> </span> </span> </li> <li> <span id="scite-174" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-174" href="https://www.wired.com/images_blogs/threatlevel/2011/02/Symantec-Stuxnet-Update-Feb-2011.pdf" target="_blank"> Falliere, N., Murchu, L. O., Chien, E. (2011, February). W32.Stuxnet Dossier (Version 1.4). Retrieved September 22, 2017. </a> </span> </span> </li> <li> <span id="scite-175" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-175" href="https://www.mandiant.com/resources/blog/suspected-iranian-actor-targeting-israeli-shipping" target="_blank"> Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 
</a> </span> </span> </li> <li> <span id="scite-176" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-176" href="https://threatresearch.ext.hp.com/svcready-a-new-loader-reveals-itself/" target="_blank"> Schlapfer, P. (2022, June 6). A New Loader Gets Ready. Retrieved December 13, 2022. </a> </span> </span> </li> <li> <span id="scite-177" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-177" href="https://www.proofpoint.com/us/blog/threat-insight/charting-ta2541s-flight" target="_blank"> Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023. </a> </span> </span> </li> <li> <span id="scite-178" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-178" href="https://securelist.com/toddycat-keep-calm-and-check-logs/110696/" target="_blank"> Dedola, G. et al. (2023, October 12). ToddyCat: Keep calm and check logs. Retrieved January 3, 2024. </a> </span> </span> </li> <li> <span id="scite-179" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-179" href="https://securelist.com/darkhalo-after-solarwinds-the-tomiris-connection/104311/" target="_blank"> Kwiatkowski, I. and Delcher, P. (2021, September 29). DarkHalo After SolarWinds: the Tomiris connection. Retrieved December 27, 2021. </a> </span> </span> </li> <li> <span id="scite-180" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-180" href="https://www.securityartwork.es/wp-content/uploads/2017/07/Trickbot-report-S2-Grupo.pdf" target="_blank"> Salinas, M., Holguin, J. (2017, June). Evolution of Trickbot. Retrieved July 31, 2018. 
</a> </span> </span> </li> <li> <span id="scite-181" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-181" href="https://www.trendmicro.com/vinfo/us/threat-encyclopedia/malware/tspy_trickload.n" target="_blank"> Antazo, F. (2016, October 31). TSPY_TRICKLOAD.N. Retrieved September 14, 2018. </a> </span> </span> </li> <li> <span id="scite-182" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-182" href="https://www.microsoft.com/en-us/wdsi/threats/malware-encyclopedia-description?Name=Trojan:Win32/Totbrick" target="_blank"> Pornasdoro, A. (2017, October 12). Trojan:Win32/Totbrick. Retrieved September 14, 2018. </a> </span> </span> </li> <li> <span id="scite-183" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-183" href="https://www.fireeye.com/blog/threat-research/2018/10/triton-attribution-russian-government-owned-lab-most-likely-built-tools.html" target="_blank"> FireEye Intelligence. (2018, October 23). TRITON Attribution: Russian Government-Owned Lab Most Likely Built Custom Intrusion Tools for TRITON Attackers. Retrieved April 16, 2019. </a> </span> </span> </li> <li> <span id="scite-184" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-184" href="https://www.cybereason.com/blog/valak-more-than-meets-the-eye" target="_blank"> Salem, E. et al. (2020, May 28). VALAK: MORE THAN MEETS THE EYE. Retrieved June 19, 2020. </a> </span> </span> </li> <li> <span id="scite-185" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-185" href="https://unit42.paloaltonetworks.com/valak-evolution/" target="_blank"> Duncan, B. (2020, July 24). Evolution of Valak, from Its Beginnings to Mass Distribution. Retrieved August 31, 2020. 
</a> </span> </span> </li> <li> <span id="scite-186" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-186" href="https://assets.sentinelone.com/labs/sentinel-one-valak-i" target="_blank"> Reaves, J. and Platt, J. (2020, June). Valak Malware and the Connection to Gozi Loader ConfCrew. Retrieved August 31, 2020. </a> </span> </span> </li> <li> <span id="scite-187" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-187" href="https://www.crowdstrike.com/blog/timelining-grim-spiders-big-game-hunting-tactics/" target="_blank"> John, E. and Carvey, H. (2019, May 30). Unraveling the Spiderweb: Timelining ATT&CK Artifacts Used by GRIM SPIDER. Retrieved May 12, 2020. </a> </span> </span> </li> <li> <span id="scite-188" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-188" href="https://us-cert.cisa.gov/ncas/alerts/aa20-302a" target="_blank"> DHS/CISA. (2020, October 28). Ransomware Activity Targeting the Healthcare and Public Health Sector. Retrieved October 28, 2020. </a> </span> </span> </li> <li> <span id="scite-189" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-189" href="https://www.fireeye.com/blog/threat-research/2020/10/kegtap-and-singlemalt-with-a-ransomware-chaser.html" target="_blank"> Goody, K., Kennelly, J., Shilko, J., Elovitz, S., Bienstock, D. (2020, October 28). Unhappy Hour Special: KEGTAP and SINGLEMALT With a Ransomware Chaser. Retrieved October 28, 2020. </a> </span> </span> </li> <li> <span id="scite-190" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-190" href="https://thedfirreport.com/2020/11/05/ryuk-speed-run-2-hours-to-ransom/" target="_blank"> The DFIR Report. (2020, November 5). Ryuk Speed Run, 2 Hours to Ransom. 
Retrieved November 6, 2020. </a> </span> </span> </li> <li> <span id="scite-191" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-191" href="https://www.mandiant.com/sites/default/files/2021-10/fin12-group-profile.pdf" target="_blank"> Shilko, J., et al. (2021, October 7). FIN12: The Prolific Ransomware Intrusion Threat Actor That Has Aggressively Pursued Healthcare Targets. Retrieved June 15, 2023. </a> </span> </span> </li> <li> <span id="scite-192" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-192" href="https://www.arbornetworks.com/blog/asert/donot-team-leverages-new-modular-malware-framework-south-asia/" target="_blank"> Schwarz, D., Sopko, J. (2018, March 08). Donot Team Leverages New Modular Malware Framework in South Asia. Retrieved June 11, 2018. </a> </span> </span> </li> <li> <span id="scite-193" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-193" href="https://us-cert.cisa.gov/ncas/analysis-reports/ar20-303b" target="_blank"> CISA. (2020, October 29). Malware Analysis Report (AR20-303B). Retrieved December 9, 2020. </a> </span> </span> </li> <li> <span id="scite-194" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-194" href="https://scadahacker.com/library/Documents/Cyber_Events/McAfee%20-%20Night%20Dragon%20-%20Global%20Energy%20Cyberattacks.pdf" target="_blank"> McAfee® Foundstone® Professional Services and McAfee Labs™. (2011, February 10). Global Energy Cyberattacks: “Night Dragon”. Retrieved February 19, 2018. </a> </span> </span> </li> <li> <span id="scite-195" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow noopener" class="external text" name="scite-195" href="https://github.com/mattifestation/PowerSploit" target="_blank"> PowerSploit. (n.d.). Retrieved December 4, 2014. 
</a> </span> </span> </li> <li> <span id="scite-196" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-196" href="https://technet.microsoft.com/library/jj852168.aspx" target="_blank"> Microsoft. (2012, November 15). Domain controller: Allow server operators to schedule tasks. Retrieved December 18, 2017. </a> </span> </span> </li> <li> <span id="scite-197" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-197" href="https://technet.microsoft.com/library/dn221960.aspx" target="_blank"> Microsoft. (2013, May 8). Increase scheduling priority. Retrieved December 18, 2017. </a> </span> </span> </li> <li> <span id="scite-198" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-198" href="https://twitter.com/leoloobeek/status/939248813465853953" target="_blank"> Loobeek, L. (2017, December 8). leoloobeek Status. Retrieved December 12, 2017. </a> </span> </span> </li> <li> <span id="scite-199" class="scite-citation"> <span class="scite-citation-text"> <a rel="nofollow" class="external text" name="scite-199" href="https://social.technet.microsoft.com/Forums/en-US/e5bca729-52e7-4fcb-ba12-3225c564674c/scheduled-tasks-history-retention-settings?forum=winserver8gen" target="_blank"> Satyajit321. (2015, November 3). Scheduled Tasks History Retention settings. Retrieved December 12, 2017. 
</a> </span> </span> </li> </ol> </div> </div> </div> </div> </div> </div> </div> </div> </div> </body> </html>